Accounts-2fa token remain valid for about 5 minutes

How can i configure the tokens to expire after 60 seconds
right now the default is about 5 minutes

i can literally use the same token even though it changed on the auth for another straight 5 minutes

is there a way to handle it? on the docs i don’t see a way to configure this

I think it’s not configurable and it is 10 minutes now.
I’m not sure it works or not but you could give it a try:
Put this code somewhere in your app (server side):

import { Accounts } from 'meteor/accounts-base';
import twofactor from 'node-2fa';
// ...
Meteor.startup(() => {
  Accounts._isTokenValid = (secret, code) => {
    if (Meteor.isServer) {
      throw new Meteor.Error(
        'The function _isTokenValid can only be called on the server'
    return twofactor.verifyToken(secret, code, 1) !== null;

This is the recommended way for 2fa tokens to work, and necessary to support hardware TOTP devices that don’t connect to the internet to sync the time. Their clocks drift over time, some by a minute or two a year. When I looked into it a year or two ago, the current window for valid tokens seemed to be a common choice, but we also avoided a smaller value because accounts-2fa doesn’t have a recovery token or backup 2fa methods, so we didn’t want a clock drift to block someone from their account.

not sure where is the issue in adding param window in addition so we control it

You can make it. Create a pull request. That’s how open source works.