Larry_Ellis, the rationale here was that sometimes the platform (app or server) can't be controlled. Typically a server environment is where this functionality would be needed the least since they can do exactly what you suggested. The Google Authenticator app does have a time sync function and I have had to use it even with my phone's time being synced to the carrier. But I do see your point. Perhaps this is an area where an extension would be more appropriate rather than bloating the base library. That way the consumer could choose if it were needed or not. I am liking that idea the more I think about it. What are your thoughts? Thanks for the feedback, Larry.
I'm not aware Google Authenticator has a time-sync function. Maybe that's an Android-only feature. Anyway, Gmail 2FA appears to tolerate time differences that are +/- 5 minutes of standard. This is what we do in our TOTP code, even though our server is NTP-synced; so we allow for moderate client time differences. I don't like clients that NTP-sync, since they proliferate NTP requests against scarce resources (the NTP servers). Imagine 50 apps on a single server, all independently doing their own NTP processing! But your suggestion to make it an extension might be a good compromise.
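
An added example, not code from the library under discussion or from either poster: a server-side TOTP check that tolerates client clock drift of +/- 5 minutes, as described in the reply above, with no NTP lookup on either side. The function names, the `last_step` replay guard and the use of the published RFC 6238 SHA-1 test key as sample input are assumptions of this example.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)
RFC_KEY = b"12345678901234567890"  # RFC 6238 SHA-1 test key, sample input only


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for a single counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def accepted_steps(window_seconds: int) -> int:
    """How many distinct codes are valid at once for a given tolerance."""
    return 2 * (window_seconds // STEP) + 1


def verify_totp(key, candidate, now, window_seconds=300, last_step=-1, digits=6):
    """Return the matched time step, or None if the code is rejected.

    Codes are accepted from clients whose clock is within +/- window_seconds
    of the server clock. last_step is the highest step already accepted for
    this account (hypothetical per-account state); steps at or below it are
    skipped so a code cannot be reused inside the widened window.
    """
    current = int(now) // STEP
    drift = window_seconds // STEP
    first = max(0, current - drift, last_step + 1)
    for step in range(first, current + drift + 1):
        # compare_digest avoids leaking how many leading digits matched
        if hmac.compare_digest(hotp(key, step, digits), candidate):
            return step
    return None


if __name__ == "__main__":
    # Client clock is 299 s behind the server; the code is still accepted.
    print(verify_totp(RFC_KEY, "94287082", now=358, digits=8))
    print(accepted_steps(300), "codes valid at any moment with a 5-minute window")
```

The caller should persist the returned step as the account's new `last_step`; the wider the window, the more codes are simultaneously valid, so attempt rate limiting matters more than with a one-step tolerance.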