---
title: Authentication Codes Must Expire Quickly
impact: MEDIUM
impactDescription: limits window for code interception attacks
tags: authentication, codes, expiry, otp, security, csharp
---

## Authentication Codes Must Expire Quickly

Authorization codes, OTPs, and email verification tokens must have short lifetimes, so that an intercepted code is usable only for a brief window.

**Incorrect (long expiry):**

```csharp
// Token stays valid for 24 hours: an intercepted code remains usable all day
var token = GenerateToken();
_cache.Set(token, userId, TimeSpan.FromHours(24));
```

**Correct (short expiry):**

```csharp
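// 5 minutes for OTPs / authorization codes
var token = GenerateToken();
_cache.Set(token, userId, TimeSpan.FromMinutes(5));

// ASP.NET Core Identity: lifetime of data-protection tokens (default is 1 day)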
services.Configure<DataProtectionTokenProviderOptions>(options =>
{
    options.TokenLifespan = TimeSpan.FromMinutes(15); // For password reset / email confirm
});
```

**Tools:** ASP.NET Identity Options, Manual Review
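
The following is an added example, not part of the original rule or of ASP.NET Identity: a small in-memory store that fixes the expiry at issue time and checks it again at redemption, with an injectable clock so the expiry path can be exercised. `ShortLivedCodeStore`, `Issue`, `Redeem`, and the sample user id are hypothetical names chosen for illustration; single-use redemption goes slightly beyond the rule's text but is the usual companion to a short lifetime.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical helper: issues one-time codes with a fixed (absolute) lifetime.
public sealed class ShortLivedCodeStore
{
    private readonly ConcurrentDictionary<string, (string UserId, DateTimeOffset ExpiresAt)> _codes = new();
    private readonly TimeSpan _lifetime;
    private readonly Func<DateTimeOffset> _now; // injectable clock so expiry is testable

    public ShortLivedCodeStore(TimeSpan lifetime, Func<DateTimeOffset>? now = null)
    {
        _lifetime = lifetime;
        _now = now ?? (() => DateTimeOffset.UtcNow);
    }

    public string Issue(string userId)
    {
        // 32 random bytes from the OS CSPRNG, hex-encoded.
        var code = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _codes[code] = (userId, _now() + _lifetime); // expiry fixed at issue time, never extended
        return code;
    }

    // Returns the user id for a valid code, or null if unknown, expired, or already used.
    public string? Redeem(string code)
    {
        // TryRemove makes the code single-use even under concurrent requests.
        if (!_codes.TryRemove(code, out var entry)) return null;
        return _now() <= entry.ExpiresAt ? entry.UserId : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        var clock = DateTimeOffset.UtcNow;
        var store = new ShortLivedCodeStore(TimeSpan.FromMinutes(5), () => clock);

        var fresh = store.Issue("user-1");                     // constructed sample user id
        clock += TimeSpan.FromMinutes(4);                      // still inside the 5-minute window
        Console.WriteLine(store.Redeem(fresh) ?? "rejected");  // first use of a live code
        Console.WriteLine(store.Redeem(fresh) ?? "rejected");  // replay of the same code

        var stale = store.Issue("user-1");
        clock += TimeSpan.FromMinutes(6);                      // past the 5-minute window
        Console.WriteLine(store.Redeem(stale) ?? "rejected");  // expired code
    }
}
```

Codes that are never redeemed are not evicted by this sketch; a production store needs a periodic sweep or a cache entry with absolute (not sliding) expiration, since sliding expiration would extend a code's life on every lookup.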
