HOTP (Duo-protected accounts) passcodes are valid until they have been used. If a second passcode is generated and used before the first, then the first becomes invalid. The passcode will remain on display until you either generate another passcode or close the application. If you “hide” a passcode by pressing the arrow icon, the code will refresh if it has been in use for over 15 seconds since it was issued.

TOTP (used to protect third-party accounts) passcodes in Duo are generated in 30-second windows. This means every 30 seconds from the moment the code is revealed to the user a new TOTP passcode is generated. The actual expiration time of the code depends on the third-party service receiving the code.

Duo Mobile can also generate TOTP passcodes for Offline Access on the Duo Authentication for Windows Logon (RDP) application. These passcodes are generated in 30-second windows. The clocks on the Windows machine and the mobile device generating these passcodes must be in sync, within 120 seconds of each other, in order for authentication with these passcodes to succeed.

Related Article:

• Why is the Duo Mobile app third-party passcode timer not in sync with other authenticator app timers?