We are using TOTP (https://datatracker.ietf.org/doc/html/rfc6238) for a web application to enhance security. TOTP works on UTC. If the system clock drifts or NTP is not synced, the TOTP generated by an application (like MS Authenticator, Google Authenticator or https://totp.danhersam.com/) will not be the same as the OTP generated by the web app. We thought of adding the current Date+Time+TZ to the error message along with "Invalid TOTP".
So my question is: how can an attacker use information about the website's time (lagging or ahead) in any possible way, and would that make adding date+time+TZ information to the error message a bad idea?
Are there any time based attacks?
`Date` HTTP response header, so displaying this in the UI as well would make no difference.
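The drift problem described in the question, as an added example that is not part of the original posts: an RFC 6238 verifier (HMAC-SHA1, 30-second step) that accepts a small window of adjacent time steps and returns the step offset that matched, so the server can record drift on its own side. The secret is the RFC 6238 Appendix B test secret; the timestamps, the drift values and the names `verify` and `window` are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # RFC 6238 default time step, in seconds


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, server_time: int, window: int = 1):
    """Return the step offset at which the code matched, or None.

    window = number of steps accepted on either side of the server's own step.
    Offsets are tried nearest-first: 0, -1, +1, -2, +2, ...
    """
    for off in sorted(range(-window, window + 1), key=abs):
        candidate = totp(secret, server_time + off * STEP, len(submitted))
        if hmac.compare_digest(candidate, submitted):
            return off
    return None


# Constructed scenario: the user's phone has correct UTC, the server may not.
SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret
TRUE_UTC = 1111111109             # one of the RFC's test timestamps
USER_CODE = totp(SECRET, TRUE_UTC)


def drift_report(drifts=(0, 20, -40, 120)):
    """Map each constructed server clock error (seconds) to the verify() result."""
    return {d: verify(SECRET, USER_CODE, TRUE_UTC + d) for d in drifts}


if __name__ == "__main__":
    for drift, result in drift_report().items():
        status = "rejected" if result is None else f"accepted at offset {result:+d}"
        print(f"server clock {drift:+4d}s: {status}")
```

A non-zero offset logged server-side is a drift signal to watch alongside NTP status; keep the window small, since every extra step accepted lengthens the time a captured code stays valid.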