Last modified: 2014-05-11 09:34:40 UTC
Right now the window size is hardcoded to (I think) 30 seconds and the leniency is hardcoded to 4 windows. They should be configurable.
I should also note that the TOTP RFC recommends using a window size of 30 seconds and a leniency of 1 window in each direction. If WMF uses NTP on their servers, that should not be an issue since most TOTP apps have time synchronization.
Change 132784 had a related patch set uploaded by Parent5446: Make authentication window size and leniency configurable https://gerrit.wikimedia.org/r/132784