Thank you @Lukas for this answer. I totally get that. Some systems offer to define an offset windows (up to 10 cycles in general), just to share this information with you.
Would you be interested in implementing the following mecanism ?
– Use NTP time to check TOTP (and user can even select the NTP server he wants to use when installing matomo and later through matomo’s settings)
– If fails use Server Time TOTP
To me this would offer better resilience to server time drift. And it turns to be this is exactly what I am experiencing here, with different behaviors and resiliences from matomo and wordfence and thus, different results (can’t/can access…).