
Issue 799848


Issue metadata

Status: WontFix
Owner: ----
Closed: Jan 2018
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




OTP not becoming invalid within specific time limit

Reported by aldrin.m...@gmail.com, Jan 8 2018

Issue description

Hello,

While using Google Authenticator, I found that the authenticator OTP generated remains valid for a longer period of time. Testing the application.

Testing the vulnerability, the code doesn't expire within its specific time.

It remains valid until 5 new codes have been generated.

I synced my application but it seems to not fix the problem.

The vulnerability, in broad horizon, seems to keep 5 valid OTPs for a particular login.

Thank you


 
Status: WontFix (was: Unconfirmed)
This does not reflect an issue in Google Chrome, so unfortunately this bug tracker is not the appropriate place to report the issue.

My understanding is that TOTP tokens typically allow use of tokens after expiration for a configurable period to account for the possibility of clock skew between the client and the server.

https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
Both the server and the client compute the token, then the server checks if the token supplied by the client matches the locally generated token. Some servers allow codes that should have been generated before or after the current time in order to account for slight clock skews, network latency and user delays.

https://www.google.com/about/appsecurity/reward-program/ is Google's more general mechanism for reporting security issues in Google's sites and services, but if you're using a Google Library in your service, its bug tracker may be the most appropriate mechanism to ask for clarification.

Project Member

Comment 3 by sheriffbot@chromium.org, Apr 17 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
