FAQ’s for settings HOTP times based credentials


Article ID: 156892


Updated On:


VIP Authentication Service



Review the following before modifying the settings below:
 How do I determine the right settings for my Web site?

 Configure the security settings manually only if you fully understand each setting. Your selections result in a tradeoff between convenience for your users and security. When you  increase the settings, you also increase the number of valid security codes the validation server accepts. This potentially elevates the security risk. If you are uncertain about setting the  window sizes, use one of the predefined security levels suitable for your organization's security needs.

What happens when a user enters too many invalid security codes?

 When a user enters too many invalid security codes, their credential is locked and they cannot use it to sign in to their accounts. The user must contact your support department to  unlock their credential. The Maximum Validation Failures setting controls the number of invalid security codes allowed before a credential locks.

 How are security codes validated?

 HOTP time-based credentials contain an internal clock that is used with a unique key stored in the credential to generate security codes. The Symantec validation server has a copy of the  credential key and clock time, and can generate the same security codes as the credential. Over time, the credential clock may speed up or slow down and get out of synchronization  with the validation server clock. The time difference between the credential clock and the validation server clock is called drift. Because there is often a time difference between the two  clocks, the validation server checks security codes for a range of time drift and accepts any security code within that range. The Validation Window sets the range of time drift. The  validation server rejects security codes that are outside of the Validation Window.

What happens when the time drift is beyond the Validation Window?

 When you enable Auto Sync, the validation server automatically synchronizes its clock with the credential clock. The Auto Sync Window sets the range of time drift that triggers an  automatic synchronization. When drift gets beyond the Auto Sync Window, the user can manually synchronize their credential by entering two consecutive security codes. The Manual  Sync Window sets the range of time drift in which the user can perform a manual synchronization.

 What happens when the time drift is beyond the Manual Sync Window?

 When the amount of drift is beyond the Manual Sync Window, the credential becomes unusable and the user must obtain a new credential.

For more information, click Help and Support in the upper-right corner of VIP Manager.