CA Mobile OTP Authentication Fails Due To INVALID OTP Error In A Newly Created Strong Authentication Setup

Article ID: 36177

Products

CA Advanced Authentication

CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)

CA Strong Authentication

Issue/Introduction

During authentication the user gets an "invalid OTP" error even though the correct PIN is entered in the CA Mobile OTP app.

We are implementing the CA Strong Authentication solution using CA Strong Authentication 8.x. Our requirement is to authenticate users via the CA Mobile OTP App using a time-based token. To achieve this we have done the following steps:

1. Installed CA Strong Authentication successfully

2. Created the proper TOTP issuance profile and authentication profile on CA Strong Authentication

3. After this we provisioned the user account by selecting a PIN through the CA Mobile OTP App

4. Now we are trying to authenticate with the OTP which is generated using the same PIN

Cause

The factory setting of "Authentication Look Back Count" and "Synchronization Look Back Count" is 0. If you enable the CA Strong Authentication logs in DETAIL mode, you will see OTP authentication log lines similar to the following:

 - Attempting to use the DK ( Config Name : [DefaultKeySym] ) corresponding to the current ArcotOTP

 - ---------------------------------------------------------------

 - OTPCounterTolerance

 -          OTPCounterAuthLookAhead : 10

 -          OTPCounterAuthLookBack : 0

 -          OTPCounterReSyncLookAhead : 100

 -          OTPCounterReSyncLookBack : 0

 - ---------------------------------------------------------------

 - HandleTOTP:: CurrentTime (epoch) : 1452092371, LastKnownDrift : 0, Step : 30, LastVerifiedCounter = 0

 - HandleTOTP::ReferenceCounter : 48403079, Auth Window: [48403079, 48403089], Sync Window : [48403079, 48403179]

 - FindMatch:: Trying a match between StartingCounter : 48403079, EndCounter : 48403179

 - VerifyOTP Result : INVALID_OTP

As the look back count for authentication/synchronization is 0, the tolerance window only extends forward from the server's current time step (the Auth Window above starts at the ReferenceCounter itself). This matters when the client device (mobile app or desktop client) clock is behind the Strong Authentication Server time (DB time) by a few seconds, or when the user delays submitting the OTP by a few moments, so that the OTP was generated in the previous 30-second step. This small time difference results in the Invalid OTP error.
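The following Python models the window arithmetic shown in the log (an added example, not CA's ArcotOTP-OATH code): it generates a standard RFC 6238 TOTP and verifies it against a window of [ReferenceCounter - look back, ReferenceCounter + look ahead], using the epoch and step from the log. The seed is a constructed sample, and the "counter must exceed LastVerifiedCounter" replay check is an assumption modelled on the logged field, not a documented server behaviour.

```python
# Added illustration of look-back/look-ahead tolerance windows for TOTP.
# Not CA's implementation: RFC 6238 HMAC-SHA1 TOTP plus window rules that
# are an assumption modelled on the Auth Window / LastVerifiedCounter log fields.
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # "Step : 30" in the server log


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def client_otp(secret: bytes, client_epoch: int) -> str:
    """The OTP the app displays, computed from the client's own clock."""
    return hotp(secret, client_epoch // STEP_SECONDS)


def verify_totp(secret: bytes, otp: str, server_epoch: int, last_verified: int = 0,
                look_back: int = 0, look_ahead: int = 10):
    """Return the matched counter, or None (the server's INVALID_OTP result).

    Window is [reference - look_back, reference + look_ahead] like the logged
    Auth Window. Counters at or below last_verified are skipped so an already
    used OTP is not accepted twice (assumed behaviour, not from the article).
    """
    reference = server_epoch // STEP_SECONDS
    for counter in range(reference - look_back, reference + look_ahead + 1):
        if counter <= last_verified:
            continue
        if hmac.compare_digest(hotp(secret, counter), otp):
            return counter
    return None


SECRET = b"constructed-demo-seed-not-a-real-key"  # constructed sample seed
SERVER_EPOCH = 1452092371          # epoch from the log -> ReferenceCounter 48403079
CLIENT_EPOCH = SERVER_EPOCH - 5    # phone clock 5 s behind -> counter 48403078

if __name__ == "__main__":
    otp = client_otp(SECRET, CLIENT_EPOCH)
    print("look back 0 :", verify_totp(SECRET, otp, SERVER_EPOCH, look_back=0))
    print("look back 10:", verify_totp(SECRET, otp, SERVER_EPOCH, look_back=10))
```

With look back 0 the phone's OTP (counter 48403078) falls just outside the window and is rejected; with look back 10 the same OTP matches.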

Environment

CA Strong Authentication 9.x

CA Mobile OTP Android app (any release)

CA Mobile OTP iOS app (any release)

CA Mobile OTP Desktop client (any release)

Credential Type: CA Mobile OTP (ArcotOTP-OATH) - TOTP (time-based OTP)

Resolution

Follow the steps below to configure the server tolerance for a small time difference between the server and the client device:

1. Log in as Global Administrator.

2. Click the Services and Server Configurations tab on the main menu.

3. Click the CA Strong Authentication tab in the submenu.

4. Under the CA Mobile OTP-OATH section, click the Authentication link to display the CA Mobile OTP-OATH Authentication Policy page.

5. Now create/update the Policy Configuration section and increase the values of the following settings:

   - Authentication Look Back Count

   - Synchronization Look Back Count

   You can use the same values as Authentication Look Ahead Count (default 10) and Synchronization Look Ahead Count (default 100).