CA Mobile OTP Authentication Fails Due To INVALID OTP Error In A Newly Created SA Setup


Article ID: 36177


Products

CA Rapid App Security
CA Advanced Authentication
CA API Gateway

Issue/Introduction

Issue: During authentication the user gets an "invalid OTP" error even though the correct PIN was entered in the CA Mobile OTP app.

We are implementing the CA Strong Authentication solution using CA Strong Authentication 8.x. Our requirement is to authenticate users via the CA Mobile OTP app using a time-based token. To achieve this we have done the following steps:

1. Installed CA Strong Authentication successfully

2. Created the proper TOTP issuance profile and authentication profile on CA Strong Authentication

3. Provisioned the user account by selecting a PIN through the CA Mobile OTP app

4. Attempted to authenticate with the OTP generated using the same PIN

 

Environment:

CA Strong Authentication 8.1

CA Mobile OTP Android app (any release)

CA Mobile OTP iOS app (any release)

CA Mobile OTP Desktop client (any release)

Credential Type: CA Mobile OTP (ArcotOTP-OATH) - TOTP (time-based OTP)

 

Cause:

The factory setting of "Authentication Look Back Count" and "Synchronization Look Back Count" is 0. If you enable the CA Strong Authentication logs in DETAIL mode, you will see OTP authentication logs similar to the following:

 - Attempting to use the DK ( Config Name : [DefaultKeySym] ) corresponding to the current ArcotOTP

 - ---------------------------------------------------------------

 - OTPCounterTolerance

 -          OTPCounterAuthLookAhead : 10

 -          OTPCounterAuthLookBack : 0

 -          OTPCounterReSyncLookAhead : 100

 -          OTPCounterReSyncLookBack : 0

 - ---------------------------------------------------------------

 - HandleTOTP:: CurrentTime (epoch) : 1452092371, LastKnownDrift : 0, Step : 30, LastVerifiedCounter = 0

 - HandleTOTP::ReferenceCounter : 48403079, Auth Window: [48403079, 48403089], Sync Window : [48403079, 48403179]

 - FindMatch:: Trying a match between StartingCounter : 48403079, EndCounter : 48403179

 - VerifyOTP Result : INVALID_OTP

 

Because the look-back count for authentication and synchronization is 0, the server accepts only the counter for its own current time step and the steps ahead of it; no earlier step is tolerated. This matters when the client device (mobile app or desktop client) clock is behind the Strong Authentication server time (DB time) by a few seconds, or when the user delays submitting the OTP by a few moments: the OTP then belongs to an earlier time step than the server's reference counter, falls outside the window, and the server reports Invalid OTP.
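The following is an added example (not CA product code) that reproduces the window arithmetic shown in the log above with a standard RFC 6238 TOTP verifier. The secret and the 5-second client clock skew are constructed for illustration; the server time 1452092371, step 30 and the look-ahead values 10/100 come from the log.

```python
import hashlib
import hmac
import struct

STEP = 30                      # "Step : 30" in the server log
SERVER_EPOCH = 1452092371      # "CurrentTime (epoch)" in the server log
SECRET = b"constructed-demo-secret"   # constructed; not a real credential


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def reference_counter(epoch: int, step: int = STEP) -> int:
    """Time-step counter the server derives from its own clock."""
    return epoch // step


def window(epoch: int, look_ahead: int, look_back: int, step: int = STEP):
    """Inclusive [start, end] counter range the server will try, matching the log's windows."""
    ref = reference_counter(epoch, step)
    return ref - look_back, ref + look_ahead


def verify_totp(secret: bytes, otp: str, server_epoch: int,
                look_ahead: int = 10, look_back: int = 0, step: int = STEP):
    """Return the counter that matched, or None (the server's INVALID_OTP)."""
    start, end = window(server_epoch, look_ahead, look_back, step)
    for counter in range(start, end + 1):
        if hmac.compare_digest(hotp(secret, counter), otp):
            return counter
    return None


def client_otp(skew_seconds: int) -> str:
    """OTP a client whose clock runs `skew_seconds` behind the server would submit."""
    return hotp(SECRET, reference_counter(SERVER_EPOCH - skew_seconds))


def demo(skew_seconds: int = 5):
    """Same OTP checked with the factory look-back (0) and with look-back raised to 10."""
    otp = client_otp(skew_seconds)
    return (verify_totp(SECRET, otp, SERVER_EPOCH, 10, 0),    # None: INVALID_OTP
            verify_totp(SECRET, otp, SERVER_EPOCH, 10, 10))   # 48403078: accepted
```

The server's reference counter for 1452092371 is 48403079, one second past a step boundary, so a client only 5 seconds behind already produces counter 48403078, which lies outside the auth window [48403079, 48403089] until a look-back count is configured.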

 

Resolution:

Follow the steps below to configure the server's tolerance for a small time difference between the server and the client device:

1. Log in as Global Administrator.

2. Click the Services and Server Configurations tab on the main menu.

3. Click the CA Strong Authentication tab in the submenu.

4. Under the CA Mobile OTP-OATH section, click the Authentication link to display the CA Mobile OTP-OATH Authentication Policy page.

5. In the Policy Configuration section, create or update the policy and increase the values of the following settings:

   - Authentication Look Back Count

   - Synchronization Look Back Count

   You can use the same values as Authentication Look Ahead Count (default 10) and Synchronization Look Ahead Count (default 100).

 

Additional Information:

A detailed guide to this configuration is available in the CA Strong Authentication wiki. Below is the link to that page:

Configuring CA Auth ID OTP (OATH-Compliant) Authentication Policy

 

NOTE: This is one of the commonly faced issues with a newly created setup. There can be other reasons for Invalid OTP, e.g. the DB time or the mobile device time is actually incorrect by more than the tolerance window.

Environment

Release: ARCWFT05900-8-Arcot-WebFort-for Windows