Advanced Authentication TOTP users getting authenticated with old tokens? How to tailor the Authentication window such that any token older than 2 minutes is not authenticated ?

Article ID: 8778

Products

CA Advanced Authentication
CA Strong Authentication
CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)

Issue/Introduction

Customers have sometimes raised security concerns when an older TOTP (Time-Based One-Time Password) token can still be used to authenticate. Customers may request that the authentication window for the oldest acceptable TOTP token not exceed, say, 2 minutes. This document discusses the settings in the CA Advanced Authentication Admin Console that control how long such tokens remain valid. In the example discussed, any token that is older than 2 minutes will not authenticate.

Environment

Production

Cause

At a high level, in a two-factor authentication flow the user first enters a username and password into a website and then generates a TOTP token using the OATH TOTP algorithm running locally on a smartphone or another device. The TOTP password is then presented to the server, which runs the same TOTP algorithm to verify it. Note that for verification of a TOTP token to work correctly, the user device (for example a smartphone) needs to be roughly time synchronized with the server. The server side can be configured to accept TOTP tokens only within certain time intervals.

Resolution

Take the specific example where the customer requirement is that no TOTP token more than 2 minutes old be authenticated, with the Time Step for the TOTP issuance profile configured as 60 seconds (1 minute) in the Admin Console screen shot shown below in the Issuance discussion. For this 2 minute interval the settings below are suggested.

The relevant Issuance Profile and Authentication Policy screen settings are discussed below.

1. Log in as Global Admin.

2. Click on the "Services and Server Configuration" tab.

3. Click on the "Strong Authentication" tab.

4. Set the Issuance Profile's "Time Step", which controls how many seconds elapse before a new TOTP token is generated on the user's device (for example a smartphone). On the left hand side, under "CA Mobile OTP (ArcotOTP-OATH)", click on "Issuance" to arrive at the "CA Mobile OTP (ArcotOTP-OATH) Profiles" screen shown below. Set "Token Type" to "TOTP" and "Time Step" to "60" as shown below, then click on "Save".

<Please see attached file for image: Totp2.jpg>

5. To set the required Authentication Policy counters, on the left hand side, under "CA Mobile OTP (ArcotOTP-OATH)", click on "Authentication" to arrive at the "CA Mobile OTP (ArcotOTP-OATH) Authentication Policy" screen shown below.

6. Set the counters OTPCounterAuthLookAhead, OTPCounterAuthLookBack, OTPCounterReSyncLookBack and OTPCounterReSyncLookAhead to 1 (for this specific case, where TOTP tokens older than 2 minutes will NOT authenticate). With a 60 second Time Step, a look-back of 1 means the server accepts the current time step and the one before it, so the oldest token it will still accept was generated at most 2 minutes ago.

OTPCounterAuthLookAhead : 1 

OTPCounterAuthLookBack : 1 

OTPCounterReSyncLookAhead : 1 

OTPCounterReSyncLookBack : 1 

<Please see attached file for image: Totp1.jpg>

Additional Information

None. 

Attachments

1558700862208000008778_sktwi1f5rjvs16p8g.jpeg
1558700860218000008778_sktwi1f5rjvs16p8f.jpeg