Customers sometimes raise a security concern when an older TOTP (Time-Based One-Time Password) token can still be used to authenticate, and may require that the authentication window for the oldest acceptable TOTP token not exceed, say, 2 minutes. This document describes the settings in the CA Advanced Authentication Admin Console that control the expiry time for such tokens. In the example discussed, any token older than 2 minutes will not authenticate.
Production
At a high level, for two-factor authentication the user first enters a username and password into a website, then supplies a TOTP token generated by the OATH TOTP algorithm running locally on a smartphone or another device. The token is sent to the server, which runs the same TOTP algorithm and compares its result with the value the user presented. For verification to work correctly, the user's device (for example a smartphone) must be roughly time-synchronized with the server. The server side can be configured to accept TOTP tokens only within a certain time interval, expressed as a number of time steps before and after the current one. Keep that window as small as device clock drift allows: every additional step is one more code that the server will accept at any given moment.
Taking the specific example where the customer requirement is that no TOTP token more than 2 minutes old be authenticated (with the Time Step for the TOTP issuance profile configured as 60 seconds, that is 1 minute, as in the Admin Console screenshot in the Issuance discussion below), the settings below give a 2-minute acceptance interval.
The Issuance Profile and Authentication Policy screen settings are discussed below.
1. Login as Global Admin
2. Click on "Services and Server Configuration" tab.
3. Click on "Strong Authentication" tab.
4. Set the Issuance Profile's "Time Step", which controls how many seconds elapse before a new TOTP token is generated on the user's device (for example a smartphone). On the left-hand side, under "CA Mobile OTP (ArcotOTP-OATH)", click "Issuance" to arrive at the "CA Mobile OTP (ArcotOTP-OATH) Profiles" screen shown below. Set "Token Type" to "TOTP" and "Time Step" to "60" as shown below, then click "Save".
[Image: Totp2.jpg, the "CA Mobile OTP (ArcotOTP-OATH) Profiles" screen with Token Type set to TOTP and Time Step set to 60]
5. To set the required Authentication Policy counters, on the left-hand side, under "CA Mobile OTP (ArcotOTP-OATH)", click "Authentication" to arrive at the "CA Mobile OTP (ArcotOTP-OATH) Authentication Policy" screen shown below.
6. Set the counters OTPCounterAuthLookAhead, OTPCounterAuthLookBack, OTPCounterReSyncLookBack and OTPCounterReSyncLookAhead to 1 for this specific case. With a 60-second Time Step, a look-back of 1 means the server accepts the token for the current time step and the one before it, so a token older than 2 minutes will NOT authenticate. Note that the window is counted in whole time steps, not in seconds: depending on where the server clock sits within the current step, the oldest token still accepted may be anywhere between 1 and 2 minutes old, and a device whose clock has drifted by more than one step will fail to authenticate until it is re-synchronised.
OTPCounterAuthLookAhead : 1
OTPCounterAuthLookBack : 1
OTPCounterReSyncLookAhead : 1
OTPCounterReSyncLookBack : 1
[Image: Totp1.jpg, the "CA Mobile OTP (ArcotOTP-OATH) Authentication Policy" screen with the four counters set to 1]
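As an added illustration that is not part of the original article and not the CA product's own code, the following Python verifier implements RFC 6238 TOTP and applies a look-back/look-ahead window in whole time steps, the way the OTPCounterAuthLookBack and OTPCounterAuthLookAhead values above are described (the assumption here is that the product counts them as time steps; the seed, the fixed server time and the token ages are constructed for the demo). It shows why a 60-second step with look-back 1 guarantees that nothing older than 2 minutes is accepted, and also that a token only 90 seconds old can already fall outside the window.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226 test key, NOT a production secret. In the
# product each device is provisioned with its own seed at issuance.
SECRET = b"12345678901234567890"
TIME_STEP = 60  # seconds; matches the Issuance Profile "Time Step" discussed above


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, time_step: int = TIME_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(T / X). This is what the device runs."""
    return hotp(secret, unix_time // time_step, digits)


def verify_totp(secret, otp, server_time, time_step=TIME_STEP,
                look_back=1, look_ahead=1, digits=6):
    """Server-side check. Returns the step offset (-look_back..+look_ahead) at which
    `otp` matched, or None if it matched no step in the window.

    look_back / look_ahead play the role of OTPCounterAuthLookBack /
    OTPCounterAuthLookAhead (assumption: counted as whole time steps).
    Every step in the window is another code the server will accept, so keep the
    window as small as device clock drift allows.
    """
    current = server_time // time_step
    for step_offset in range(-look_back, look_ahead + 1):
        candidate = hotp(secret, current + step_offset, digits)
        if hmac.compare_digest(candidate, otp):  # constant-time compare
            return step_offset
    return None


def demo():
    """Constructed scenario: server clock fixed at 1700000000 (20 s into a 60 s step).
    Compares the strict policy from the article (look-back 1) with a wider one."""
    now = 1_700_000_000
    results = {}
    for age in (30, 90, 150):  # seconds since the device generated the code
        otp = totp(SECRET, now - age)
        results[age] = {
            "lookback_1": verify_totp(SECRET, otp, now, look_back=1),
            "lookback_2": verify_totp(SECRET, otp, now, look_back=2),
        }
    return results
    # {30: {'lookback_1': -1, 'lookback_2': -1},
    #  90: {'lookback_1': None, 'lookback_2': -2},   # 90 s old is already two steps back
    #  150: {'lookback_1': None, 'lookback_2': None}}


if __name__ == "__main__":
    for age, outcome in demo().items():
        print(f"token {age:3d}s old: {outcome}")
```

The window only bounds how old a code may be; a production verifier should additionally refuse a code that has already been accepted within the window (replay of a still-valid token), and the OTPCounterReSync* counters, which govern re-synchronisation of a drifted device, are not modelled here.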