TOTP users getting authenticated with old tokens? How to tailor the authentication window such that any token older than 2 minutes is not authenticated?

Document ID : KB000008778
Last Modified Date : 14/02/2018
Issue:

Background

Customers have sometimes raised security concerns when an older TOTP (Time-Based One-Time Password) token can still be used to authenticate. Customers may request that the authentication window for the oldest accepted TOTP token not exceed, say, 2 minutes. This document discusses the settings in the CA Arcot Admin Console that allow one to set the expiry time for such tokens. In the example discussed, any token that is older than 2 minutes will not authenticate.


Environment:
Production
Cause:

At a high level, with two-factor authentication the user first enters a username and password into a website, and then enters a TOTP token generated by the TOTP algorithm running locally on a smartphone or another device. The TOTP password is presented to the server, which also runs the TOTP algorithm to verify the provided password. Note that for the verification of a TOTP token to work correctly, the user's device (for example a smartphone) needs to be roughly time-synchronized with the server. The server side can be configured to accept TOTP tokens within certain time intervals only. The CA Arcot TOTP solution allows for such configuration.

Resolution:

Taking a specific example where the customer requirement is that no TOTP token more than 2 minutes old be authenticated (the Time Step for the TOTP issuance profile is configured as 60 seconds, i.e. 1 minute, in the Admin Console screenshot in the Issuance discussion below), the settings below are suggested for a 2-minute interval.


The Issuance Profile and Authentication Policy screen settings are discussed below.

1. Login as Global Admin

2. Click on the "Services and Server Configuration" tab.

3. Click on the "Strong Authentication" tab.

4. Set the Issuance Profile's "Time Step", which controls how many seconds elapse before a new TOTP token is generated on the user's device (for example a smartphone). On the left-hand side, under "CA Mobile OTP (ArcotOTP-OATH)", click on "Issuance" to arrive at the "CA Mobile OTP (ArcotOTP-OATH) Profiles" screen shown below. Set "Token Type" to "TOTP" and "Time Step" to "60" as shown below, then click on "Save".

(Screenshot Totp2.jpg: "CA Mobile OTP (ArcotOTP-OATH) Profiles" screen with Token Type "TOTP" and Time Step "60")

5. To set up the required Authentication Policy counters, on the left-hand side, under "CA Mobile OTP (ArcotOTP-OATH)", click on "Authentication" to arrive at the "CA Mobile OTP (ArcotOTP-OATH) Authentication Policy" screen shown below.

6. Set the counters OTPCounterAuthLookAhead, OTPCounterAuthLookBack, OTPCounterReSyncLookBack and OTPCounterReSyncLookAhead to 1 (for this specific case, where TOTP tokens older than 2 minutes will NOT authenticate):


OTPCounterAuthLookAhead : 1 

OTPCounterAuthLookBack : 1 

OTPCounterReSyncLookAhead : 1 

OTPCounterReSyncLookBack : 1 


(Screenshot Totp1.jpg: "CA Mobile OTP (ArcotOTP-OATH) Authentication Policy" screen with the four counters set to 1)


Additional Information:

None.