The device registration process is not complete until the user submits a one-time authentication code that was generated using the secret key on the registration page, and the server validates it. The Google Authenticator app generates a 6-digit code, and the user enters the code on the Authentication Code page. In Google Authenticator, the user scans the Quick Response (QR) code displayed on the browser, or manually enters the security key. On the mobile device, the user starts Google Authenticator and adds an account for CloudAccess. TOTP creates a secret key for the user and displays it in text and Quick Response (QR) code format in the computer web browser. The ReCAPTCHA is not used if the OTP is incorrect. If you enable both the Google ReCAPTCHA tool and the TOTP tool in CloudAccess, ReCAPTCHA works only for the user’s login password, and not for the one-time password. Shorter validity times are considered to be more secure than longer ones. You can specify integer values from 2 to 10. The validity window is 2.5 minutes before and 2.5 minutes after the password’s received timestamp, plus 30 seconds. A time-step is 30-seconds.įor the TOTP tool, the default validity time setting is 5 minutes. To allow for time differences, the Validity Time setting allows a submitted OTP to be considered valid if it matches a server-generated OTP for any time-step that occurs in a specified validity window centered on its received timestamp, plus 30 seconds. Common causes include clock time drift, network latency, and slow data entry. Time differences between the TOTP validation server and a mobile device can result in a mismatch of the OTP, and subsequent login failure. Users should synchronize the clocks on their mobile devices with their service providers’ networks, which are typically aligned with atomic clocks. If you cluster the CloudAccess appliances, ensure that the member nodes in the cluster point to the same centrally located time server. To minimize time drift, you should configure the network time protocol (NTP) on the CloudAccess appliance so its clock stays accurate. The TOTP algorithm assumes that the system times are synchronized. With time-based OTP, the TOTP validation server and software-token app use their respective system times to generate OTPs. The entered code is sent securely to CloudAccess through HTTPS (Secure HTTP) encryption on TCP port 443. It cannot be easily duplicated and reused elsewhere. Each OTP is intended for use by only one user, is valid for a specific period of time, and becomes invalid after the user successfully logs in. The one-time password secret keys, code generation, and code verification are based on the industry standard HMAC-SHA1 token algorithm that is defined in the IETF RFC 6238.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |