We plan to use OTP in our company.
Everything is fine except I don't understand these two parameters:
"Maximum passcode offset" and "Maximum initial passcode offset"
I read the definitions:
But I just don't get it.
Can someone explain them to me with examples?
You're right. Another example of an engineer writing documentation that he understands is correct, but is impenetrable for others that don't already know what he's saying.
Cheers - Bob
Glad to see that I'm not the only one :)
I read this about 10 times but I just don't get it.
For the moment I have left the default values, but I would be glad if it could be explained.
Hello DeltaSM, thank you for reaching out to the community. Timestep settings:

# Default token timestep - 30s
The interval in seconds at which new OTP codes are generated.

# Maximum passcode offset - 1
Maximum number of timesteps an earlier or later verification code remains valid.

# Maximum initial passcode offset
The maximum offset in which the initially generated code can be used. Default: 10
Thanks & Regards,
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
I think you will understand this, if you read the complete section about OTP timesteps.
The first thing you need to know is that time has to be in sync between UTM and OTP tokens, being it hardware or software tokens.
As this is sometimes not accurate enough, there is a tolerance allowed.
Next thing, there is a "timestep" defined by the hardware supplier; this is normally either 30 or 60 seconds. This is your interval between the changes of the OTP codes (the "timestep").
Have a look here: https://docs.sophos.com/nsg/sophos-utm/utm/9.708/help/en-us/Content/utm/utmAdminGuide/AuthServicesOneTimePassword.htm
Mit freundlichem Gruß, best regards from Germany,
New Vision GmbH, Germany
Sophos Silver-Partner
Sorry guys, I stand by my comment. Even though I know how this works, the description isn't written for users. It's a programmer describing his work to other programmers in the same group. Certainly, no documentalist would have written that description.
Bob, I agree.
Just tried to explain to DeltaSM.
Hello jprusch and Vivek Jagad, thank you for your answers, but like BAlfson I still don't get it. I read the documentation several times, but I need an example to figure it out.
I understand OTP in general and I already use hardware tokens and also auto-generated tokens, but I don't understand what these two parameters stand for. So I have left them at the defaults for now. Maybe you have an example for both parameters? Thank you for your time!
Hey DeltaSM, considering the following settings:

# Default token timestep - 30s
-->> Meaning this is the token/OTP validity before it regenerates on your G-Auth or Microsoft Authenticator.

# Maximum passcode offset - 3
-->> Timesteps an earlier or later verification code remains valid. For example, if you specify a value of 3 and the timestep is 30 seconds, the client can use any passcode from the previous 90 seconds or the subsequent 90 seconds as long as the code was not already used. [Number of passcodes outside of the defined timestep that will be accepted]

# Maximum initial passcode offset - 10
-->> Maximum number of timesteps by which the clock of a token can drift between client and server for the first sign-in only. Means if you for example set 10 steps, you restrict the clock of a token to drift no more than 10 seconds between two logins. [For the first authentication process, the token can be out of sync in an extreme way. Here the admin can configure how many offset passcodes should be accepted. After successful authentication, the offset is aligned, which means that the next passcode of the token will be in sync.]
Thank you very much for this ! :)
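As an added illustration of the three settings discussed in this thread (not code from Sophos or from any poster here): a minimal RFC 6238 TOTP verifier in which the "maximum initial passcode offset" is the search window for a token's first sign-in, the "maximum passcode offset" is the window for every later sign-in, and the drift learned at the first success is carried forward so later codes are checked around the token's own clock. The secret, the server time and the TokenRecord/verify names are constructed for this example.

```python
import hmac
import hashlib
import struct

TIMESTEP = 30            # "Default token timestep" in seconds
MAX_OFFSET = 3           # "Maximum passcode offset": timesteps either side, normal sign-ins
MAX_INITIAL_OFFSET = 10  # "Maximum initial passcode offset": first sign-in only


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 64-bit timestep counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class TokenRecord:
    """Server-side state for one enrolled token (constructed for this example)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift = None   # timesteps the token runs ahead (+) or behind (-); None until first success
        self.used = set()   # counters already accepted, so a code cannot be replayed


def verify(rec: TokenRecord, code: str, now: float) -> bool:
    """Accept `code` if it matches some timestep inside the allowed window, once only."""
    server_counter = int(now // TIMESTEP)
    if rec.drift is None:
        # First sign-in: the token clock may be badly out of sync, so search the wide window.
        window, base = MAX_INITIAL_OFFSET, server_counter
    else:
        # Later sign-ins: search the narrow window around the token clock learned earlier.
        window, base = MAX_OFFSET, server_counter + rec.drift
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter in rec.used:
            continue
        if hmac.compare_digest(totp(rec.secret, counter), code):
            rec.used.add(counter)
            rec.drift = counter - server_counter   # re-align to the token's clock
            return True
    return False
```

With a 30 s timestep, a token running 8 timesteps (4 minutes) fast is accepted at first sign-in under the default initial offset of 10, after which only codes within 3 timesteps of the learned drift are accepted.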