One-Time Password - Questions about offset configuration

Question

Hello, 
 We plan to use OTP in our company. 
 Everything is fine except I don't understand these two parameters: 
 Maximum passcode offset: Maximum initial passcode offset 
 I read the definitions: 
 
 But I just don't get it. 
 Can someone explain me with examples ? 
 Regards :)

Vivek Jagad · Accepted Answer

Hey DeltaSM , considering the following settings: # Default token timestep - 30s -->> Meaning this is a token/otp validity before it regenerate on your G-Auth or Microsoft authenticator. # Maximum passcode offset - 3 -->> timesteps an earlier or later verification code remains valid, For example, if you specify a value of 3 and the timestep is 30 seconds, the client can use any passcode from the previous 90 seconds or the subsequent 90 seconds as long as the code was not already used. [ Number of passcodes outside of defined timestep that will be accepted] # Maximum initial passcode offset : - 10 ..>> Maximum number of timesteps by which the clock of a token can drift between client and server for the first sign-in only. Means if you for example set 10 steps you restrict the clock of a token to drift no more than 10 seconds between two logins. [For first authentication process, token be be out-of-sync in an extreme way. Here admin can configure how many offset passcodes should be accepted. After successful authentication, offset is aligned, that means that next passcode of toke will be in-sync.]

Vivek Jagad · Answer

Hello DeltaSM , Thank you for reaching out to the community, timestep settings: # Default token timestep - 30s The interval in seconds at which new OTP codes are generated. # Maximum passcode offset - 1 Maximum number of timesteps an earlier or later verification code remains valid. # Maximum initial passcode offset : The maximum offset in which the initially generated code can be used Default: 10

PhilippRusch · Answer

I think you will understand this, if you read the complete section about OTP timesteps. 
 The first thing you need to know is that time has to be in sync between UTM and OTP tokens, being it hardware or software tokens. 
 As this is sometimes not accurate enough, there is a tolerance allowed. 
 Next thing , there is a "timestep" defined be the hardware supplier, this is normally either 30 or 60 seconds. This is your intervall between the changes of the OTP codes (the "timestep"). 
 Have a look here: https://docs.sophos.com/nsg/sophos-utm/utm/9.708/help/en-us/Content/utm/utmAdminGuide/AuthServicesOneTimePassword.htm

One-Time Password - Questions about offset configuration

Top Replies