Configure OTP Device Synchronization
Automatic Resynchronization at Authentication
By default, the parameters for "Automatic resync at Authentication" are defined in the initial ActivID Appliance configuration.
To change these parameters, the following options are available depending on your device, credential type and the authentication mode used:
The following table describes the Automatic Resynchronization at Authentication Parameters
Devices | Credential Type | AUTH MODE | Method | |
---|---|---|---|---|
|
Set Auto Sync Flag | Edit Credential Adapter Parameters | ||
ActivIdentity Hardware devices (with SDBCRED credential adapter) |
CT_AIAT CT_AIAEOE |
PAP |
If the flag autosync is set, sync windows are automatically extended to:
|
The default window is If the flag autosync is not set, you can define a synchronization window superior to the default window using these parameters for the large windows:
|
OATH hardware and Soft Token devices
(with OATHCRED credential adapter) |
CT_AIOT CT_AIOE CT_OATH CT_AST_XXX CT_ST_XXX |
PAP |
If the flag autosync is set, sync windows are automatically extended to:
|
The default window is +-20 time steps for TOTP, and 10 counter values for HOTP. If the flag autosync is not set, you can define a synchronization window superior to the default window using these parameters for the large windows:
|
All devices |
CHAP/ MSCHAP |
Autosync flag is not applicable |
You can define a small and a large synchronization windows using these parameters:
The small window is just used to optimize the OTP verification. The small window is tried first and, only if it fails, the server will use the large window to verify the OTP. |
Edit the Credential Adapter Parameters
For the credential adapter, you can define the synchronization windows to be used when checking the OTP. These windows will be used when either one of them (or both of them) exceed the default ones.
-
Find the Credential Type used by your device.
-
Edit the associated Credential Type adapter and OTP synchronization parameters as required:
Credential Type Adapter Parameters Extending the Time Resync Window to 10 min (+/- 5 min) for a Time Device with a Granularity of 6 Extending the Event Resync Window to 20 for an Event Device Time Start From (For the small OTPWindow)
-2
Time End To (For the small OTPWindow)
2
Time Start From (For the large OTPWindow)
-10
Time End To (For the large OTPWindow)
10
Time Increment By
Important: You must set this value according to the device's time granularity.32
Event End To (For Small OTPWindow)
10
Event End To (For Large OTPWindow)
20
-
In CHAP mode, the small window will be used first to generate OTPs (to optimize the process) and, if it fails, the larger window will then be used to generate OTPs (to compare with the received hash).
-
In PAP mode, if the large window in the credential type adapter is used, the clock round will cause the “effective” window to be slightly larger than the one theoretically set. OTPs generated by a device within the same time step will be the same (that is, an OTP generated in the very first second of a time step will be the same as that generated in the very last second). As a result, the exact validity of an OTP will vary of up to 1 time step, depending on the exact time of its generation and of its verification.
This is true (and by design) for all time-based OTP algorithms, both ActivIdentity and OATH/TOTP.
Set Auto Sync Flag (for PAP Mode Only)
When importing or activating your devices, you can increase the synchronization window by using an auto sync flag. It can be set to the 3 values below.
0: Default means no extension
1: Increased synch window at first use
2: Increased synch window
When values 1 or 2 are used, the extended synchronization windows will be set to hard-coded values shown in The following table describes the Automatic Resynchronization at Authentication Parameters.
You can set the flag when importing your hardware devices in the ActivID Management Console:
In the Import Device screen set the Auto synchronization configuration option to either:
-
Increased sync window at first use or
-
Increased sync window.
Resynchronization Using ActivID Management Console
The Automatic and manual resync through ActivID Management Console parameters are defined by default in the initial ActivID Appliance configuration.
To change these parameters and adapt them as required, you can follow the procedures below for the Automatic resync and the manual resync options.
Automatic Resync Option Parameters
During automatic resynchronization through the ActivID Management Console the following parameters are used and can be configured as required:
Device Type Parameters | Example for a Time Device (DT_MIN_OT) | Example for an Event device (DT_MIN_OE) |
---|---|---|
Synchronization Mode |
“Support All” or “Only Automatic” |
“Support All” or “Only Automatic” |
Base Synchronization Mode |
“Both” or “Clock” |
“Both” or “Counter” |
Time Offset Start (seconds) |
-3600 |
|
Time Offset End (seconds) |
3600 |
|
Counter range |
|
200 |
Device Type Adapter Parameters |
Example for a Time Device (DT_MIN_OT) |
Example for an Event device (DT_MIN_OE) |
Auto resynch credentials to use |
CT_AIOT |
CT_AIOE |
Manual Resync Option Parameters
During manual resynchronization through the ActivID Management Console, the following parameters are used and must be configured as required:
Device Type Parameters | Example for a Time Device | Example for an Event device |
---|---|---|
Synchronization Mode |
“Support All” or “Only Manual” |
“Support All” or “Only Manual” |
Base Synchronization Mode |
“Both” or “Clock” |
“Both” or “Counter” |
Device Type Adapter Parameters |
Example for a Time Device |
Example for an Event device |
Manual resynch credentials to use |
CT_AIOT |
CT_AIOE |
Once these parameters are set, enter the following information in the ActivID Management Console to resynchronize the device:
-
CLOCK Value displayed on device
-
COUNTER Value displayed on device