Configure OTP Device Synchronization

Automatic Resynchronization at Authentication

By default, the parameters for "Automatic resync at Authentication" are defined in the initial ActivID Appliance configuration.

To change these parameters, the following options are available depending on your device, credential type and the authentication mode used:

The following table describes the Automatic Resynchronization at Authentication Parameters

Devices Credential Type AUTH MODE Method

 

Set Auto Sync Flag Edit Credential Adapter Parameters

ActivIdentity Hardware devices

(with SDBCRED credential adapter)

CT_AIAT

CT_AIAEOE

PAP

If the flag autosync is set, sync windows are automatically extended to:

  • Counter: 30

  • Time offset =+/-3600s

The default window is
[-5,+4] time steps and 10 counter values.

If the flag autosync is not set, you can define a synchronization window superior to the default window using these parameters for the large windows:

  • Time Start/End

  • Time increment

  • Event End

OATH hardware and Soft Token devices

 

(with OATHCRED credential adapter)

CT_AIOT

CT_AIOE

CT_OATH CT_AST_XXX

CT_ST_XXX

PAP

If the flag autosync is set, sync windows are automatically  extended to:

  • Counter: 30

  • Time offset =+/-3600s

The default window is +-20 time steps for TOTP, and 10 counter values for HOTP.

If the flag autosync is not set, you can define  a synchronization window superior to the default window using these parameters for the large windows:

  • Time Start/End

  • Time increment

  • Event End

All devices

CHAP/ MSCHAP

Autosync flag is not applicable

You can define a small and a large synchronization windows using these parameters:

  • Time Start/End

  • Time increment

  • Event End

The small window is just used to optimize the OTP verification. The small window is tried first and, only if it fails, the server will use the large window to verify the OTP.

Edit the Credential Adapter Parameters

For the credential adapter, you can define the synchronization windows to be used when checking the OTP. These windows will be used when either one of them (or both of them) exceed the default ones.

  1. Find the Credential Type used by your device.

  2. Edit the associated Credential Type adapter and OTP synchronization parameters as required:

    Credential Type Adapter Parameters Extending the Time Resync Window to 10 min (+/- 5 min) for a Time Device with a Granularity of 6 Extending the Event Resync Window to 20 for an Event Device

    Time Start From (For the small OTPWindow)

    -2

     

    Time End To (For the small OTPWindow)

    2

     

    Time Start From (For the large OTPWindow)

    -10

     

    Time End To (For the large OTPWindow)

    10

     

    Time Increment By

    Important: You must set this value according to the device's time granularity.

    32

     

    Event End To (For Small OTPWindow)

     

    10

    Event End To (For Large OTPWindow)

     

    20

Note:
  • In CHAP mode, the small window will be used first to generate OTPs (to optimize the process) and, if it fails, the larger window will then be used to generate OTPs (to compare with the received hash).

  • In PAP mode, if the large window in the credential type adapter is used, the clock round will cause the “effective” window to be slightly larger than the one theoretically set. OTPs generated by a device within the same time step will be the same (that is, an OTP generated in the very first second of a time step will be the same as that generated in the very last second). As a result, the exact validity of an OTP will vary of up to 1 time step, depending on the exact time of its generation and of its verification.

  • This is true (and by design) for all time-based OTP algorithms, both ActivIdentity and OATH/TOTP.

Set Auto Sync Flag (for PAP Mode Only)

When importing or activating your devices, you can increase the synchronization window by using an auto sync flag. It can be set to the 3 values below.

0: Default means no extension

1: Increased synch window at first use

2: Increased synch window

When values 1 or 2 are used, the extended synchronization windows will be set to hard-coded values shown in The following table describes the Automatic Resynchronization at Authentication Parameters.

You can set the flag when importing your hardware devices in the ActivID Management Console:

In the Import Device screen set the Auto synchronization configuration option to either:

  • Increased sync window at first use or

  • Increased sync window.

Important: The autosyncflag is not used in the CHAP/MSCHAP mode.

Resynchronization Using ActivID Management Console

The Automatic and manual resync through ActivID Management Console parameters are defined by default in the initial ActivID Appliance configuration.

To change these parameters and adapt them as required, you can follow the procedures below for the Automatic resync and the manual resync options.

Automatic Resync Option Parameters

During automatic resynchronization through the ActivID Management Console the following parameters are used and can be configured as required:

Device Type Parameters Example for a Time Device (DT_MIN_OT) Example for an Event device (DT_MIN_OE)

Synchronization Mode

“Support All” or “Only Automatic”

“Support All” or “Only Automatic”

Base Synchronization Mode

“Both” or “Clock”

“Both” or “Counter”

Time Offset Start (seconds)

-3600

 

Time Offset End (seconds)

3600

 

Counter range

 

200

Device Type Adapter Parameters

Example for a Time Device

(DT_MIN_OT)

Example for an Event device

(DT_MIN_OE)

Auto resynch credentials to use

CT_AIOT

CT_AIOE

Manual Resync Option Parameters

During manual resynchronization through the ActivID Management Console, the following parameters are used and must be configured as required:

Device Type Parameters Example for a Time Device Example for an Event device

Synchronization Mode

“Support All” or “Only Manual”

“Support All” or “Only Manual”

Base Synchronization Mode

“Both” or “Clock”

“Both” or “Counter”

Device Type Adapter Parameters

Example for a Time Device

Example for an Event device

Manual resynch credentials to use

CT_AIOT

CT_AIOE

Once these parameters are set, enter the following information in the ActivID Management Console to resynchronize the device:

  • CLOCK Value displayed on device

  • COUNTER Value displayed on device