Synchronizing OTP Devices
Synchronous authentication devices implement a system of one-time passwords by creating a sequence of passwords that are synchronized in some manner with host systems.
ActivID Appliance supports synchronization between a device and a host system by means of a clock or counter mechanism, or both. Each synchronous device (for example, an ActivID Token or a Mini Token) has a clock, a counter, or both. The clock is synchronized with the internal system clock of the host system. The counter is synchronized with the individual counter held for that device on the host system.
The one-time password generated by the device is a function of the device clock or counter values, or both. When the device and the host system are synchronized, the host successfully recreates the one-time password and authenticates the user.
However, a device can become out of synchronization with a host system. In this case, the host system cannot successfully recreate the one-time password and the user cannot be authenticated by using the device. The device must be re-synchronized with the host system. Depending upon the device, it can be re-synchronized automatically or manually.
Authentication Process
The authentication process using devices can be briefly summarized in the following steps:
-
The user enters an OTP derived from the device clock and counter.
-
ActivID Appliance checks the OTP using clock and/or event counter values defined by:
-
Allowed clock offset (that is, to handle the clock drift of a hardware device)
-
Allowed counter difference (that is, when the user generated some OTPs on his device without using them to authenticate)
-
-
If the OTP is valid, ActivID Appliance authenticates the user (and resynchronizes the event and clock counters for the user’s device, if needed).
ActivID Appliance enables users to authenticate with their devices using authentication methods such as PAP or MSCHAP/CHAP:
-
PAP authentication – the OTP is directly sent to the authentication server. The server checks the value within the range of allowed values.
-
MSCHAP/CHAP authentication – the hash of the OTP is sent to the authentication server. The server generates OTPs within the allowed range and hashes them to find one that matches with the received hash.
Devices Time Granularity
The device's clock granularity has an impact on the synchronization process. Time granularity defines the particles of times during which the OTP remains the same when generated by the device.
-
For devices using the HID-patented Synchronous Authentication algorithm (HID and ActivIdentity devices):
- If granularity=8, the time step is 2^8 half seconds = 256*0.5 = 128s (OTP remains the same for 128s).
- If granularity=6, the time step is 2^6 half seconds = 64*0.5 = 32s (OTP remains the same for 32s).
-
For devices using the OATH time-based (TOTP) algorithm, the granularity is equal to the time step and is usually equal to 30 seconds.
For information on how to set all parameters linked to Time granularity according to your device Time granularity value, see Method 1: Automatic resynchronization at authentication and Resynchronization Using ActivID Management Console.
Device Synchronization Methods
There are two methods to make sure devices remain synchronized with ActivID Appliance:
Each time the user authenticates, resynchronization is made using:
- The default basic synchronization window
- An extended synchronization window (if it has been configured, and if the resynchronization failed with default window)
The default window cannot be changed (except for except for OATH devices imported with PSKC files as per note below) and a first check will be made against it. However, various methods can be used to repeat the resynchronization attempt using an extended window when the resynchronization fails using the default window.
The following table describes the default basic Synchronization Window
Devices | Default Window | Comment | Example |
---|---|---|---|
HID Synchronous Authentication (AI) devices |
[-5,+4] *time steps |
The value cannot be changed. |
If the user’s devices clock is 8 minutes ahead of the server clock (or 10 minutes behind), the server will resynchronize the device successfully (with a clock granularity of 8). |
OATH event-based devices (HOTP) |
10 |
For more information, refer to Configure Credential Types. |
If the user generates 9 OTPs on a device without using them, the server will resynchronize the device successfully when the user authenticates with the 10th OTP. |
OATH time-based devices (TOTP) |
20 |
For more information, refer to Configure Credential Types. |
If the user’s device clock is 10 minutes ahead of the server clock (or 10 minutes behind), the server will resynchronize the device successfully (with a time step equal to 30 seconds). |
Either you can executed this operation or the user can in the ActivID Self-Service Portal.
-
Automatic resynchronization – you can either enter the device OTP value in the ActivID Management Console Device Synchronization menu or the user selects the “I have a problem” option in the ActivID Self-Service Portal menu (refer to the ActivID Self-Service Portal User Guide available from the ActivID Customer Portal).
- Manual resynchronization – enter the clock and counter values in the ActivID Management Console Device Synchronization menu.
Topics in this section: