[Freeipa-users] OTP and time step size

Petr Vobornik pvoborni at redhat.com
Mon Apr 25 16:18:51 UTC 2016


On 04/22/2016 08:55 AM, Prashant Bapat wrote:
> Hi,
> 
> We have been using the OTP feature of FreeIPA extensively for users to login to 
> the web UI. Now we are rolling out an external service using the LDAP 
> authentication based on FreeIPA and OTP.
> 
> End users typically login rarely to the web UI. Only to update their SSH keys 
> once in 90 days.
> 
> However, to the new service based on FreeIPA's LDAP they would be logging in 
> multiple times daily.
> 
> Here is an observation: FreeIPA's OTP mechanism is very stringent in requiring 
> the current token to be inside the 30 second window. Because of this there might 
> be a sizable percentage of users who will have to retry login. Obviously, this 
> is a bad user experience.
> 
> As per the RFC-6238 <http://www.rfc-base.org/txt/rfc-6238.txt> section 5.2, we 
> could allow 1 time step and make the user experience better.
> 
> Can this be done by changing a config, or does it involve a patch/code change? 
> Any pointers to this appreciated.
> 
> Thanks.
> --Prashant
> 

FreeIPA works with both time-based OTP tokens (TOTP) and counter-based
OTP tokens (HOTP). TOTP uses a 30s time interval by default. An
administrator can set a custom clock interval during creation of a
token, but the self-service Web UI doesn't show this option. Users can
still use it in the CLI though.

An alternative is HOTP, which doesn't use a time interval, so the UX
issue is not present there. It can also be created in user self-service.
-- 
Petr Vobornik
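As an added illustration (not code from the thread or from FreeIPA), the RFC 6238 check below takes a configurable step size and acceptance window, using the RFC 4226/6238 test secret as a constructed key. It shows why a code generated just before a 30-second boundary fails a strict validator, and what each remedy discussed above (a one-step window per RFC 6238 section 5.2, or a longer clock interval) changes.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference test secret (ASCII "12345678901234567890"),
# used here as a constructed example key; a real token secret is random.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of whole `step`-second intervals since the epoch."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                window: int = 0, digits: int = 6) -> bool:
    """Accept the current step plus `window` steps on either side (RFC 6238 section 5.2).

    window=0 is the strict behaviour described in the thread. window=1 accepts
    three codes at any instant (previous, current, next), so it also triples the
    number of values a single guess can match; keep the window as small as works.
    """
    current = now // step
    return any(hmac.compare_digest(hotp(secret, current + k, digits), code)
               for k in range(-window, window + 1))


def demo() -> dict:
    """User generates a code at t=29 (step 0); the server validates it 2 seconds later (step 1)."""
    code = totp(SECRET, 29)  # "755224", the RFC 4226 test vector for counter 0
    return {
        "code": code,
        "strict": verify_totp(SECRET, code, now=31, window=0),    # False: boundary crossed
        "one_step": verify_totp(SECRET, code, now=31, window=1),  # True: previous step accepted
        "too_old": verify_totp(SECRET, code, now=95, window=1),   # False: step 3 sees only 2..4
        # Longer clock interval instead of a window: t=29 and t=31 share 60s step 0.
        "wide_step": verify_totp(SECRET, totp(SECRET, 29, step=60), now=31, step=60),  # True
    }


if __name__ == "__main__":
    print(demo())
```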
