[Freeipa-users] OTP and time step size

Petr Vobornik pvoborni at redhat.com
Fri Apr 29 11:34:48 UTC 2016


On 04/29/2016 12:37 PM, Prashant Bapat wrote:
> Hi Petr,
> 
> Thanks for the response. But my question was more towards the cases where there 
> is a slight delay in entering the OTP in the web UI and it reaching the IPA 
> server. This actually can happen with ANY time window.
> 
> There are a couple of scenarios.
> 
> 1. Network delays.
> 2. User enters the OTP token and takes a few seconds before pressing submit.

> 3. User has to enter OTP first and then the password. This is the case when 
> changing password in IPA at the moment when OTP is on.

Actually, the password change scenario is:
1. old password + otp
2. old password + otp2 + new password + confirm new password

> 
> Is there a way to make IPA honor either the current token (obviously!) or 1 
> elapsed token?

Actually it may be done this way, but I'm not sure.

> 
> This will go a long way in making FreeIPA's OTP implementation much more usable.

Either way, as I said in the previous mail, try HOTP tokens. They don't
use time windows and therefore the above is not an issue.

> 
> Thanks.
> --Prashant
> 
> On 25 April 2016 at 21:48, Petr Vobornik <pvoborni at redhat.com> wrote:
> 
>     On 04/22/2016 08:55 AM, Prashant Bapat wrote:
>     > Hi,
>     >
>     > We have been using the OTP feature of FreeIPA extensively for users to login to
>     > the web UI. Now we are rolling out an external service using the LDAP
>     > authentication based on FreeIPA and OTP.
>     >
>     > End users typically login rarely to the web UI. Only to update their SSH keys
>     > once in 90 days.
>     >
>     > However to the new service based on FreeIPA's LDAP they would be logging in
>     > multiple times daily.
>     >
>     > Here is an observation: FreeIPA's OTP mechanism is very stringent in requiring
>     > the current token to be inside the 30 second window. Because of this there might
>     > be a sizable percentage of users who will have to retry login. Obviously, this
>     > is a bad user experience.
>     >
>     > As per the RFC-6238 <http://www.rfc-base.org/txt/rfc-6238.txt> section 5.2, we
>     > could allow 1 time step and make the user experience better.
>     >
>     > Can this be done by changing a config or does it involve a patch/code-change.
>     > Any pointers to this appreciated.
>     >
>     > Thanks.
>     > --Prashant
>     >
> 
>     FreeIPA works with both time-based OTP tokens (TOTP) and counter-based
>     OTP tokens (HOTP). TOTP uses a 30s time interval by default. An administrator
>     can set a custom clock interval during creation of a token, but the
>     self-service Web UI doesn't show this option. Users can still use it in
>     the CLI though.
> 
>     An alternative is HOTP, which doesn't use a time interval, so the UX
>     issue is not there. It can also be created in user self-service.
>     --
>     Petr Vobornik
> 
> 


-- 
Petr Vobornik
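
The thread above turns on two things: how the TOTP time step works (RFC 6238 section 5.2 permits a verifier to accept one elapsed step to absorb entry and network delay), and why HOTP sidesteps the problem (no clock, only a counter). The following is an added example written for this page; it is not FreeIPA's implementation and says nothing about what FreeIPA's server actually accepts. It implements HOTP and TOTP from RFC 4226 / RFC 6238, a TOTP verifier with a configurable step size and a "back" window (the "1 elapsed token" Prashant asks about), and a counter-based HOTP verifier with a look-ahead window and replay protection. The key `RFC_TEST_KEY` and the times used are the published RFC test vectors; the class and function names are this example's own.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP with a configurable time step and a
server-side acceptance window.  Added example, not FreeIPA's code."""
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, t0: int = 0, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter T = floor((time - T0) / step).
    `step` is the 'clock interval' an admin can set per token."""
    return hotp(key, (unix_time - t0) // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30,
                back: int = 1, forward: int = 0, digits: int = 6):
    """Accept the current step plus `back` earlier and `forward` later steps
    (RFC 6238 section 5.2 suggests at most one step of skew).
    Returns the matched offset (0 = current, -1 = one elapsed step) or None.
    Note that every extra step accepted also widens an attacker's window."""
    current = (unix_time // step)
    for delta in range(-back, forward + 1):
        if hmac.compare_digest(hotp(key, current + delta, digits), code):
            return delta
    return None


class HotpVerifier:
    """Counter-based verification: no clock is involved, so a delay between
    reading the code and submitting it cannot invalidate it.  The verifier
    tracks the next expected counter and accepts a code up to `look_ahead`
    counters ahead (the user may have generated codes without submitting
    them).  A counter at or behind the last accepted one is a replay and is
    refused, which is what makes HOTP safe without a time window."""

    def __init__(self, key: bytes, look_ahead: int = 5, digits: int = 6):
        self.key = key
        self.look_ahead = look_ahead
        self.digits = digits
        self.next_counter = 0

    def verify(self, code: str) -> bool:
        for counter in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                # Advance past the matched counter; skipped counters are burned too.
                self.next_counter = counter + 1
                return True
        return False


if __name__ == "__main__":
    # Scenario from the thread: the user reads the code at 1111111109 (last
    # second of a 30s step) and submits at 1111111111 (next step).
    code = totp(RFC_TEST_KEY, 1111111109, digits=8)
    print("strict  :", verify_totp(RFC_TEST_KEY, code, 1111111111, back=0, digits=8))
    print("1 back  :", verify_totp(RFC_TEST_KEY, code, 1111111111, back=1, digits=8))
    v = HotpVerifier(RFC_TEST_KEY)
    print("hotp    :", v.verify(hotp(RFC_TEST_KEY, 2)), v.verify(hotp(RFC_TEST_KEY, 2)))
```

With `back=0` the delayed submission is rejected and the user has to retry; with `back=1` the same code is accepted with offset -1. The HOTP verifier accepts the first use of a code within the look-ahead window and rejects its replay, regardless of how much wall-clock time passed. Whether a given IPA server honours an elapsed TOTP step is not settled in the thread, so treat `back` here as a policy knob, not a description of FreeIPA.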