[Freeipa-users] OTP and time step size
Petr Vobornik
pvoborni at redhat.com
Fri Apr 29 11:34:48 UTC 2016
On 04/29/2016 12:37 PM, Prashant Bapat wrote:
> Hi Petr,
>
> Thanks for the response. But my question was more towards the cases where there
> is a slight delay in entering the OTP in the web UI and it reaching the IPA
> server. This actually can happen with ANY time window.
>
> There are couple of scenarios.
>
> 1. Network delays.
> 2. User enters the OTP token and takes a few seconds before pressing submit.
> 3. User has to enter OTP first and then the password. This is the case when
> changing password in IPA at the moment when OTP is on.
Actually, the password change scenario is:
1. old password + otp
2. old password + otp2 + new password + confirm new password
>
> Is there a way to make IPA honor either the current token (obviously!) or 1
> elapsed token?
Actually it may be done this way, but I'm not sure.
>
> This will go a long way in making FreeIPA's OTP implementation much more usable.
Either way, as I said in the previous mail, try HOTP tokens. They don't
use time windows and therefore the above is not an issue.
>
> Thanks.
> --Prashant
>
> On 25 April 2016 at 21:48, Petr Vobornik <pvoborni at redhat.com> wrote:
>
> On 04/22/2016 08:55 AM, Prashant Bapat wrote:
> > Hi,
> >
> > We have been using the OTP feature of FreeIPA extensively for users to login to
> > the web UI. Now we are rolling out an external service using the LDAP
> > authentication based on FreeIPA and OTP.
> >
> > End users typically login rarely to the web UI. Only to update their SSH keys
> > once in 90 days.
> >
> > However to the new service based on FreeIPA's LDAP they would be logging in
> > multiple times daily.
> >
> > Here is an observation: FreeIPA's OTP mechanism is very stringent in requiring
> > the current token to be inside the 30 second window. Because of this there might
> > be a sizable percentage of users who will have to retry login. Obviously, this
> > is a bad user experience.
> >
> > As per the RFC-6238 <http://www.rfc-base.org/txt/rfc-6238.txt> section 5.2, we
> > could allow 1 time step and make the user experience better.
> >
> > Can this be done by changing a config or does it involve a patch/code-change.
> > Any pointers to this appreciated.
> >
> > Thanks.
> > --Prashant
> >
>
> FreeIPA works with both time-based OTP tokens (TOTP) and counter-based
> OTP tokens (HOTP). TOTP uses a 30s time interval by default. An administrator
> can set a custom clock interval during creation of a token, but the
> self-service Web UI doesn't show this option. Users can still use it in
> the CLI, though.
>
> An alternative is HOTP, which doesn't use a time interval, so the UX
> issue is not there. It can also be created in user self-service.
> --
> Petr Vobornik
>
>
--
Petr Vobornik
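The behaviour the thread is about, as an added illustration that is not FreeIPA's own code: RFC 6238 TOTP on top of RFC 4226 HOTP, with a verifier that can accept the current step only (strict) or also one elapsed step, as RFC 6238 section 5.2 allows. The secret is the RFC 6238 reference test key, and the timestamps in `delayed_submission_demo` are constructed to straddle a 30s step boundary.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890"); test data, not a real key.
SECRET = b"12345678901234567890"
TIME_STEP = 30  # FreeIPA's default TOTP interval, as stated in the thread


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(T / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int, step: int = TIME_STEP,
                digits: int = 6, back_steps: int = 0):
    """Accept the current step and up to `back_steps` elapsed steps (RFC 6238 section 5.2).

    Returns the step offset that matched (0 = current, -1 = previous step), or None.
    Every extra accepted step is another code that is valid at this instant, so the
    window should stay as small as the deployment's latency actually requires.
    """
    current = now // step
    for delta in range(back_steps + 1):
        if hmac.compare_digest(hotp(secret, current - delta, digits), submitted):
            return -delta
    return None


def delayed_submission_demo(secret: bytes = SECRET, generated_at: int = 1_000_000_045,
                            delay: int = 10):
    """Code read from the token 5 s before a step boundary, submitted `delay` s later.

    Returns (strict_result, one_step_result): the strict check rejects the code because
    the server is already in the next step; the one-step window accepts it as step -1.
    """
    code = totp(secret, generated_at)
    arrives = generated_at + delay
    strict = verify_totp(secret, code, arrives, back_steps=0)
    lenient = verify_totp(secret, code, arrives, back_steps=1)
    return strict, lenient
```

`hotp` alone is the counter-based scheme Petr recommends instead, where no step boundary exists to be missed.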