[RADIATOR] TOTP clock drift tracking

Heikki Vatiainen hvn at open.com.au
Tue Aug 21 05:17:58 CDT 2012


On 08/20/2012 02:10 PM, Roy Badami wrote:

> Does the RADIATOR TOTP implementation support clock drift tracking in a 
> similar way to the functionality of proprietary tokens (and as briefly 
> described under 'resynchronization' in the TOTP ID/RFC)?

Hello Roy,

the TOTP implementation does not currently support this. This would
require some additional code and the TOTP database table would need an
additional column for storing the per token time +/- adjustment. It
might also be a good idea to make this something that can be turned on
selectively if the token needs it. Per token support would also keep the
server's clock drift from causing problems with all tokens. There might
be other things to consider too.

So support for this would be possible to implement if required and after
some more thought is given to how to exactly do it.

> I'm interested in the low cost TOTP hardware tokens that are now 
> available (such as the Feitian c200, which costs about 10 Euros) as a 
> possible alternative to Vasco tokens, but as with most hardware tokens 
> there is no way to set the clock, so the ability for the server to 
> compensate for clock drift is a requirement.

The default settings allow for 30 second clock drift (DelayWindow 1,
TimeStep 30). I am not aware of reports of clock drift being a
problem, so it would be interesting to hear how well the HW tokens keep
the time.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
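Added example (not Radiator's code, and not part of the original thread): a minimal RFC 6238 TOTP verifier that shows what the two ideas in this message look like side by side. DelayWindow and TimeStep are the Radiator parameter names and default values quoted above (1 and 30); the `TokenRecord` class, its `drift_steps` column and the per-token `track_drift` switch are assumptions standing in for the "additional column" and the "turned on selectively" behaviour Heikki describes. The verifier accepts a code within +/- DelayWindow steps of the server's clock, remembers the step offset it saw when drift tracking is enabled for that token (the RFC's resynchronization), and refuses to accept a code for a time step it has already accepted.

```python
import hmac
import hashlib
import struct

# Radiator defaults quoted in the message: TimeStep 30, DelayWindow 1.
TIME_STEP = 30
DELAY_WINDOW = 1


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(T / step)."""
    return hotp(secret, unix_time // step, digits)


class TokenRecord:
    """Hypothetical per-token row; drift_steps is the extra column Heikki mentions."""

    def __init__(self, secret: bytes, track_drift: bool = False):
        self.secret = secret
        self.track_drift = track_drift   # resynchronisation enabled per token
        self.drift_steps = 0             # learned token-minus-server offset, in steps
        self.last_step = -1              # highest step already accepted (replay guard)


def verify(record: TokenRecord, code: str, now: int,
           step: int = TIME_STEP, delay_window: int = DELAY_WINDOW) -> bool:
    """Check `code` against the server time `now`, allowing +/- delay_window steps
    around the token's learned offset, and update the offset on success."""
    base = now // step + record.drift_steps
    for delta in range(-delay_window, delay_window + 1):
        candidate = base + delta
        if candidate <= record.last_step:
            continue   # a code for this or an earlier step was already used
        if hmac.compare_digest(hotp(record.secret, candidate), code):
            record.last_step = candidate
            if record.track_drift:
                record.drift_steps += delta   # remember where the token really is
            return True
    return False


if __name__ == "__main__":
    # Constructed walk-through with the RFC 6238 test secret; the token's clock
    # is assumed to run 31 seconds ahead of the server's.
    secret = b"12345678901234567890"
    rec = TokenRecord(secret, track_drift=True)
    server_now = 1111111080
    print(verify(rec, totp(secret, server_now + 31), server_now), rec.drift_steps)
```

The window is applied around `base`, not around the raw server step, so once a token's offset has been learned the DelayWindow again covers genuine jitter rather than being spent on the token's accumulated drift; the `last_step` check is what keeps the wider acceptance window from turning into a replay opportunity.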
