[RADIATOR] TOTP clock drift tracking
Roy Badami
roy.badami at roboreus.com
Tue Aug 21 07:33:08 CDT 2012
On 21/08/2012 11:17, Heikki Vatiainen wrote:
> The default settings allow for 30 second clock drift (DelayWindow 1,
> TimeStep 30). I am not aware of reports with clock drift being a
> problem, so it would be interesting to hear how well the HW tokens
> keep the time.

Vasco tokens certainly need this (and RADIATOR supports this - although
it is implemented by the Vasco libraries rather than by RADIATOR
itself). The default parameters in RADIATOR are such as to allow quite
a lot of clock drift - see the ITimeWindow and SyncWindow parameters to
AuthBy SQLDIGIPASS. If you have a Digipass token set up with RADIATOR
you can view the current clock drift for it using "digipass.pl info" - I
seem to recall it was not unusual for tokens to drift by many minutes.

I'm not sure how commonplace TOTP (rather than HOTP) hardware tokens are
at the moment - which might be why you haven't had reports of problems -
but I'd be surprised if they were somehow immune to clock drift. In any
case, we're probably going to go with Digipass GO-6 tokens for our first
batch as they're a known quantity and I'm familiar with using Vasco
tokens with RADIATOR - and we will revisit OAUTH tokens at a later date.

Regards

roy
--
Roy Badami
Roboreus Ltd
Third Floor
The Place
175 High Holborn
London WC1V 7AA
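
Added example, not part of the original message and not RADIATOR or Vasco code: a minimal TOTP verifier that remembers each token's observed drift, so a small acceptance window (the DelayWindow 1, TimeStep 30 quoted above, read here as plus or minus one step) still follows a token whose clock slowly wanders. The class, its parameter names, max_drift_steps and the replay guard are assumptions made for illustration; the key is the RFC 4226 test key.

```python
import hashlib, hmac, struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1); TOTP is HOTP over the time-step counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class DriftTrackingVerifier:
    """Hypothetical verifier that stores each token's drift in time steps."""
    def __init__(self, time_step=30, delay_window=1, max_drift_steps=20):
        self.time_step = time_step
        self.delay_window = delay_window
        self.max_drift_steps = max_drift_steps  # assumed cap on total drift
        self.drift = {}      # token id -> last observed drift, in steps
        self.last_used = {}  # token id -> last accepted counter (replay guard)

    def verify(self, token_id, key, code, now):
        server_step = int(now) // self.time_step
        # Centre the window on where this token's clock was last seen.
        centre = server_step + self.drift.get(token_id, 0)
        window = range(-self.delay_window, self.delay_window + 1)
        for d in sorted(window, key=abs):  # try 0, then -1, +1, ...
            counter = centre + d
            if counter <= self.last_used.get(token_id, -1):
                continue  # code already used, or older than one already used
            if abs(counter - server_step) > self.max_drift_steps:
                continue  # never follow a token further than the cap
            if hmac.compare_digest(hotp(key, counter), code):
                self.last_used[token_id] = counter
                self.drift[token_id] = counter - server_step
                return True
        return False

def demo():
    key = b"12345678901234567890"  # RFC 4226 test key; times below are constructed
    v = DriftTrackingVerifier()
    # Token is 1 step slow at server step 5, then 2 steps slow at server step 8.
    first = v.verify("t1", key, hotp(key, 4), now=150)
    second = v.verify("t1", key, hotp(key, 6), now=240)
    # A verifier with no stored drift rejects the same second code.
    stateless = DriftTrackingVerifier().verify("t1", key, hotp(key, 6), now=240)
    return first, second, stateless, v.drift["t1"]

if __name__ == "__main__":
    print(demo())
```

The stored drift only moves by at most delay_window steps per successful login, so a token left unused for long enough to drift further than that still needs a manual resynchronisation.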