Re: [privacyidea] Problem changing Default Time Step in TOTP token


Cornelius Kölbel

Aug 25, 2016, 5:54:04 AM
to priva...@googlegroups.com
OK, folks.
That is easy.
Changing the defaultTimeStep after enrolling the token?

I guess there are at least 10 others out there, who can explain this! ;-)

On Thursday, 25.08.2016, 02:51 -0700, Luis Gerardo wrote:
> Hi,
>
>
> I need to change the validity time of a TOTP token from 30 seconds to
> 60. To do this I went to Config -> TOTP Token Settings and I changed
> the Default Time Step to a value of 60 but now the codes never
> expire!!
>
>
> The Default Time Window is 180 and the Default Time Shift is 0.
>
>
> Does anyone know what I'm doing wrong?
>
>
> Thanks,
> Luis
>
>
>
>
> --
> Please read the blog post about getting help
> https://www.privacyidea.org/getting-help/.
>
> For professional services and consultancy regarding two factor
> authentication please visit
> https://netknights.it/en/leistungen/one-time-services/
>
> In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
> which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
> https://netknights.it/en/leistungen/service-level-agreements/
> ---
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> Visit this group at https://groups.google.com/group/privacyidea.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/039c47c0-52de-46ca-bb5f-38f7ed07088d%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



simv...@gmail.com

Aug 25, 2016, 6:08:09 AM
to privacyidea


On Thursday, August 25, 2016 at 11:54:04 AM UTC+2, Cornelius Kölbel wrote:
> OK, folks.
> That is easy.
> Changing the defaultTimeStep after enrolling the token?
>
> I guess there are at least 10 others out there, who can explain this! ;-)


If it's possible to change the TimeStep for a generated token from the server (privacyIDEA), the client (for example Google Authenticator) will also need to know this time/period to generate/verify/authenticate the token. Right?

 

Cornelius Kölbel

Aug 25, 2016, 6:38:16 AM
to priva...@googlegroups.com
Hi Luis,
Sim is right. And in addition, if you change the defaultTimeStep, this
has no effect on the token. You need to change this in the token
details.
Also note: The timestep does not tell how long the OTP value is valid!
Kind regards
Cornelius

Cornelius Kölbel

Aug 25, 2016, 6:55:51 AM
to priva...@googlegroups.com
Please really improve your questioning!

What do you mean "The code don't expire"? F***** guessing here.
I am GUESSING you enrolled an HOTP token!

Are you using an App or a hardware TOTP token?

Kind regards
Cornelius

On Thursday, 25.08.2016, 03:49 -0700, Luis Gerardo wrote:
> Hi Cornelius,
>
>
> I changed the defaultTimeStep to 60. After that I enrolled a
> new token but it ignored the 60 seconds. When I set defaultTimeStep to 30
> seconds again and I enrolled a new token the codes don't expire. And I
> don't know what is happening :(
>
> On Thursday, August 25, 2016, 11:54:04 (UTC+2), Cornelius Kölbel
> wrote:

Cornelius Kölbel

Aug 25, 2016, 4:46:55 PM
to priva...@googlegroups.com
Works as expected.
The default timewindow is imho 180 seconds.

I.e. system looks 180secs before and after to cope with drifting clocks.
I.e. if you wait 90secs, this looks like the clock of your totp token
would be late 90secs. Look at the token's timeShift!

On Thursday, 25.08.2016, 10:16 -0700, Luis Gerardo wrote:
> I am using the FreeOTP app.
>
>
> When I say "The code don't expire" I mean that I never get a "wrong
> otp value" when I use an OTP from the app, despite waiting 90 seconds
> or more. I only get this error if I try to use it more than once.
>
> On Thursday, August 25, 2016, 12:55:51 (UTC+2), Cornelius Kölbel
> wrote:
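
The difference between time step and time window described in the message above, as an added example that is not part of the thread and is not privacyIDEA's code. It is a minimal RFC 6238 verifier; the `Verifier` class, its `check` method, the secret and the timestamp are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238: the counter is the number of whole steps since the epoch."""
    return hotp(secret, unix_time // step)

class Verifier:
    """Hypothetical server-side check (not privacyIDEA's implementation)."""
    def __init__(self, secret, step=30, window=180):
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1  # highest counter already accepted

    def check(self, otp: str, now: int):
        """Return the clock offset in seconds on success, None on failure."""
        centre = now // self.step
        span = self.window // self.step  # steps searched before and after
        for counter in range(centre - span, centre + span + 1):
            if counter <= self.last_counter:
                continue  # already used or older: a replayed code is refused
            if hmac.compare_digest(hotp(self.secret, counter), otp):
                self.last_counter = counter
                return (counter - centre) * self.step
        return None

SECRET = b"12345678901234567890"  # RFC 6238 test secret, not a real key
T0 = 1_472_140_800                # constructed timestamp, a multiple of 30

def demo():
    v = Verifier(SECRET, step=30, window=180)
    otp = totp(SECRET, T0)                           # code shown at T0
    first = v.check(otp, T0 + 90)                    # typed in 90 s later
    replay = v.check(otp, T0 + 95)                   # same code a second time
    too_old = Verifier(SECRET).check(otp, T0 + 240)  # outside the window
    return first, replay, too_old

if __name__ == "__main__":
    print(demo())
```

In this model a 180-second window with a 30-second step means 13 candidate counters are tried per attempt, so the window, not the step, decides how long a displayed code remains acceptable.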

Cornelius Kölbel

Aug 26, 2016, 6:17:34 AM
to priva...@googlegroups.com
I understand your expectations.

But there are too many parameters missing. In my opinion the behaviour
is right - since RFC6238 implementation is right. But I can not explain
to you WHY this is happening (due to missing parameters).
And I am not born into this world to request every single parameter one
by one here to explain this behaviour.

You may take a look at the tests.
https://github.com/privacyidea/privacyidea/blob/master/tests/test_lib_tokens_totp.py
If you are convinced the behaviour is wrong, please add a corresponding
test.

Kind regards
Cornelius


On Friday, 26.08.2016, 02:58 -0700, Luis Gerardo wrote:
> Hi Cornelius,
>
>
> I've made the test below:
>
>
> 1. I enroll a token with timeStep: 30 and timeWindow: 120 (so, the otp
> is valid for 120 seconds, and in this time 4 otps will be generated.
> Is it?)
> 2. I wait until I have 5 different OTPs
> 3. I test the token with the first otp I get and I get a success with
> a timeShift of -280
>
>
> I don't understand these results. It would fail the test. Does it make
> sense?
>
>
> Kind regards
> Luis
>
> On Thursday, August 25, 2016, 22:46:55 (UTC+2), Cornelius Kölbel
> wrote: