Can I use an OTP for a token twice in the normal time window?

Dear all,

For an application I need to use the OTP token which is entered by the user twice within the specified time window of 30 seconds. Is this possible, and how?

Best, Tobias

This is evil. Do not do this.

You can do this using the correct policy to allow the OTP value to be used again. I currently can not recall it. I do not link it, since you should not do this :wink:

Can you explain the authentication workflow, why is the user being required to do this?

@cornelinux thanks for the tip with the policy. This helped me to solve it.

@wwalker thanks for your question. We have a service called “ThinLinc” for Remote Desktop access. ThinLinc works via SSH. You log on to the broker/gateway with your credentials and an additional OTP, then this connection is redirected to the Linux worker machine; during the redirection it uses the same credentials for the login to this machine via SSH. So if I enable OTP on the ThinLinc gateway, I have to activate OTP on the Linux desktops too. And then I need to use the same OTP value again on the Linux desktops as on the ThinLinc gateway.

We solved it with a policy, and the usage of the same OTP value is only allowed for a very small window and only in this realm. So the “hole” should not be too big.

Best, Tobias


Dear @cornelinux,
Dear all,

I have a problem: if the policy is active, it takes around 10-15 seconds until the SSH login is done. If I disable this policy, it is as fast as normal and I am logged in within 1 second.

Scope: Authentication
condition: user realm, user-resolver, Client IPs
action: auth_cache: 5s

I cannot find any different log messages whether the policy is active or not. Any hints?

Hmm… I have an idea of my own, but please clarify it for me.
There is a table “authcache” in the MySQL database. In this table I found 183 rows, most of the entries with my user. After deleting all the content of this table, the login is much faster. Not 1 second, but much faster than 10 seconds.

I read on this site that it is preferred to delete this table periodically: 7.3. Authentication policies — privacyIDEA 3.6 documentation

Maybe the problem is that there were 160 credentials with my user and that all these credentials are tried to check whether they can be used a second time? I will clean up the table periodically now.

Best, Tobias

I wouldn’t think that’s occurring as the page says:

The same note also says it would be a good idea to create a cron job to automatically clean up the table for you. So I think you're on the right path for managing that table.

Just to clarify things: for security reasons we use argon2 to hash the cached credentials which takes quite some time when verifying several entries in the cache.