HOTP token seems out of sync

Hi,

I have enrolled the Windows Credential Provider on my Windows 10 machine and set it up to use HOTP during remote desktop sessions. This worked for some time without any problems, but for a few weeks it has increasingly been rejecting my HOTP tokens. It takes me at least 4-5 new tokens before a token is accepted, and when it is not I either get the message that the OTP token is invalid or that the token is a previous token. It seems that it somehow got out of sync. Testing the current token in the privacyIDEA web GUI also rejects the token. My authenticator is the Android app ‘Authenticator Pro’ and it has no issues with any other token it has to provide to other services. I checked the date/time on all involved devices and they are all in sync.

Any thoughts?

Regards,
Ge

I found the expected token number on the server vs the token number on my phone. They are indeed out of sync, but I also got an idea as to why. Because I want to be certain that I can always log in to my RDP PC (as it is my main management computer for our network) and I don’t want to be locked out if privacyIDEA is not working (for any reason), I have set up the offline file on my PC. Once the offline file has to be refilled, the token number on the server increments by the number of refilled offline tokens in my local offline file. In my case I set 5 in the offline_threshold registry setting. So once my offline file is refilled, the server increments the expected token number by 5. Somehow the offline file is not used if the PC has a working connection to the privacyIDEA server, so my phone code number is behind by about 5 codes, because the server expects the code to be 5 numbers ahead!

Can I resolve this situation, as I need to have offline codes, but also need to be able to log in when the server is available?

Intended behaviour.

Read carefully 11. Machines — privacyIDEA 3.8 documentation

If this is the intended behaviour, then that implies that whenever offline tokens are used, you are unable to log in if the computer is connected to the privacyIDEA server before all tokens in the offline file are consumed. I.e. a laptop with 5 newly distributed offline tokens has been disconnected from the network, you log in once at home, the next day you connect to the network and now the privacyIDEA server is 4 tokens ahead of your phone authenticator… This makes it difficult to use: suppose I did not count how many offline codes I used, then I don’t know exactly how many tokens I must skip on my phone before one is accepted by the server. It would be more practical if, whenever offline tokens are used, they are consumed first regardless of a connection to the privacyIDEA server before the server starts authenticating tokens. Currently the privacyIDEA server takes precedence…

Regards,
Ge

An offline OTP token is supposed to not be used in an online scenario. An authentication against privacyIDEA must not work! Otherwise this would be a huge attack vector.

Hello Cornelinux,

I still don’t understand your reply ‘An authentication against privacyIDEA must not work’… Why not? You would still need a valid HOTP code to be able to log on, whether that is checked in the local file (offline) or on the privacyIDEA server (when online).

In your reply you state that the HOTP is to be used with offline authentication only, but what happens if you have, say, 10 keys in your offline file, and after 3 offline logins you connect to your network? In that case your HOTP token will again be incremented by the configured number of offline tokens (in this case 10) and the user has the same out-of-sync problem, because now the authenticator is behind by about 7 codes. Is this then also the intended behaviour?

Regards,
Ge

Yes, it is.

(We have to get rid of the 20 chars limit)

Then how can this be used in the first place, if it is completely unclear to a user which code should be used? This makes the whole OTP principle unusable…

Well, somehow I managed to get the configuration set up correctly, because now it functions as it is supposed to. The local file containing the offline tokens is now read before the token is checked against the online server. Perhaps it was my local registry settings. To be clear, the following now applies:

  • The token on the server has a ‘count’ of 10 (offline tokens)
  • In the local registry, the ‘offline_threshold’ is set to 1

Now at first logon, the local file is filled with 10 tokens, and they are consumed whenever I log on. When the number of remaining tokens reaches 0, the server is queried for 10 new tokens (and the token counter on the server is incremented by 10) and the new tokens are saved in the local file, starting the process of consuming local tokens again.

Regards,
Ge

Hi,
the offline_threshold is 20 by default, as the default count for the server is 100, so if you use a count that low, you need to adjust the threshold like you did.
It is also true that the HOTP token is not very well suited for offline use, because it makes it unusable for online authentication (in most cases, and also in the case of using our default values).
In the upcoming version, WebAuthn tokens will be usable offline and they do not have these problems, so you might want to check that out.

As @nilsbehlen pointed out, HOTP is not invented for offline authentication. So if one wants to use it for offline, it comes with drawbacks.

By technical design an HOTP token is not usable online (as in authentication against the privacyIDEA server) anymore once you start using it for offline authentication. I thought this was clear from the documentation.

It would be great and helpful also for others if you could tell us at which point of the docs you were missing this information. By telling us this you could give something back to the project and the community. Thanks a lot!

Perhaps I’m going at it the wrong way, but as far as I understand, when using your product to have MS RDP sessions using OTP, the only possible solution is using HOTP tokens. As a matter of fact I don’t even want to use the tokens offline by default, but that seems to be the result of using HOTP tokens. So I tried to get it to work in a situation where I normally have a connection to the OTP server (online), but also need an escape if the RDP server I’m connecting to remotely is unable to validate online due to a network error. The reason I want to connect to this RDP server is the fact that at that moment there is a network error and this server has a different internet connection as a means of doing emergency network/system repair. As you discourage the use of HOTP, should I then use a different approach to the RDP OTP solution?

Regards,
Ge

I did find it hard to find information about the Token Details webpage concerning the machine the token is attached to. I cannot find what the ‘Rounds’ option means, but I deduced that it is the complexity of the salted SHA512-hashed tokens sent to the offline file.

Regards,
Ge


That is not correct. You can use the privacyIDEA Credential Provider with basically all token types. Even PUSH.
Note that you need a subscription for using the Credential Provider if you have more than 50 users.

You do not need to attach machines.

At which place would you have liked to find more information?
We have basically written down everything. But usually people do not find it. So I am asking where you would expect it.
Thanks.