Timeshift on only a few TOTP tokens

Hi!

We’ve been using PI for several years now, but over the past few months, we’ve had a couple of users, myself being one, complain about TOTP tokens that stop working. In the PI logs, you see “bad totp token”.

The users that have the issue connect every day, sometimes multiple times a day. A new token will work fine for a few weeks to a month, then stop working.

Looking at a currently affected user, I just noticed that the timeshift on the token is -410.

  • timeStep: 30
  • timeWindow: 180

Clearly this is a symptom of clock drift, correct? But now I’m wondering how. We both have been using Authy as the client. The TOTP servers and ADFS servers all have their clocks synced from Active Directory, which is synced to an internet time source.

Both the computers and the phones that the token client is installed on (as it’s Authy, they are in sync on the phone and computer) are synced with internet time sources.

Is there something I’m missing here? With all devices synced, how can the timeshift get off by 410 seconds?

Is there any troubleshooting we can do in the moment to see what could be causing this?

Thanks!

Yes.

Now my guessing starts!

Obviously the time of the smartphone got wrong over time.

If the timeshift is -410 seconds, then privacyIDEA assumes that the clock of the TOTP token is off by 410 seconds. Thus privacyIDEA will check OTP values in a time window of 180 seconds, off by 410 seconds.

If the time of the smartphone is then corrected again, then privacyIDEA will check the OTP value in a time window off by 410 secs. But the smartphone calculated the OTP value based on the correct time. This way it will fail.

Manage the time of your smartphone in a reliable way!

There are multiple problems here.

All cell phones are synced to the cell provider network automatically.

My laptop is synced to internet time and an NTP strip graph shows no appreciable drift.

I have stored the token in multiple locations, Authy, 1Password, etc, none are ever off. They are all identical.

I do not feel like this is a time issue on the client devices, unfortunately.

The tokens can stop working within a week or after a few weeks.

I would resync the TOTP token and search from there what happens with the token.

  1. record settings after enrollment
  2. record settings in case of fail
  3. record settings after resync
  4. compare and think

Thanks -

So I have the same token on two devices, my cell and my laptop, two different apps (not that it matters). They both are 100% lock step in sync. If it was a time drift issue, the two devices would show different tokens at the same time correct? Since we’ve had this issue, I have both devices and both apps open at the same time when authenticating to rule that out.

Also, why would the timeshift be off immediately after a resync?

I have both the server and my client using the same public time server, both are completely in sync. However when I sync my token, I get a timeshift value (7.74954390526). I would think it would be almost nonexistent since they are based off the exact same clock values.

Also, I can’t get some tokens to resync (-410 timeshift). The Sync Window is 1000 and the count_auth is only 67. It doesn’t seem like it should not be able to resync within that period.
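The mechanics discussed in the replies above (a per-token timeshift that the server learns from successful logins, a 180-second timeWindow applied around the corrected time, and a two-OTP resync searched over the sync window) as an added, simplified model in Python. This is not privacyIDEA’s code and does not claim to reproduce its exact algorithm: the `TokenRecord` class, its `verify`/`resync` methods, the constructed timestamps and the use of the RFC 6238 test key as the seed are all assumptions made for the demonstration. The timeStep, timeWindow and Sync Window values are the ones quoted in this thread. It shows three things: a phone that slowly drifts 410 seconds behind while logging in every day keeps working, because the server tracks the drift one step at a time; once the phone’s clock is corrected, the server still applies the stale -410 offset and rejects an OTP computed from the correct time; and a resync with two consecutive OTPs recovers, but the offset it learns is quantized to the 30-second step, so in this model a non-zero shift after a resync between perfectly synced clocks is expected rather than a sign of drift.

```python
import hashlib
import hmac
import struct

# Values quoted in the thread: 30-second steps, a 180-second validation window
# and a sync window of 1000 steps. The seed is the RFC 6238 test key, a
# constructed sample rather than any real user's secret.
TIME_STEP = 30
TIME_WINDOW = 180
SYNC_WINDOW = 1000
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, step=TIME_STEP):
    """RFC 6238 TOTP: HOTP over the time-step counter of the *client's* clock."""
    return hotp(secret, int(unix_time) // step)


class TokenRecord:
    """Hypothetical server-side state for one token: the learned clock offset."""

    def __init__(self):
        self.timeshift = 0.0  # seconds the token clock is believed to be off

    def verify(self, otp, server_now):
        """Accept an OTP whose counter lies within TIME_WINDOW seconds around the
        server time corrected by the stored shift. On success, re-learn the shift
        from the counter that matched (this is what lets the shift creep)."""
        expected_time = server_now + self.timeshift
        half = TIME_WINDOW // 2
        first = int(expected_time - half) // TIME_STEP
        last = int(expected_time + half) // TIME_STEP
        for counter in range(first, last + 1):
            if hmac.compare_digest(hotp(SECRET, counter), otp):
                # The client clock appears to read counter*TIME_STEP; store the offset.
                self.timeshift = counter * TIME_STEP - server_now
                return True
        return False

    def resync(self, otp1, otp2, server_now):
        """Resync with two consecutive OTPs: search SYNC_WINDOW steps either side
        of the uncorrected server time for a consecutive pair and reset the shift."""
        centre = int(server_now) // TIME_STEP
        for counter in range(centre - SYNC_WINDOW, centre + SYNC_WINDOW):
            if (hmac.compare_digest(hotp(SECRET, counter), otp1)
                    and hmac.compare_digest(hotp(SECRET, counter + 1), otp2)):
                self.timeshift = (counter + 1) * TIME_STEP - server_now
                return True
        return False


def drift_then_correct(drift_seconds=-410, days=60):
    """The phone drifts linearly to drift_seconds behind true time while the user
    logs in once a day; then the phone clock is fixed. Returns the shift the
    server has learned and whether the first OTP after the fix is accepted."""
    rec = TokenRecord()
    t0 = 1_700_000_000  # constructed start time
    for day in range(1, days + 1):
        server_now = t0 + day * 86400
        phone_now = server_now + drift_seconds * day / days
        if not rec.verify(totp(SECRET, phone_now), server_now):
            raise RuntimeError(f"login on day {day} unexpectedly rejected")
    learned = rec.timeshift
    # Phone clock corrected; the server still trusts the learned offset.
    server_now = t0 + (days + 1) * 86400
    accepted_after_fix = rec.verify(totp(SECRET, server_now), server_now)
    return learned, accepted_after_fix


def resync_after_fix(stale_shift=-410):
    """Server still holds the stale shift, phone clock is now exactly right.
    Returns (accepted before resync, resync ok, learned shift, accepted after)."""
    rec = TokenRecord()
    rec.timeshift = stale_shift
    server_now = 1_700_000_000  # constructed; both clocks agree exactly
    otp1 = totp(SECRET, server_now - TIME_STEP)  # previous step
    otp2 = totp(SECRET, server_now)              # current step
    accepted_before = rec.verify(otp2, server_now)
    ok = rec.resync(otp1, otp2, server_now)
    accepted_after = rec.verify(otp2, server_now)
    return accepted_before, ok, rec.timeshift, accepted_after


if __name__ == "__main__":
    print("drift then correct:", drift_then_correct())   # (-410, False)
    print("resync after fix:", resync_after_fix())       # (False, True, -20, True)
```

Two points a troubleshooter can take from the model: a token that authenticates successfully every day can carry a large learned shift without any failure being visible, because each login is judged against the previous shift, not against true time; and the quantity to record at enrollment, at failure and after resync is exactly that stored shift, since comparing it with the phone’s real clock offset tells you whether the drift happened on the device or in the server’s record.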

I think we are turning in circles and you do not understand TOTP in depth.

This thread does not look like it is addressing the problem in an analytic way, so I can not continue helping here.