TOTP Soft-Tokens resync

mb2m · December 7, 2018, 1:54pm

Hi everyone,

we are using privacyIDEA to enroll TOTP Soft-Tokens for the user’s smartphones and are wondering whether we need to support something like a “Next-Token-Mode” in our environment.

Can a TOTP-Token only get out of sync when the clocks of either the server or the smartphone are wrong or is there another situation when this can occur?
Does the REST-API (/validate/check) respond with an out-of-sync-message when privacyIDEA realizes that the token has to be resynced?

Thanks a lot and best wishes

Michael

cornelinux · December 9, 2018, 9:01am

If a user always enters the OTP value “a bit too late”, then the token could also get out of sync.

privacyIDEA responds with a “wrong OTP value”. For performace reason privacyIDEA only checks the OTP values within the defined window. So it can not know, if the OTP value is completely wrong or if it would occur somewhere within the next few hours.

You might want to take a look at the autoresync function.