Wrong otp value

I configured TOTP to run with LDAP proxy authentication.Everything was working wel until two days ago. One of the users was unable to authenticate and got this error (see below):
[2020-03-10 08:30:39,961][31771][139844622030592][ERROR][privacyidea.lib.auditmodules.sqlaudit:241] DATA: {‘info’: ‘wrong otp value’, ‘realm’: u’com1’, ‘tokentype’: None, ‘success’: False, ‘privacyidea_server’: ‘127.0.0.1’, ‘client_user_agent’: None, ‘client’: ‘127.0.0.1’, ‘user’: u’ellen’, ‘resolver’: u’COM1’, ‘action_detail’: ‘’, ‘action’: ‘POST /validate/check’, ‘serial’: None}

Those are the TOTP token settings:
Default Time Step: 30
Time Window: 180
Default time shift: 0
Hash: sha1

The only thing i noticed was that the timeshift was 300. I solved this issue with removing the token and enrolling a new one
[2020-03-10 08:50:58,308][31771][139844571674368][ERROR][privacyidea.lib.auditmodules.sqlaudit:241] DATA: {‘info’: ‘matching 1 tokens’, ‘realm’: u’com1’, ‘tokentype’: u’totp’, ‘success’: True, ‘privacyidea_server’: ‘127.0.0.1’, ‘client_user_agent’: None, ‘client’: ‘127.0.0.1’, ‘user’: u’ellen’, ‘resolver’: u’COM1’, ‘action_detail’: ‘’, ‘action’: ‘POST /validate/check’, ‘serial’: u’TOTP004116E1’}

The TOTP token could get slowly out of sync by user laziness or clock time drift.
If then the clock get reset, the token is out of sync and you need to manually resync.

Hi cornel,

Thank you for the answer. Is there any way to avoid this, because this happened also to another user?

  1. Keep accurate time on PI server and devices.
  2. Allow bigger “window”, e.g. plus/minus a minute
  3. Use other tokens.

Hi,

I was using CP 3.1.2 since few months for testing and it was working fine. I decided to install newer version 3.2.0 (3b60f96) that should fix many problem.

Sinc I installed this version, I’m still able to log a Windows Session… but after typing my username and password, before typing the TOTP password, I can see in the window “Wrong otp value”.

I can type my TOTP password and I can open the Windows session.

This error message is abnormal and false. Please fix it in a newer version !