Why Correct Windows Server Time Settings Are Critical for TOTP Authentication
Applies To
- SurePassID Authentication Server
- Environments using TOTP-based MFA (Google Authenticator, Microsoft Authenticator, SurePassID mobile app, hardware tokens)
- Windows Server (all supported versions)
Overview
Time-based One-Time Passwords (TOTP) rely on precise time synchronization between the authentication server and the user’s authenticator device.
If the Windows Server hosting the SurePassID Authentication Server has incorrect system time, time zone, or daylight saving time (DST) settings, valid MFA codes may be rejected.
Even small time differences can cause authentication failures.
This article explains why accurate Windows time configuration is essential when using TOTP with SurePassID.
How TOTP Authentication Works
TOTP codes are generated using:
- A shared secret between the server and the user’s authenticator
- The current time
- A short validity window (typically 30 seconds)
For authentication to succeed, the SurePassID Authentication Server and the user’s device must agree closely on the current time. If the server’s time calculation differs from the user’s device, the generated codes will not match, and authentication will fail.
Why Time Zone and DST Matter
Although TOTP uses UTC internally, Windows derives UTC from the local time configuration: the local clock value combined with the selected time zone and its DST rule. If the displayed local time looks right but the time zone or DST setting is wrong, the UTC value the server feeds into the TOTP calculation is off by exactly that offset error.
Common configuration problems include:
- Incorrect time zone selected
- Using a similar but incorrect time zone (for example, “Arizona” instead of “Pacific Time (US & Canada)”)
- Daylight Saving Time enabled or disabled incorrectly
- Servers left on UTC unintentionally
- Manual time changes instead of proper synchronization
DST-related misconfigurations are a frequent cause of MFA failures immediately after seasonal clock changes.
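To make the two sections above concrete, the following Python is an added example (not SurePassID code and not part of the original article). It implements RFC 6238 TOTP from the standard library and then simulates what the server sees when its clock is offset from the user's device: a few seconds of drift inside the tolerance window, drift just outside it, and a one-hour error of the kind a wrong time zone or DST setting produces. The secret is the RFC 6238 reference test key, the timestamp and offsets are constructed, and the ±1-step tolerance is an assumed server policy, not SurePassID's configured value.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # validity window named in the article
DIGITS = 6

# Shared secret for the demonstration: the RFC 6238 reference test key.
# A real authenticator secret is per-user and must never be hard-coded.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the HOTP counter is the number of whole steps since the Unix epoch."""
    return hotp(secret, unix_time // step)


def step_skew(device_time: int, server_time: int, step: int = STEP_SECONDS) -> int:
    """How many 30-second steps the server's counter is away from the device's."""
    return server_time // step - device_time // step


def verify(secret: bytes, code: str, server_time: int, tolerance_steps: int = 1) -> bool:
    """Server-side check. tolerance_steps=1 (accept the previous/next step as well)
    is an assumed policy for this demo, not SurePassID's configured tolerance."""
    current = server_time // STEP_SECONDS
    candidates = [hotp(secret, current + d) for d in range(-tolerance_steps, tolerance_steps + 1)]
    return any(hmac.compare_digest(c, code) for c in candidates)


def simulate(secret: bytes, device_time: int, server_offset_seconds: int) -> bool:
    """The user's device generates a code at device_time; the server validates it
    with its own clock running server_offset_seconds ahead (+) or behind (-)."""
    code = totp(secret, device_time)
    return verify(secret, code, device_time + server_offset_seconds)


if __name__ == "__main__":
    device_time = 1_700_000_000   # constructed timestamp, 20 s into a 30 s step
    scenarios = {
        "clocks agree": 0,
        "20 s drift (within tolerance)": 20,
        "45 s drift (beyond tolerance)": 45,
        "server 1 h ahead (DST / time zone error)": 3600,
        "server 1 h behind (DST / time zone error)": -3600,
    }
    for label, offset in scenarios.items():
        skew = step_skew(device_time, device_time + offset)
        result = "accepted" if simulate(DEMO_SECRET, device_time, offset) else "REJECTED"
        print(f"{label:45} step skew {skew:+4d}  -> {result}")
```

The one-hour cases are 120 steps away from the device's counter, so no realistic tolerance window rescues them, which is why a DST or time zone mistake fails every user at once while ordinary drift of a few seconds usually goes unnoticed until it accumulates past the window.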
Common Symptoms of Time Configuration Issues
Customers often report:
- MFA works intermittently
- MFA works for some users but not others
- MFA failures started after a DST change
- MFA failures after restoring a VM snapshot or backup
- MFA works on mobile devices but consistently fails server-side
In most cases, these issues trace back to incorrect server time configuration.
Time Synchronization (NTP) Is Required
In addition to having the correct time and time zone, the server must remain synchronized with a reliable time source. Where network time synchronization is not possible (for example, in air-gapped environments), the clock must be checked and corrected manually on a regular schedule.
Best practices:
- Domain-joined servers should synchronize time from the domain hierarchy
- Non-domain servers should synchronize with an external NTP source
- The Windows Time service (W32Time) should be running and healthy
If time synchronization is not functioning, clock drift will occur over time and eventually cause TOTP authentication failures.
Microsoft documentation:
https://learn.microsoft.com/windows-server/networking/windows-time-service/Windows-Time-Service-Tools-and-Settings
Virtual Machines Require Extra Attention
Virtual machines are more prone to time drift due to:
- Host pause and resume
- Snapshots and restores
- Live migration
- Hypervisor time handling differences
After restoring or migrating a VM that hosts the SurePassID Authentication Server, administrators should always verify:
- System time
- Time zone
- DST behavior
- Active time synchronization
Recommended Verification Checklist
On the SurePassID Authentication Server, confirm the following:
- The system clock shows the correct current time
- The correct geographic time zone is selected
- Daylight Saving Time behavior matches your region
- Time synchronization is enabled and functioning
- Time was not manually adjusted to compensate for drift
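As an added example for the synchronization section and the checklist above (not part of the original article and not SurePassID tooling), this Python script reads the text output of `w32tm /query /status` and flags the conditions that mean the Windows Time service is not actually synchronizing. The two status blocks are constructed samples in the English output format, with an invented host name, IP address and timestamp; the script name `check_w32time.py` in the comment is hypothetical. On a real server you would pipe the live command output into it instead.

```python
import sys

# Constructed sample of `w32tm /query /status` (English locale) from a healthy
# domain-joined server; host name, IP address and timestamp are invented.
HEALTHY_STATUS = """\
Leap Indicator: 0(no warning)
Stratum: 4 (secondary reference - syncd by (S)NTP)
Precision: -23 (119.209ns per tick)
Root Delay: 0.0312500s
Root Dispersion: 0.0812345s
ReferenceId: 0x0A000001 (source IP:  10.0.0.1)
Last Successful Sync Time: 1/15/2025 10:05:32 AM
Source: dc01.example.local
Poll Interval: 10 (1024s)
"""

# Constructed sample from a server that has never synchronized and is running
# on its local hardware clock (the state often seen after a VM restore or when
# W32Time is misconfigured).
UNSYNCED_STATUS = """\
Leap Indicator: 3(not synchronized)
Stratum: 0 (unspecified)
Precision: -23 (119.209ns per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x00000000 (unspecified)
Last Successful Sync Time: unspecified
Source: Local CMOS Clock
Poll Interval: 6 (64s)
"""

# Source values that mean "no external reference at all".
LOCAL_SOURCES = ("Local CMOS Clock", "Free-running System Clock")


def parse_status(text: str) -> dict:
    """Split 'Key: value' lines into a dict; the first colon separates key from value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess_w32time(text: str) -> list:
    """Return findings that indicate the server is not synchronized; empty means healthy."""
    f = parse_status(text)
    findings = []
    if f.get("Leap Indicator", "").startswith("3"):
        findings.append("Leap Indicator 3: W32Time reports the clock as not synchronized")
    if f.get("Stratum", "").startswith("0"):
        findings.append("Stratum 0: no upstream time source is being used")
    source = f.get("Source", "")
    if source in LOCAL_SOURCES:
        findings.append(f"Source '{source}': not syncing from the domain hierarchy or an NTP server")
    if f.get("Last Successful Sync Time", "unspecified") == "unspecified":
        findings.append("Last Successful Sync Time unspecified: no sync since the service started")
    return findings


if __name__ == "__main__":
    # With real output: w32tm /query /status | python check_w32time.py
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    if text:
        samples = {"stdin": text}
    else:
        samples = {"healthy sample": HEALTHY_STATUS, "unsynced sample": UNSYNCED_STATUS}
    for name, status in samples.items():
        findings = assess_w32time(status)
        print(f"{name}: {'OK' if not findings else 'PROBLEM'}")
        for item in findings:
            print("  -", item)
```

A server that passes this check still needs the time zone and DST items from the checklist confirmed separately, because W32Time only governs the UTC clock; a wrong zone leaves the service reporting healthy while the local time, and therefore the UTC value derived from it, is an hour off.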
Additional Reference Material
Understanding TOTP time drift and clock tolerance:
https://www.token2.net/site/page/understanding-time-drift-in-classic-totp-tokens
Need Assistance?
If you suspect time-related issues impacting TOTP authentication and are unsure how to safely validate or correct your server configuration, contact SurePassID Support before making changes in a production environment.