TOTP (Time-based One-Time Password) tokens require synchronization to ensure precise time alignment between the client device—such as a mobile phone or hardware token—and the authentication server. SurePassID delivers advanced solutions to proactively mitigate time drift and offers effective tools for realignment should time discrepancies arise.
Why TOTP Tokens Need Syncing
TOTP (Time-based One-Time Password) tokens sometimes need to be synced because they rely on accurate time alignment between the client device (like a phone or hardware token) and the authentication server.
- Clock Drift: Over time, the internal clock of a device or hardware token can drift slightly from the actual time. Even a few seconds of difference can cause the generated OTP to be invalid. Clock drift occurs most frequently on hardware tokens. Several factors can contribute to clock drift in hardware tokens, with the most common being exposure to extreme temperatures, extended periods of inactivity, and minor manufacturing variances in the real-time clock or crystal components.
- Time-Based Calculation: TOTP uses the current time as a moving factor in its algorithm. If the client and server don’t agree on the time, the one-time password won’t match.
How Syncing Works
- Allowable Clock Drift: For each TOTP token, SurePassID enables you to configure the allowable clock drift window in specific time units (for example, setting a drift window of 5 intervals for 30-second OTPs permits the device’s clock to be up to 150 seconds ahead or behind the current server time). This flexibility helps accommodate minor clock discrepancies between devices and the authentication server.
- Advanced Drift Detection and Correction: SurePassID incorporates advanced drift correction algorithms that enable the system to automatically recalibrate acceptable drift thresholds based on defined parameters.
- Server Time: Servers maintain accurate system time using the Network Time Protocol (NTP), which is essential for proper coordination with hardware tokens.
- Manual Sync: In some cases, the system may be unable to automatically synchronize a hardware token, requiring you to perform a manual sync to restore its functionality.
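To make the allowable-drift window concrete, here is a generic RFC 6238 verifier that accepts a code only if it matches an interval within the configured window and reports how far the token's clock is off. It is an added example, not SurePassID's code; the function names, the `last_counter` replay guard and the sample secret are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per OTP interval, matching the 30-second example above
SAMPLE_SECRET = b"12345678901234567890"  # constructed: RFC 4226 test secret


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226/6238 code for one time-step counter (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret, otp, server_time, drift_window, last_counter=-1):
    """Return the matched drift in intervals, or None if nothing matches.

    drift_window: allowable drift, in intervals, either side of server time.
    last_counter: highest interval already accepted (assumed replay guard).
    """
    now = int(server_time) // STEP
    # Check the server's own interval first, then widen: -1, +1, -2, +2, ...
    offsets = [0] + [s * d for d in range(1, drift_window + 1) for s in (-1, 1)]
    for off in offsets:
        counter = now + off
        if counter <= last_counter:
            continue  # never accept the same interval twice
        if hmac.compare_digest(totp(secret, counter), otp):
            return off
    return None


if __name__ == "__main__":
    server_time = 160                                  # constructed clock value
    otp = totp(SAMPLE_SECRET, (server_time - 120) // STEP)  # token 120 s slow
    for window in (3, 5):
        print(window, "intervals ->", verify(SAMPLE_SECRET, otp, server_time, window))
```

A window of N intervals means 2N+1 codes are valid at any moment, so the window should be no wider than the token population actually needs.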
How Do You Set Time Drift
To set a time drift value for a hardware token, follow these steps in the SurePassID Admin Portal.
Locate the token from the Tokens tab, or select the token from the user's account.
Scroll to the bottom of the Update Token page, where you can change the Time Drift as shown below:
Press the Update button.
How Do You Manually Sync a Token
To manually sync a hardware token, follow these steps in the SurePassID Admin Portal.
Locate the token from the Tokens tab, or select the token from the user's account.
Press the Synchronize button in the button bar as shown below:
Follow the prompts on the Synchronize Token page.