Re: [OATH-Toolkit-help] OATH token time drift / synchronisation turnarou


From: Ilkka Virta
Subject: Re: [OATH-Toolkit-help] OATH token time drift / synchronisation turnaround
Date: Thu, 06 Jun 2013 14:12:31 +0300
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6

On 6.6.2013 0:24, Simon Josefsson wrote:
Jean-Michel Pouré - GOOZE <address@hidden> writes:

Dear all,

I would like to discuss time drift issues in a hardware token, like the
c200H3+, which sometimes has a slight time drift as reported by GOOZE
users.

The c200H3+ has a time step size of 60 seconds.
Very rarely, time drift can be +-30 seconds.

To fix a time drift of +-30 seconds:
$ oathtool --totp CD22B780FFFD2D53696807ECD37F404DAE393270 --time-step-size=60 -w1 --now '30 seconds ago'
This outputs two results, giving a 120-second time frame.
Any comments? Are these calculations correct?

If you use oathtool to output the OTPs you accept, then yes, why not.
Though if you use the verify function in oathtool, then remember that for TOTP the window works in two directions:

$ oathtool --totp 0000 -s 60 -w3 --now '2013-06-06 12:00'
394996
939603
846407
847799

$ oathtool --totp 0000 -s 60 -w1 --now '2013-06-06 12:02'
846407
847799

But in addition to 846407 and 847799 (12:02-12:03), 939603 (12:01) is accepted too:
$ oathtool --totp 0000 -s 60 -w1 --now '2013-06-06 12:02' 939603
1

Of course this goes for anything that uses oath_totp_validate. So, if you use the verify function you don't need to offset the time to get a two-directional window.

Anyway, one could just measure the actual time difference and compensate using that. That way it wouldn't matter if the time was off by hours.

And there is also time zone confusion to take into account as another source of clock differences.

It's all in UTC, so there shouldn't be any time zone confusion, unless somebody is doing something really wrong, right?
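
The two-directional window and the measured-drift compensation discussed in this message, sketched in Python as an added example (not oathtool or liboath code, and not part of the original mail). The key is the RFC 4226 test secret rather than a secret from the thread, and the function names `validate` and `validate_with_drift` are illustrative.

```python
import hashlib
import hmac
import struct

KEY = b"12345678901234567890"  # RFC 4226 test secret, not a key from the mail

def hotp(key, counter, digits=6):
    """RFC 4226 HOTP (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def validate(key, otp, now, step=60, window=1):
    """Check the current time step plus `window` steps on EACH side.

    Returns the signed step offset of the match (0 = current step,
    -1 = token one step behind), or None if nothing in the window matches.
    """
    current = int(now) // step
    for delta in sorted(range(-window, window + 1), key=abs):
        counter = current + delta
        if counter < 0:
            continue  # before the epoch, no such step
        if hmac.compare_digest(hotp(key, counter).encode(), otp.encode()):
            return delta
    return None

def validate_with_drift(key, otp, now, drift_steps, step=60, window=1):
    """Shift the server clock by the token's stored drift, then validate.

    Returns the updated drift in steps to store for next time, or None.
    """
    delta = validate(key, otp, now + drift_steps * step, step, window)
    return None if delta is None else drift_steps + delta

if __name__ == "__main__":
    now = 120  # constructed server time: step 2 with 60-second steps
    for counter in range(0, 5):
        otp = hotp(KEY, counter)
        print(counter, otp, validate(KEY, otp, now))
    # Token running 3 steps slow: rejected with no stored drift,
    # accepted once the measured drift is applied.
    slow = hotp(KEY, 360 // 60 - 3)
    print(validate_with_drift(KEY, slow, 360, 0),
          validate_with_drift(KEY, slow, 360, -3))
```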




