[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [OATH-Toolkit-help] OATH token time drift / synchronisation turnarou
|
From: |
Simon Josefsson |
|
Subject: |
Re: [OATH-Toolkit-help] OATH token time drift / synchronisation turnaround |
|
Date: |
Wed, 05 Jun 2013 23:24:58 +0200 |
|
User-agent: |
Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3 (gnu/linux) |
Jean-Michel Pouré - GOOZE <address@hidden> writes:
> Dear all,
>
> I would like to discuss time drift issues in a hardware token, like the
> c200H3+, which sometimes has a slight time drift as reported by GOOZE
> users.
>
> The c200H3+ has a time step size of 60 seconds.
> Very rarely, time drift can be +-30 seconds.
>
> To fix a time drift of +-30 seconds:
> $ oathtool --totp CD22B780FFFD2D53696807ECD37F404DAE393270
> --time-step-size=60 -w1 --now '30 seconds ago'
> This output two results, giving a 120 seconds time frame.
>
> To fix a time drift of +-1 minute:
> $ oathtool --totp CD22B780FFFD2D53696807ECD37F404DAE393270
> --time-step-size=60 -w2 --now '60 seconds ago'
> This output three results, giving a 180 seconds time frame.
>
> To fix a time drift of +-90 seconds:
> $ oathtool --totp CD22B780FFFD2D53696807ECD37F404DAE393270
> --time-step-size=60 -w3 --now '90 seconds ago'
> This output four results, giving a 270 seconds time frame.
>
> Any comments? Are these calculations correct?
Looks reasonable to me.
Token time drift aside, I think that any service accepting TOTP's should
be somewhat liberal in what it accepts -- having device clocks be off up
to a minute or so isn't that uncommon. Further, some people may need 30
seconds (or more) to type an OTP. And there is also time zone confusion
to take into account as another source of clock differences.
/Simon