On 04/29/2016 12:37 PM, Prashant Bapat wrote:
> Hi Petr,
>
> Thanks for the response. But my question was more towards the cases where
> there is a slight delay in entering the OTP in the web UI and it reaching the
> IPA server. This actually can happen with ANY time window.
>
> There are a couple of scenarios.
>
> 1. Network delays.
> 2. User enters the OTP token and takes a few seconds before pressing submit.
> 3. User has to enter OTP first and then the password. This is the case when
> changing password in IPA at the moment when OTP is on.

Actually, the password change scenario is:

1. old password + OTP
2. old password + OTP2 + new password + confirm new password

> Is there a way to make IPA honor either the current token (obviously!) or 1
> elapsed token?

Actually it may be done this way, but I'm not sure.

> This will go a long way in making FreeIPA's OTP implementation much more
> usable.

Either way, as I said in the previous mail, try HOTP tokens. They don't use
time windows and therefore the above is not an issue.

> Thanks.
> --Prashant
>
> On 25 April 2016 at 21:48, Petr Vobornik <pvobo...@redhat.com> wrote:
>
> > On 04/22/2016 08:55 AM, Prashant Bapat wrote:
> > > Hi,
> > >
> > > We have been using the OTP feature of FreeIPA extensively for users to
> > > login to the web UI. Now we are rolling out an external service using the
> > > LDAP authentication based on FreeIPA and OTP.
> > >
> > > End users typically login rarely to the web UI. Only to update their SSH
> > > keys once in 90 days.
> > >
> > > However to the new service based on FreeIPA's LDAP they would be logging
> > > in multiple times daily.
> > >
> > > Here is an observation: FreeIPA's OTP mechanism is very stringent in
> > > requiring the current token to be inside the 30 second window. Because of
> > > this there might be a sizable percentage of users who will have to retry
> > > login. Obviously, this is a bad user experience.
> > >
> > > As per the RFC-6238 <http://www.rfc-base.org/txt/rfc-6238.txt> section
> > > 5.2, we could allow 1 time step and make the user experience better.
> > >
> > > Can this be done by changing a config or does it involve a
> > > patch/code-change. Any pointers to this appreciated.
> > >
> > > Thanks.
> > > --Prashant
> >
> > FreeIPA works with both time-based OTP tokens (TOTP) and counter-based OTP
> > tokens (HOTP). TOTP uses a 30s time interval by default. An administrator
> > can set a custom clock interval during creation of a token. But the
> > self-service Web UI doesn't show this option. Users can still use it in
> > the CLI though.
> >
> > An alternative is HOTP, which doesn't use a time interval, and there the
> > UX issue is not there. It can also be created in user self-service.
> > --
> > Petr Vobornik

--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
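The thread above turns on two points: what the RFC 6238 section 5.2 "one elapsed time step" window actually does for the delayed-entry scenarios Prashant lists, and why Petr's suggestion of HOTP sidesteps the problem. The block below is an added illustration written for this page; it is not FreeIPA code and says nothing about how FreeIPA's KDC or LDAP bind validates tokens. The `verify_totp` / `verify_hotp` functions and their `back`, `forward`, `last_used` and `look_ahead` parameters are hypothetical names chosen for the example. The secret and timestamps are the published RFC 4226 / RFC 6238 test vectors, and the "read at t, submit two seconds later across a step boundary" scenario is constructed to match case 2 in the thread.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time // step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, step=30, digits=6, back=0, forward=0, last_used=None):
    """Accept `code` if it matches any step in [now - back, now + forward].

    Returns the matched step index or None. `back=1` is the RFC 6238 section 5.2
    "one elapsed time step" window. `last_used` is the highest step already
    accepted for this token; a match at or below it is refused, so widening the
    window does not let a code that was just used be replayed while it is still
    inside the window.
    """
    now = at // step
    matched = None
    for delta in range(-back, forward + 1):
        if hmac.compare_digest(hotp(secret, now + delta, digits), code):
            matched = now + delta
            break
    if matched is None or (last_used is not None and matched <= last_used):
        return None
    return matched


def verify_hotp(secret, code, counter, look_ahead=10, digits=6):
    """Accept `code` if it matches counter .. counter + look_ahead (RFC 4226 resync).

    Returns the next counter to store (one past the match) or None. The stored
    counter only moves forward, so there is no time window for a slow submit to
    fall out of, and a consumed code cannot be replayed.
    """
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


def delayed_entry_demo():
    """Constructed case 2 from the thread: code read at t=1111111109, submitted at t=1111111111.

    The two instants fall in different 30 s steps (37037036 and 37037037), so a
    current-step-only check rejects a code that was perfectly valid when read.
    """
    t_read, t_submit = 1111111109, 1111111111
    code = totp(TEST_SECRET, t_read, digits=8)  # "07081804" per RFC 6238 Appendix B
    strict = verify_totp(TEST_SECRET, code, t_submit, digits=8)           # current step only
    lenient = verify_totp(TEST_SECRET, code, t_submit, digits=8, back=1)  # current or one elapsed
    replay = verify_totp(TEST_SECRET, code, t_submit, digits=8, back=1, last_used=lenient)
    return {"strict": strict, "lenient": lenient, "replay": replay}


def hotp_demo():
    """Constructed case: the user generated counters 3 and 4 without submitting, then submits 5."""
    stored = 3
    code = hotp(TEST_SECRET, 5)  # "254676" per RFC 4226 Appendix D
    next_counter = verify_hotp(TEST_SECRET, code, stored, look_ahead=3)        # 6: resynced past the skipped codes
    replay = verify_hotp(TEST_SECRET, code, next_counter, look_ahead=3)        # None: counter already advanced
    return {"next_counter": next_counter, "replay": replay}


if __name__ == "__main__":
    print(delayed_entry_demo())
    print(hotp_demo())
```

Two things the thread does not spell out. First, a one-step look-back is not free: with six-digit codes a single guess now has two chances in a million instead of one, and a code captured off the wire or a shoulder stays usable for up to 60 s rather than 30 s, so it should be paired with the `last_used` check above and with the lockout or rate limiting the server already applies to failed binds. Second, HOTP trades the time window for a counter window: if a user generates codes without submitting them the server has to search ahead (the `look_ahead` here), and a token that drifts past that window needs an administrator resync, which is the HOTP-side cost of the usability gain Petr points to.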