[jira] [Commented] (GUACAMOLE-1056) Add support for tracking the time drift between guacamole and TOTP-tokens

Wed, 29 Apr 2020 10:20:17 -0700 


    [ 
https://issues.apache.org/jira/browse/GUACAMOLE-1056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17095721#comment-17095721
 ] 

Nick Couchman commented on GUACAMOLE-1056:
------------------------------------------

> Tokens/Display cards which generate codes directly on the device have an 
> internal clock. According our investigates it seams to be normal that a time 
> drift of 2 second per week seems to be in a common range.

These doesn't seem right - the tokens that I've dealt with in the past (RSA 
SecurID and Gemalto eToken PASS) seem to be very reliable in terms of 
time-keeping, and are built specifically with a Real Time Clock that avoids 
this drift.

I'm not necessarily opposed to the improvement you suggest - and, if it's 
something you've already done and want to put in a pull request for it, that 
would be fine - but 2 seconds per week seems like an outrageous amount of drift 
and not something I've ever experienced.

> Add support for tracking the time drift between guacamole and TOTP-tokens
> -------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1056
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1056
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-totp
>            Reporter: Stefan
>            Priority: Major
>
> Tokens/Display cards which generate codes directly on the device have an 
> internal clock. According our investigates it seams to be normal that a time 
> drift of 2 second per week seems to be in a common range. At some point the 
> time drift of these token is to high so the TOTP- extensions rejects the 
> generated codes. Because it is not possible to correct the on an easy way, we 
> will add a tracking of this time drift.
> We added a new attribute for storing the value of the time drift next to the 
> TOTP-Key. The module will accept 3 codes, one previous, one on time and one 
> in the future. Depending on the accepted code the value will be decremented 
> (previous) or incremented (future) or unchanged (on time). The new value will 
> be used to compensate the timedrift on the next login.
> The changed code will follow the next days.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to