Token synchronization
Synchronization provides a secure mechanism through which the server and token can automatically resynchronize when a user authenticates.
Tokens might need to be synchronized if they become out of sync with the server. QUICKLog or event-based tokens can become out of sync with the server if the OTP is requested multiple times from the token, but is not used for synchronization. For time-based tokens, the clock in the token in an input for OTP computation. The time that is received from this clock can drift, and this drift needs to be considered on the server during OTP validation.
Supported token types for synchronization
Synchronization is supported by the following token types:
-
QUICKLog tokens are event-based and do not rely on time to remain synchronized with the server. Each time an event-based token is activated, a new OTP is generated. For each login event, the server compares the submitted OTP with the expected OTP. QUICKLog tokens can become out of sync with the server if the OTP is requested multiple times from the token but is not used for authentication.
-
CRYPTOCard/SafeNet KT series (time-based)
-
SafeNet GOLD/Platinum
-
MobilePASS
-
eToken PASS
-
Third-party OATH
-
Google Authenticator
Configure token synchronization
-
On the SAS Token Management console, select Policy > Token Policies > Synchronization.
-
Configure the synchronization options:
-
Inner event-based OTP window size—The number of passwords the server will look-ahead from the last successful logon by the user. Using the example above, the server would be expecting passcode number 1 even though the user provides passcode number 2. Assuming the default inner window value of 3, the server would look from passcode 1 to 3 until a match is found (in this case at passcode 2). If a match is found, the user is authenticated and any unused passcodes are discarded. The next valid passcode on the server would be passcode 3. Default value: 10.
-
Outer event-based OTP window size—This handles situations where the user’s passcode is not found in the inner window. In this case, the server will look ahead up to the indicated value (by default 100). If a match is found in this window, the user is prompted to provide the next passcode in sequence. For example, if the user provides passcode 4, the user will be prompted for and must provide passcode 5. In essence this window has an effective size of 1. Default value: 100.
-
First authentication time-based OTP window size—An expanded evaluation window (maximum value = 300) that applies only to the first authentication attempt after a token record is imported - to adjust for token drift - so that the time-based tokens can be conveniently synchronized. Subsequent authentication attempts with the token will be restricted to the Inner window (maximum = 10) and Outer window (maximum = 100) values. For more details, see Configure the window size for a time-based token’s first authentication.
-
Inner time-based OTP window size—This handles time drift for time-based tokens. This value determines the number of token ticks the token can be out of sync with the server. An OTP found inside this window will be accepted and the server is updated to adjust for this token’s time drift. Default: 5.
Token ticks are defined in the token profile (under Time Period). The default is 30 seconds.
-
Outer time-based OTP window size—This handles time drift for time-based tokens. This value determines the number of token ticks the token can be out of sync with the server if the OTP is not found in the inner window. If the OTP is found in the outer window, the user must provide the next OTP in sequence to successfully authenticate. Default value: 25.
When a user is resyncing a token on the Self-Service site, or an admin is resyncing a token on the Token window of the SAS Token Management console, the outer window is three times the setting, up to a maximum of 300. The actual outer window value, up to a maximum of 100, is only used during an authentication with an agent.
-
-
Select Apply.
Display the synchronization policy change log
-
On the SAS Token Management console, select Policy > Token Policies > Synchronization.
-
Click Change Log to display a record of the changes to the synchronization fields.
-
Click Close to hide the change log.