Question

MFA Code Only Working After The Next Token Generated or After 25 Seconds

asked on October 13, 2022

Hi,


I have a weird scenario after enabling MFA for some users on LFDS, as follows:

  • Scenario 1 (Sign In first then enter MFA code when asked):

After clicking the Sign In button, when the MFA code field appears, the token generated at that moment should be usable, but it only works after 25 seconds OR once the next token has been generated in the authenticator app.


  • Scenario 2 (Sign In and enter MFA code in one step):

After entering the generated token in the MFA field and clicking the Sign In button, an error appears (Sign-in failed: invalid MFA code). After that the same token should be usable, but it only works after 25 seconds OR once the next token has been generated in the authenticator app.


These scenarios were tested on:

  1. Google Authenticator 
  2. Microsoft Authenticator 
  3. Duo Mobile


Has anyone seen such behavior? Or any idea on how to solve it?

0 0

Replies

replied on October 13, 2022

Hello,


I've never seen this for virtual MFA codes, but when it happens for physical MFA tokens, it indicates that the timing is out of sync -- this happens easily on physical MFA devices which may need to be periodically re-synced.


My first guess since it's happening across applications would be that there's something wrong with the clock on either the server or on the user's end, since the current time is used when generating the code on both the user side and the server side. 


You could start by checking the time, including the seconds, on the users' devices and on the server in question.


If you see no differences, I recommend opening a support case.

1 0
replied on October 16, 2022

The time is identical on the web server and both clustered LFDS servers, and the client differs by only one second.


Maybe there is another factor causing this behavior, because the token generated by the authenticator app only works after the next token has been generated (even if that is 5 seconds after changing to the new token) OR 24/25 seconds after the login step, whichever comes first.

0 0
replied on October 17, 2022

It turned out that although all machines (LFDSSTS, Web, and clients) have identical time, their time was -1 min from the internet time used by the mobile devices running the authenticator apps.


Thank you Brianna Blanchard

0 0
replied on October 17, 2022

It's worth remembering that many MFAs use what are called "TOTP" - Time-based One-Time Passwords. The values are explicitly tied to the clock on the device that generates or validates them. If you ever see them sometimes work and sometimes not, you should immediately suspect clock drift - the likely problem is that the generator and validator clocks have skewed far enough that the difference is approaching the entire validity window.

1 0
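As an added illustration of the TOTP clock-drift point made in the reply above (example code written for this page, not code from the thread or from any vendor's product), the block below implements RFC 6238 TOTP generation and a validator with a configurable skew window, then sweeps a range of seconds to measure what fraction of the codes a phone displays are accepted by a validator whose clock runs behind. The secret, the epoch base and the offsets are constructed values; the thread reports roughly a one-minute offset but does not state the server's acceptance window, so the sweep shows the mechanism rather than reproducing the exact pattern the poster saw.

```python
import hashlib
import hmac
import struct

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6   # digits shown by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock, so the clock IS the input."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, code: str, validator_time: int, window: int = 1,
           step: int = STEP, digits: int = DIGITS) -> bool:
    """Accept a code whose time step lies within +/-window steps of the validator's own clock.

    The comparison is constant-time so a validator does not leak which digits matched.
    """
    current = validator_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


def accepted_fraction(secret: bytes, clock_offset: int, window: int = 1,
                      samples: int = 600) -> float:
    """Fraction of seconds in a sample interval during which the code the user's
    authenticator shows right now is accepted by a validator whose clock runs
    `clock_offset` seconds behind (negative) or ahead (positive) of the user's phone.

    Constructed sweep: a fixed epoch base keeps the result deterministic, and 600
    seconds covers exactly 20 whole time steps. Eight digits are used to make an
    accidental collision between codes of different steps negligible.
    """
    accepted = 0
    base = 1_700_000_000  # arbitrary, constructed epoch base
    for t in range(base, base + samples):
        shown = totp(secret, t, digits=8)                    # what the phone displays at t
        if verify(secret, shown, t + clock_offset, window, digits=8):
            accepted += 1
    return accepted / samples


if __name__ == "__main__":
    key = b"constructed-demo-secret"  # constructed value, not a real enrolment secret
    for offset in (0, -30, -45, -60):
        for win in (1, 2):
            print(f"validator {offset:+d}s, window +/-{win} step: "
                  f"{accepted_fraction(key, offset, win):.0%} of codes accepted")
```

With the default window of one step either side, a validator 30 seconds behind still accepts every code, one 45 seconds behind accepts codes only during half of each step, and one a full minute behind accepts none; widening the window to two steps restores acceptance but also lengthens how long a captured code remains valid, which is why fixing the clock (NTP on the servers) is the right remedy rather than loosening the validator.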