Imported HW token (SafeNet OTP 110) authentication fails (internal clock has probably drifted) about multiotp HOT 4 CLOSED

Hello,

Whats is the window time of the SafeNet OTP 110 ? 30 seconds, or 60 seconds ?

If the Window time is 60 seconds:
Google Authenticator only support window time of 30 seconds, and just ignore this parameter, even if it's mentionned in the provisioning QRcode.

If the Window time is 30 seconds:
An internal clock is installed in every hardware token, and this internal clock is adjusted when the token is manufactured, but during its lifetime, the time can be shifted. multiOTP manage that, as it resync internally the delta time of the token everytime an authenticatzion is done. But of course, the displayed OTP code can be different on your token and on Google authenticator, because the hardware internal clock can have a few minutes differences with the "real" time used by your smartphone (which is always synchronized).

If the internal clock of the SafeNet token is a few minutes away, you will have to resync it.

In order to do that, when you have to type the OTP code, instead of typing only [OTP], please type two consecutive OTP codes, seperated by [space] : [OTP1] + [space] + [OTP2]

In the corresponding user file /etc/multiotp/users/myuser.db, you should find now the correction time parameter delta_time=nnn

Regards,

from multiotp.

Hello,

I get the following results when I try to resync my token (the time window is 30 seconds).

# multiotp -resync <USERNAME> <TOKEN1> <TOKEN2>

LOG 2023-09-01 10:53:30 warning (user <USERNAME>) User Error: authentication failed for user <USER>

LOG 2023-09-01 10:53:30 warning (user <USERNAME> User Info: *(authentication typed by the user: <TOKEN1>)
99 *ERROR: Authentication failed (and other possible unknown errors)

The same happens when I'm trying to do the resync via the webGUI.

from multiotp.

Hello,
What is the content of the /etc/multiotp/users/.db (at least delta_time, last_login, and token_algo_suite) ?
You can try to edit the file and change the last_login value to 0.
Let's say if you have tried to log-in with Google Autenticator at time T0 and your SafeNet token is 5 minutes late, you cannot force a resync with an already existing value, which means you will have to wait at least 5 minutes.
If you cannot solve the, except if you are sending us the token and the PKSC definition file, we cannot do anything more for you, as I would say that there is an issue with your SafeNet tokens, or the content of the PKSC definition file. Are these tokens brand new ?
Regards,

from multiotp.

No answer from the last three weeks, unable to reproduce.

from multiotp.