Hi, i have one of my customer that use CA Mobile OTP to generate TOTP for strong authentication.
Some of the end users are used to travel a lot and they reported the following:they initially enrolled for mobile OTP e.g. when they was in Rome and the CA Mobile OTP generates OTP and they were able to authenticate successfully.
When they moved to another location, with different time zone, e.g. Moscow, the CA Mobile OTP generates OTP that are evaluated from Strong Authentication server as invalid OTP.Is there any relation between the generated OTP and the timezone of the mobile phone?. If yes, how can we address this behaviour?
Are you seeing INVALID_OTP in the webfort logs ?
Normally for Mobile OTP timezone does not matter.
It may be possible that the Negative country or device velocity rule is triggering but this will also occur before user reaches the step of entering the Mobile OTP.
Can you confirm if you are seeing INVALID_OTP in webfort log when the user enters the OTP ?
the error in in the arcotwebfort.log:
05/18/18 14:46:05.775 INFO RADIUS 00004032 00659325 - [UDS] UDS Log : Successfully retrieved the user [RGIUPPA] for organization [GBI]
05/18/18 14:46:05.775 INFO RADIUS 00004032 00659325 - Transaction processing(internal-pre) is about to start.
05/18/18 14:46:05.775 INFO RADIUS 00004032 00659325 - Transaction processing(internal-pre) is complete.
05/18/18 14:46:05.775 INFO RADIUS 00004032 00659325 - Transaction processing(proc) is about to start.
05/18/18 14:46:05.775 INFO RADIUS 00004032 00659325 - HandleTOTP::ReferenceCounter : 50888248, Auth Window: [50888247, 50888258], Sync Window : [50887249, 50889248]
05/18/18 14:46:05.791 INFO RADIUS 00004032 00659325 - VerifyOTP Result : INVALID_OTP
It seems that when the enduser if offsite the ca mobile otp went out of synch.
Hi Claudio, can you check the below values in your admin console for the CA Mobile OTP issuance configuration:
From log it seems sync settings are set to 1 and 1 for look back and look forward and authentication settings were set to 0 and 10.
Can you change the settings to 5 and 5.
The above are the settings.
Looks like the MobileOTP was provisioned for the user when he/ she was in Rome. Now, when they are in a different time zone., in Moscow for instance, did the time zone automatically change to their current location's time zone on the device? This type of behavior will be typically seen in 2 scenarios.
1. When a user is in Moscow, they changed the time manually but not the time zone they are in. This effectively means there are in the Rome time zone but the time points to Moscow.
2. In the same lines, if a user changes the time zone manually when in Moscow but not the time.
Can you confirm on the above scenario?
If it was set for auto update of time/ timezone on the device then this issues should not arise as the time offset is set with respect to the UTC.
Hi Lakshmi, the customer has changed the date and time zone settings on his mobile phone as for your suggestion. He is on travel, he will verify if once back the generated OTP will continue to works fine.