Symantec Access Management

  • 1.  CA Mobile OTP & timezone

    Posted Jun 05, 2018 02:21 PM

    Hi, I have a customer who uses CA Mobile OTP to generate TOTP for strong authentication.

    Some of the end users travel a lot and they reported the following:
    they initially enrolled for mobile OTP, e.g. when they were in Rome, and CA Mobile OTP generated OTPs and they were able to authenticate successfully.

    When they moved to another location with a different time zone, e.g. Moscow, CA Mobile OTP generates OTPs that are evaluated by the Strong Authentication server as invalid OTPs.
    Is there any relation between the generated OTP and the time zone of the mobile phone? If yes, how can we address this behaviour?

    Best Regards



  • 2.  Re: CA Mobile OTP & timezone

    Broadcom Employee
    Posted Jun 07, 2018 04:54 PM

    Hi Claudio, 

     

    Are you seeing INVALID_OTP in the webfort logs?

    Normally, for Mobile OTP, the time zone does not matter.

     

    It may be possible that the Negative country or device velocity rule is triggering, but this will also occur before the user reaches the step of entering the Mobile OTP.

     

    Can you confirm if you are seeing INVALID_OTP in the webfort log when the user enters the OTP?

     

    Thanks

    Awijit 



  • 3.  Re: CA Mobile OTP & timezone

    Posted Jun 08, 2018 03:43 AM

    Hi Awijit,

    The error in the arcotwebfort.log:

     

    05/18/18 14:46:05.775 INFO  RADIUS       00004032 00659325 - [UDS] UDS Log : Successfully retrieved the user [RGIUPPA] for organization [GBI]

    05/18/18 14:46:05.775 INFO  RADIUS       00004032 00659325 - Transaction processing(internal-pre) is about to start.

    05/18/18 14:46:05.775 INFO  RADIUS       00004032 00659325 - Transaction processing(internal-pre) is complete.

    05/18/18 14:46:05.775 INFO  RADIUS       00004032 00659325 - Transaction processing(proc) is about to start.

    05/18/18 14:46:05.775 INFO  RADIUS       00004032 00659325 - HandleTOTP::ReferenceCounter : 50888248, Auth Window: [50888247, 50888258], Sync Window : [50887249, 50889248]

    05/18/18 14:46:05.791 INFO  RADIUS       00004032 00659325 - VerifyOTP Result : INVALID_OTP

     

    It seems that when the end user is offsite, the CA Mobile OTP went out of sync.



  • 4.  Re: CA Mobile OTP & timezone

    Broadcom Employee
    Posted Jun 08, 2018 04:50 PM

    Hi Claudio, can you check the below values in your admin console for the CA Mobile OTP issuance configuration:

     

    OTPCounterAuthLookAhead
    OTPCounterAuthLookBack
    OTPCounterReSyncLookAhead
    OTPCounterReSyncLookBack 

     

    thanks

    awijit



  • 5.  Re: CA Mobile OTP & timezone

    Broadcom Employee
    Posted Jun 08, 2018 05:11 PM

    From the log it seems the sync settings are set to 1 and 1 for look back and look forward, and the authentication settings were set to 0 and 10.

     

    Can you change the settings to 5 and 5?



  • 6.  Re: CA Mobile OTP & timezone

    Posted Jun 11, 2018 10:54 AM

    The above are the settings.

    Regards



  • 7.  Re: CA Mobile OTP & timezone

    Posted Jun 11, 2018 01:19 PM

    Hi Claudio,

    Looks like the MobileOTP was provisioned for the user when he/she was in Rome. Now, when they are in a different time zone, in Moscow for instance, did the time zone automatically change to their current location's time zone on the device? This type of behavior will typically be seen in 2 scenarios.

    1. When a user is in Moscow, they changed the time manually but not the time zone they are in. This effectively means they are in the Rome time zone but the time points to Moscow.

    2. Along the same lines, if a user changes the time zone manually when in Moscow but not the time.

     

    Can you confirm on the above scenario?

     

    If it was set for auto update of time/time zone on the device, then this issue should not arise, as the time offset is set with respect to UTC.

     

    Thanks,

    Lakshmi.
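
Added example (not part of any post in this thread, and not CA/Broadcom code): it parses the HandleTOTP line from the log in post 3 and shows where a device's counter lands when the phone's underlying UTC clock is wrong by a whole hour, as in the manual time/time-zone scenarios in post 7. The 30-second step and all function names are assumptions; what the server does with a counter that falls only in the sync window is product-specific and not modelled.

```python
import re

STEP_SECONDS = 30  # assumption: RFC 6238 default time step; not stated in the thread

# Message part of the HandleTOTP line from the arcotwebfort.log excerpt in post 3.
LOG_LINE = ("HandleTOTP::ReferenceCounter : 50888248, "
            "Auth Window: [50888247, 50888258], "
            "Sync Window : [50887249, 50889248]")

_PATTERN = re.compile(
    r"ReferenceCounter\s*:\s*(\d+),\s*"
    r"Auth Window\s*:\s*\[(\d+),\s*(\d+)\],\s*"
    r"Sync Window\s*:\s*\[(\d+),\s*(\d+)\]")

def parse_windows(line):
    """Extract the reference counter and both acceptance windows."""
    m = _PATTERN.search(line)
    if m is None:
        raise ValueError("not a HandleTOTP window line")
    ref, a_lo, a_hi, s_lo, s_hi = map(int, m.groups())
    return {"ref": ref, "auth": (a_lo, a_hi), "sync": (s_lo, s_hi)}

def offsets(windows, name):
    """Window bounds as (steps back, steps ahead) of the reference counter."""
    lo, hi = windows[name]
    return windows["ref"] - lo, hi - windows["ref"]

def totp_counter(utc_epoch_seconds, step=STEP_SECONDS):
    """RFC 6238 time counter: whole steps since the Unix epoch, always in UTC."""
    return int(utc_epoch_seconds) // step

def classify(device_counter, windows):
    """Where the device's counter falls relative to the server's windows."""
    if windows["auth"][0] <= device_counter <= windows["auth"][1]:
        return "auth-window"
    if windows["sync"][0] <= device_counter <= windows["sync"][1]:
        return "sync-window-only"
    return "outside"

def skew_report(clock_error_seconds, line=LOG_LINE):
    """(counter drift, classification) for a device whose UTC clock is off."""
    w = parse_windows(line)
    server_utc = w["ref"] * STEP_SECONDS  # constructed: start of the reference step
    device = totp_counter(server_utc + clock_error_seconds)
    return device - w["ref"], classify(device, w)

if __name__ == "__main__":
    for err in (0, 90, 3600, -3600, 36000):  # constructed clock errors in seconds
        print(err, skew_report(err))
```

A correct time-zone change leaves the UTC epoch untouched, so the counter does not move; only a wrong underlying clock (here one hour, i.e. 120 steps) pushes it past the authentication window.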



  • 8.  Re: CA Mobile OTP & timezone

    Posted Jun 12, 2018 09:48 AM

    Hi Lakshmi, the customer has changed the date and time zone settings on his mobile phone as per your suggestion. He is travelling; he will verify whether, once back, the generated OTP continues to work fine.

    Thank you