Symantec Access Management

Expand all | Collapse all

TOTP algorithm

Jump to Best Answer
  • 1.  TOTP algorithm

    Posted 09-04-2019 10:37 AM
    i need some explanation on the TOTP authentication with StrongAuthentication.
    Could you please share details on how the TOTP generated on the mobile App are verified on the server side.
    I look to the arcotwebfort.logs and i would like to have more info on how ReferenceCounter is calculated, and what is it meaning. (i expect that for counter based OTP not for TOTP). I see also that lastknowdrift and lastverifiedcounter take part to the process.
    Could you please share the algorithm that works behind the scenes.
    Best Regards

  • 2.  RE: TOTP algorithm
    Best Answer

    Posted 09-05-2019 01:32 PM
    Hi Claudio,

    CA Mobile OTP is a One-Time Password compliant to OATH standards. The user uses the generated passcode at the Web application that is protected by CA Mobile OTP authentication. Based on the authentication result, the 

    user is granted access to the protected application.

    The passcode generation is an offline process, which means the client application need not connect

    to the authentication server for generating passcodes.

    TOTP is time based OTP generated using the OATH standards. Auth window is considered when the generated OTP is valid as client and server will generate the OTP and server will offset any drift happened before so both generates the same OTP and validation succeeds. If the drift is beyond the Auth window it should fall under Synch window and recommendation is that this value should be higher like 100-100.

    Auth and synch window is based upon seconds and look ahead and look back will mean that server will generate the OTP in between the look back and look ahead time step and then validate that.

    Our recommendation is to have the look back and look ahead as 10-10 and synch windows as 100-100.

    I do not have the white paper on CA Mobile OTP handy but found this link which can give some inputs.