25,151 questions
How to fix time-drift issues with OATH hardware tokens?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 44%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Peter Mørck
0
Reputation points
Hello all,
We currently have a number of OATH hardware tokens. They are now about 1 year old and we are beginning to se a bit of time-drifting. The maximum we are seeing is a forward drift of 90-120 seconds. Whenever a user tries to enter their number-code is fails.
As far as i can tell from others testing Microsoft allows 900 seconds of drifting. I have also been able to find some explanations about how when the hardware token is first activated and subsequently used their will be continous adjustments for time-drifting. This of course being a problem if a hardware token is not used in a longer period of time. Here we imagined we could just reactivate the token and get an adjusted time.
However as it turns out even newly activated hardware tokens which have only drifted 90-120 seconds are not working. The user simply gets an error message that the code provided is no longer valid.
Is there fix to this or any explanation or documentation on how time-drifting is handled is Entra ID?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
Raja Pothuraju 23,800 Reputation points Microsoft External Staff Moderator2024-08-26T12:39:39.9133333+00:00 Hello @Peter Mørck,
Thank you for posting your query on Microsoft Q&A.
I see that you currently have an OATH hardware token that was configured a year ago and are experiencing time-drifting issues with it. The token has a forward drift of 90-120 seconds, causing the code to fail as it is no longer valid when entered by the user.
The time lag is allowed between the TOTP hardware token and the Entra can be set both forward and backward from the calculated time step on receipt of the OTP value. If the time step is 30 seconds as recommended, and the validator is set to only accept two-time steps backward, then the maximum elapsed time drift would be around 89 seconds, i.e., 29 seconds in the calculated time step and 60 seconds for two backward time steps.
https://www.rfc-editor.org/rfc/rfc6238.html
I suggest checking the
StrongAuthenticationPhoneAppDetailsattribute on the user object to learn about each registered authentication device and determine theOathTokenTimeDriftvalue using the following PowerShell commands:Install-Module MSOnline Connect-MsolService $upn = "******@contoso.com" $user = Get-MsolUser -UserPrincipalName $upn $user.StrongAuthenticationPhoneAppDetails | flThis will provide information about the OathTokenTimeDrift. Please let me know the value from the output. The OathTokenTimeDrift value should be 0; if it’s higher, it needs further investigation.
Please send me an email at 'AzCommunity@microsoft.com' with the subject line "Attn: Pothurajur" and include a link to this thread/post. We can then connect offline to discuss this further.
Thanks,
Raja Pothuraju.
Sign in to comment
Sign in to answer