This may be a Google Authenticator BUG; but I do not know how to confirm this.
A customer has pointed out to me that if you change the default Token Timestep from 30 to 45 Seconds and are also manually defining SOFT User Tokens that the resulting QR code when imported into Google authenticator STILL uses a Token Timestep of 30 seconds; which quickly causes too much drift between the Soft Token and UTM's expected returned code, causing authentication failures.
I've replicated it here with these steps.
1. In WebAdmin, enable OTP and DESelect the option to Auto-Create OTP token for users.
2. Change the Default Token Timestep from 30 to 45 seconds and click APPLY.
3. ADD an OTP token; I selected a backend synced AD user who had YET to have a token generated for them and used a manually defined random SECRET code.
4. Navigated to User Portal and tried to Log in.
The disaplyed QR code in the User Portal when imported into GOOGLE Authenticator showed a token timestep of 30 seconds; deduced by the fact that my other token timesteps were 30 seconds.
HOWEVER, and this is where it's interesting. if I use the SOPHOS AUTHENTICATOR aplication and import the SAME QR code, the timestep is notably longer, 45 seconds as expected!
hence why I think this is a Google Auth bug and NOT a Sophos UTM issue.
however, I'd like to get feedback on what we can do, if any...
Cheers
PS: Oh, and not to take focus off the topicl however, as a feature request it would be nice to have a GENERATE RANDOM Secret code button for use when you're manually defining User SOFT TOKENs [;)]
When manually defining Soft Token, provide a RANDOM Secret button.
Guest User!
You are not Sophos Staff.
