DPS - 2FA Google Authenticator Timeout

Implemented


We have had an issue with the valid time a Google Authenticator code remains active for quite some time (we are now on the latest DPS but this issue has been going on for a couple of years). What we are finding is that if the Google Auth TOTP code is refreshed every 30 seconds on the end user device, the code only works for, say, the first 5-15 seconds of that period. If we manually refresh to get a new code then we can generally authenticate without issue. Now I know that the first thing that comes to mind is that the time is out of sync between the DPS server and the user's Google Auth device, but it's not. It also happens to all our users, and setting up the Google Auth token again for a user also doesn't resolve the issue. Is there a setting to extend the period of time a TOTP code is valid for on the DPS server?

Thanks

All Comments (5)


Hello,
There is no such setting in DVLS (as this is managed by the third party OTP you're using).
And as you stated, what you are describing is indeed caused by a time difference between the time on the DVLS instance and the users' device.
A 15 second time difference can easily go unnoticed...

Are the users affected by this on both the Web UI and RDM? (I guess yes)

Could you provide me with your DVLS version?

I hope this helps, thanks for keeping us posted.
Best regards,

Alex Belisle


Time on device and DVLS server are in sync to the second. The client devices are used for numerous google auth services and the others are no issue. This is a long term issue we have been having with the DVLS server auth. Yes both WebUI and RDM have same issue.

DVLS version is latest 2021.1.20.0 but all versions for last few years we have had the same issue with. Simply put the TOTP code generated is just not valid for long enough on the DVLS. The Google Auth client regens every 30 seconds but from all our testing it only works on the DVLS system for about first 10-15 seconds of that period. If we force the google auth client to regenerate the TOTP code it works as long as we use it straight away.

Any ideas on how to resolve this would be appreciated.


Regards

Jason


Any ideas?

Thanks


Hello Jason,
I opened a support ticket on your behalf so we can plan a call; we'll post the solution afterward.
Best regards,

Alex Belisle


Hello @everyone
We had a call to take a closer look, and it turns out that the Google Auth based tool jason13 is using is WatchGuard AuthPoint.
This tool handles the OTP code valid time differently than Google Authenticator actually does.
A ticket has been opened for the engineering to allow a short time buffer that would facilitate the process.

Hope this helps!

Best regards,

Alex Belisle