2020-02-29 00:43:59 +00:00
|
|
|
---
|
|
|
|
layout: default
|
2021-02-12 05:59:42 +00:00
|
|
|
title: Time-based One-Time Password
|
2020-02-29 00:43:59 +00:00
|
|
|
parent: Configuration
|
2021-09-17 04:44:35 +00:00
|
|
|
nav_order: 16
|
2020-02-29 00:43:59 +00:00
|
|
|
---
|
|
|
|
|
2021-02-12 05:59:42 +00:00
|
|
|
# Time-based One-Time Password
|
2020-02-29 00:43:59 +00:00
|
|
|
|
2022-04-07 23:01:01 +00:00
|
|
|
The OTP method _Authelia_ uses is the Time-Based One-Time Password Algorithm (TOTP) [RFC6238] which is an extension of
|
|
|
|
HMAC-Based One-Time Password Algorithm (HOTP) [RFC4226]. You have the option to tune the settings of theTOTP generation,
|
|
|
|
and you can see a full example of TOTP configuration below, as well as sections describing them.
|
2020-02-29 00:43:59 +00:00
|
|
|
|
2021-04-11 11:25:03 +00:00
|
|
|
## Configuration
|
2020-04-11 04:46:07 +00:00
|
|
|
```yaml
|
|
|
|
totp:
|
2022-03-03 11:20:43 +00:00
|
|
|
disable: false
|
2020-04-11 04:46:07 +00:00
|
|
|
issuer: authelia.com
|
2021-12-01 12:11:29 +00:00
|
|
|
algorithm: sha1
|
|
|
|
digits: 6
|
2020-04-11 04:46:07 +00:00
|
|
|
period: 30
|
|
|
|
skew: 1
|
2022-04-07 23:01:01 +00:00
|
|
|
secret_size: 32
|
2020-04-11 04:46:07 +00:00
|
|
|
```
|
|
|
|
|
2021-04-11 11:25:03 +00:00
|
|
|
## Options
|
|
|
|
|
2022-03-03 11:20:43 +00:00
|
|
|
### disable
|
|
|
|
<div markdown="1">
|
|
|
|
type: boolean
|
|
|
|
{: .label .label-config .label-purple }
|
|
|
|
default: false
|
|
|
|
{: .label .label-config .label-blue }
|
|
|
|
required: no
|
|
|
|
{: .label .label-config .label-green }
|
|
|
|
</div>
|
|
|
|
|
|
|
|
This disables One-Time Password (TOTP) if set to true.
|
|
|
|
|
2021-04-11 11:25:03 +00:00
|
|
|
### issuer
|
|
|
|
<div markdown="1">
|
|
|
|
type: string
|
|
|
|
{: .label .label-config .label-purple }
|
|
|
|
default: Authelia
|
|
|
|
{: .label .label-config .label-blue }
|
|
|
|
required: no
|
|
|
|
{: .label .label-config .label-green }
|
|
|
|
</div>
|
2020-03-25 01:48:20 +00:00
|
|
|
|
|
|
|
Applications generating one-time passwords usually display an issuer to
|
|
|
|
differentiate applications registered by the user.
|
|
|
|
|
|
|
|
Authelia allows customisation of the issuer to differentiate the entry created
|
2020-02-29 00:43:59 +00:00
|
|
|
by Authelia from others.
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
### algorithm
|
|
|
|
<div markdown="1">
|
|
|
|
type: string
|
|
|
|
{: .label .label-config .label-purple }
|
|
|
|
default: sha1
|
|
|
|
{: .label .label-config .label-blue }
|
|
|
|
required: no
|
|
|
|
{: .label .label-config .label-green }
|
|
|
|
</div>
|
2020-03-25 01:48:20 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
_**Important Note:** Many TOTP applications do not support this option. It is strongly advised you find out which
|
|
|
|
applications your users use and test them before changing this option. It is insufficient to test that the application
|
|
|
|
can add the key, it must also authenticate with Authelia as some applications silently ignore these options. Bitwarden
|
|
|
|
is the only one that has been tested at this time. If you'd like to contribute to documenting support for this option
|
|
|
|
please see [Issue 2650](https://github.com/authelia/authelia/issues/2650)._
|
2020-03-25 01:48:20 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
The algorithm used for the TOTP key.
|
|
|
|
|
|
|
|
Possible Values (case-insensitive):
|
|
|
|
- `sha1`
|
|
|
|
- `sha256`
|
|
|
|
- `sha512`
|
|
|
|
|
|
|
|
Changing this value only affects newly registered TOTP keys. See the [Registration](#registration) section for more
|
|
|
|
information.
|
|
|
|
|
|
|
|
### digits
|
|
|
|
<div markdown="1">
|
|
|
|
type: integer
|
|
|
|
{: .label .label-config .label-purple }
|
|
|
|
default: 6
|
|
|
|
{: .label .label-config .label-blue }
|
|
|
|
required: no
|
|
|
|
{: .label .label-config .label-green }
|
|
|
|
</div>
|
|
|
|
|
|
|
|
_**Important Note:** Some TOTP applications do not support this option. It is strongly advised you find out which
|
|
|
|
applications your users use and test them before changing this option. It is insufficient to test that the application
|
|
|
|
can add the key, it must also authenticate with Authelia as some applications silently ignore these options. Bitwarden
|
|
|
|
is the only one that has been tested at this time. If you'd like to contribute to documenting support for this option
|
|
|
|
please see [Issue 2650](https://github.com/authelia/authelia/issues/2650)._
|
|
|
|
|
|
|
|
The number of digits a user needs to input to perform authentication. It's generally not recommended for this to be
|
|
|
|
altered as many TOTP applications do not support anything other than 6. What's worse is some TOTP applications allow
|
|
|
|
you to add the key, but do not use the correct number of digits specified by the key.
|
2020-03-25 01:48:20 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
The valid values are `6` or `8`.
|
|
|
|
|
|
|
|
Changing this value only affects newly registered TOTP keys. See the [Registration](#registration) section for more
|
|
|
|
information.
|
2020-03-25 01:48:20 +00:00
|
|
|
|
2021-04-11 11:25:03 +00:00
|
|
|
### period
|
|
|
|
<div markdown="1">
|
|
|
|
type: integer
|
|
|
|
{: .label .label-config .label-purple }
|
|
|
|
default: 30
|
|
|
|
{: .label .label-config .label-blue }
|
|
|
|
required: no
|
|
|
|
{: .label .label-config .label-green }
|
|
|
|
</div>
|
2020-03-25 01:48:20 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
The period of time in seconds between key rotations or the time element of TOTP. Please see the
|
|
|
|
[input validation](#input-validation) section for how this option and the [skew](#skew) option interact with each other.
|
|
|
|
|
|
|
|
It is recommended to keep this value set to 30, the minimum is 15.
|
2020-03-25 01:48:20 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
Changing this value only affects newly registered TOTP keys. See the [Registration](#registration) section for more
|
|
|
|
information.
|
2021-04-11 11:25:03 +00:00
|
|
|
|
|
|
|
### skew
|
|
|
|
<div markdown="1">
|
|
|
|
type: integer
|
|
|
|
{: .label .label-config .label-purple }
|
|
|
|
default: 1
|
|
|
|
{: .label .label-config .label-blue }
|
|
|
|
required: no
|
|
|
|
{: .label .label-config .label-green }
|
|
|
|
</div>
|
2020-03-25 01:48:20 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
The number of one time passwords either side of the current valid one time password that should also be considered valid.
|
|
|
|
The default of 1 results in 3 one time passwords valid. A setting of 2 would result in 5. With the default period of 30
|
|
|
|
this would result in 90 and 150 seconds of valid one time passwords respectively. Please see the
|
|
|
|
[input validation](#input-validation) section for how this option and the [period](#period) option interact with each
|
|
|
|
other.
|
2020-03-25 01:48:20 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
Changing this value affects all TOTP validations, not just newly registered ones.
|
2021-09-17 04:44:35 +00:00
|
|
|
|
2022-04-07 23:01:01 +00:00
|
|
|
### secret_size
|
|
|
|
<div markdown="1">
|
|
|
|
type: integer
|
|
|
|
{: .label .label-config .label-purple }
|
|
|
|
default: 32
|
|
|
|
{: .label .label-config .label-blue }
|
|
|
|
required: no
|
|
|
|
{: .label .label-config .label-green }
|
|
|
|
</div>
|
|
|
|
|
|
|
|
The length in bytes of generated shared secrets. The minimum is 20 (or 160 bits), and the default is 32 (or 256 bits).
|
|
|
|
In most use cases 32 is sufficient. Though some authenticators may have issues with more than the minimum. Our minimum
|
|
|
|
is the recommended value in [RFC4226], though technically according to the specification 16 bytes (or 128 bits) is the
|
|
|
|
minimum.
|
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
## Registration
|
|
|
|
When users register their TOTP device for the first time, the current [issuer](#issuer), [algorithm](#algorithm), and
|
|
|
|
[period](#period) are used to generate the TOTP link and QR code. These values are saved to the database for future
|
|
|
|
validations.
|
2021-09-17 04:44:35 +00:00
|
|
|
|
2021-12-01 12:11:29 +00:00
|
|
|
This means if the configuration options are changed, users will not need to regenerate their keys. This functionality
|
|
|
|
takes effect from 4.33.0 onwards, previously the effect was the keys would just fail to validate. If you'd like to force
|
|
|
|
users to register a new device, you can delete the old device for a particular user by using the
|
|
|
|
`authelia storage totp delete <username>` command regardless of if you change the settings or not.
|
|
|
|
|
|
|
|
## Input Validation
|
|
|
|
The period and skew configuration parameters affect each other. The default values are a period of 30 and a skew of 1.
|
|
|
|
It is highly recommended you do not change these unless you wish to set skew to 0.
|
|
|
|
|
2022-04-07 23:01:01 +00:00
|
|
|
These options affect security by changing the length of time a one-time password is valid for. The formula to calculate
|
|
|
|
the effective validity period is `period + (period * skew * 2)`. For example period 30 and skew 1 would result in 90
|
2021-12-01 12:11:29 +00:00
|
|
|
seconds of validity, and period 30 and skew 2 would result in 150 seconds of validity.
|
|
|
|
|
|
|
|
## System time accuracy
|
2021-09-17 04:44:35 +00:00
|
|
|
It's important to note that if the system time is not accurate enough then clients will seemingly not generate valid
|
|
|
|
passwords for TOTP. Conversely this is the same when the client time is not accurate enough. This is due to the Time-based
|
|
|
|
One Time Passwords being time-based.
|
|
|
|
|
|
|
|
Authelia by default checks the system time against an [NTP server](./ntp.md#address) on startup. This helps to prevent
|
|
|
|
a time synchronization issue on the server being an issue. There is however no effective and reliable way to check the
|
2021-12-01 12:11:29 +00:00
|
|
|
clients.
|
|
|
|
|
|
|
|
## Encryption
|
|
|
|
The TOTP secret is [encrypted](storage/index.md#encryption_key) in the database in version 4.33.0 and above. This is so
|
|
|
|
a user having access to only the database cannot easily compromise your two-factor authentication method.
|
|
|
|
|
|
|
|
This may be inconvenient for some users who wish to export TOTP keys from Authelia to other services. As such there is
|
|
|
|
a command specifically for exporting TOTP configurations from the database. These commands require the configuration or
|
|
|
|
at least a minimal configuration that has the storage backend connection details and the encryption key.
|
|
|
|
|
|
|
|
Export in [Key URI Format](https://github.com/google/google-authenticator/wiki/Key-Uri-Format):
|
|
|
|
|
|
|
|
```shell
|
|
|
|
$ authelia storage totp export --format uri
|
|
|
|
```
|
|
|
|
|
|
|
|
Export as CSV:
|
|
|
|
|
|
|
|
```shell
|
|
|
|
$ authelia storage totp export --format csv
|
|
|
|
```
|
|
|
|
|
|
|
|
Help:
|
|
|
|
|
|
|
|
```shell
|
|
|
|
$ authelia storage totp export --help
|
|
|
|
```
|
2022-04-07 23:01:01 +00:00
|
|
|
|
|
|
|
[RFC4226]: https://datatracker.ietf.org/doc/html/rfc4226
|
|
|
|
[RFC6238]: https://datatracker.ietf.org/doc/html/rfc6238
|