---
layout: default
title: Time-based One-Time Password
parent: Configuration
nav_order: 16
---

# Time-based One-Time Password

Authelia uses time-based one-time passwords (TOTP) as the OTP method. You have
the option to tune the settings of the TOTP generation; a full example of the TOTP
configuration is shown below, followed by sections describing each option.

## Configuration

```yaml
totp:
  issuer: authelia.com
  period: 30
  skew: 1
```

## Options

### issuer
<div markdown="1">
type: string
{: .label .label-config .label-purple }
default: Authelia
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }
</div>

Applications generating one-time passwords usually display an issuer to
differentiate the applications registered by the user. Authelia allows
customisation of the issuer to differentiate the entry created by Authelia from others.
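The issuer is carried to the authenticator app inside the `otpauth://` Key URI (the de facto format encoded in the registration QR code), together with the period and digit count. The following is an added example, not Authelia's own registration code: it builds such a URI and parses it back, which also makes visible why a changed `period` requires re-registration, since the old value stays baked into the app's stored entry. The issuer `authelia.com`, the account `alice` and the secret are constructed sample values.

```python
import base64
from urllib.parse import quote, urlencode, urlparse, parse_qs, unquote

# Added example (not Authelia's code). Builds and parses the otpauth:// Key URI
# that an authenticator app scans at registration. The configured issuer appears
# both as the label prefix and as the "issuer" query parameter, which is what the
# app displays to tell this entry apart from entries created by other services.


def build_otpauth_uri(issuer: str, account: str, secret: bytes,
                      period: int = 30, digits: int = 6,
                      algorithm: str = "SHA1") -> str:
    """Return an otpauth://totp/ Key URI for one registration."""
    # Label is "issuer:account"; percent-encode it so ':' and '@' survive intact.
    label = quote(f"{issuer}:{account}", safe="")
    params = {
        # Key URI secrets are unpadded base32 of the raw key bytes.
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer,
        "period": period,      # the server's period is frozen into the app here
        "digits": digits,
        "algorithm": algorithm,
    }
    return f"otpauth://totp/{label}?{urlencode(params)}"


def parse_otpauth_uri(uri: str) -> dict:
    """Recover issuer, account and TOTP parameters from a Key URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP Key URI")
    label = unquote(parsed.path.lstrip("/"))
    issuer_prefix, _, account = label.partition(":")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        # The query parameter wins; the label prefix is the fallback.
        "issuer": query.get("issuer", issuer_prefix),
        "account": account,
        "period": int(query.get("period", 30)),
        "digits": int(query.get("digits", 6)),
        "algorithm": query.get("algorithm", "SHA1"),
        "secret": query["secret"],
    }


if __name__ == "__main__":
    # Constructed sample registration (the secret is the RFC 6238 test key).
    uri = build_otpauth_uri("authelia.com", "alice", b"12345678901234567890")
    print(uri)
    print(parse_otpauth_uri(uri))
```

Because the app stores the `period` it received at registration and never asks the server again, a server-side change of that option leaves every existing entry generating codes on the old schedule, which is exactly why the period section below says users must register their application again.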

## Period and Skew

The period and skew configuration parameters affect each other. The default values are
a period of 30 and a skew of 1. It is highly recommended you do not change these unless
you wish to set skew to 0.

The way you configure these affects security by changing the length of time a one-time
password is valid for. The formula to calculate the effective validity period is
`period + (period * skew * 2)`. For example, period 30 and skew 1 would result in 90
seconds of validity, and period 30 and skew 2 would result in 150 seconds of validity.
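To see where the `period + (period * skew * 2)` figure comes from, the following added example (not Authelia's own verifier) implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1 and a verifier that accepts any code within `skew` periods either side of the current one. It also serves the `period` and `skew` option descriptions that follow. The secret is the published RFC 6238 test key, used only so the output can be checked against the RFC's vectors; `acceptance_window` and `effective_validity` are helper names introduced here.

```python
import hashlib
import hmac
import struct

# Added example, not Authelia's implementation. HMAC-SHA1, 6 digits by default.
# RFC6238_SECRET is the shared test secret from RFC 6238 Appendix B.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken as Unix time // period."""
    return hotp(secret, at // period, digits)


def verify_totp(secret: bytes, code: str, at: int,
                period: int = 30, skew: int = 1, digits: int = 6) -> bool:
    """Accept `code` if it matches the current counter or any counter within
    +/- skew of it, i.e. 2 * skew + 1 candidate codes. Constant-time compares."""
    current = at // period
    for counter in range(max(current - skew, 0), current + skew + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


def effective_validity(period: int, skew: int) -> int:
    """Seconds a single code is accepted for; the formula from the text,
    equal to (2 * skew + 1) periods."""
    return period + (period * skew * 2)


def acceptance_window(counter: int, period: int, skew: int) -> tuple:
    """Server-time range [start, end) during which the code for `counter`
    is accepted: it is valid `skew` periods early and `skew` periods late."""
    return ((counter - skew) * period, (counter + skew + 1) * period)


if __name__ == "__main__":
    # The code of period 1 (seconds 30-59) is accepted from t=0 up to t=89
    # with skew 1, and from t=0 up to t=59 with skew 0.
    code = totp(RFC6238_SECRET, 45)
    for t in (0, 29, 59, 89, 90):
        print(t, verify_totp(RFC6238_SECRET, code, t, skew=1),
              verify_totp(RFC6238_SECRET, code, t, skew=0))
    print(acceptance_window(1, 30, 1), effective_validity(30, 1))
    print(acceptance_window(2, 30, 2), effective_validity(30, 2))
```

Raising `skew` widens the window symmetrically, which is why each increment adds two more acceptable codes. A production verifier also has to remember the last accepted counter per user and reject it on reuse, as RFC 6238 section 5.2 requires, since a wider window otherwise gives a captured code a longer replay life.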

### period
<div markdown="1">
type: integer
{: .label .label-config .label-purple }
default: 30
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }
</div>

Configures the period of time in seconds a one-time password is current for. It is important
to note that changing this value will require your users to register their application again.

It is recommended to keep this value set to 30; the minimum is 1.

### skew
<div markdown="1">
type: integer
{: .label .label-config .label-purple }
default: 1
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }
</div>

Configures the number of one-time passwords either side of the current one that are
considered valid; each time you increase this it makes two more one-time passwords valid.
For example, the default of 1 has a total of 3 one-time passwords valid, and a value of 2
has 5 one-time passwords valid.

It is recommended to keep this value set to 0 or 1; the minimum is 0.
|
2021-09-17 04:44:35 +00:00
|
|
|
|
|
|
|
## System time accuracy

It's important to note that if the system time is not accurate enough then clients will seemingly not generate valid
passwords for TOTP. Conversely, the same happens when the client time is not accurate enough. This is because
Time-based One-Time Passwords are, by definition, time-based.

Authelia by default checks the system time against an [NTP server](./ntp.md#address) on startup. This helps to prevent
a time synchronization issue on the server from causing failures. There is however no effective and reliable way to check the
clients' clocks.