rchouinard / rych-otp

93%

Pull #9

travis-ci

Allow tokens to drift away from real time

Over a period of years, the clock in a physical OTP device drifts slowly away from the exact time because it has no way of syncing with the internet (!). We use Feitian c200 tokens. The manufacturer spec is +- 3 periods (of 30 sec each) _per year_. Most tokens are within that tolerance, but a good number fall outside that. We have about 1200 tokens in use at the moment.

To handle this, we need to store the current token offset in a database along with the token secret. The pull request allows us to pass that offset back in so that a token that has drifted well away from real time can still be used to authenticate. At authentication time, we calculate the current offset and use it to re-calibrate the token. So no matter how much the token drifts over time, if the user keeps using it regularly (every 6 months) they can still log in with it.

We also built a tool that allows users to resync their token: it sets the offset to zero, then accepts a very wide window (about 10 minutes either side) to calculate the initial offset. Once the offset is calculated and saved back to the database, the normal window size of 2 applies for all future logins.

14 of 14 new or added lines in 1 file covered. (100.0%)

161 of 174 relevant lines covered (92.53%)

54.55 hits per line