Authenticator desynchronization

Time-based authenticator applications

For time-based authenticator applications, the application settings define how often a new one-time password (OTP) is generated. This is the time step, which is the time unit for time-based authenticator applications.

Ideally, the OneSpan Authentication Server and authenticator clocks are perfectly synchronized (identical). In that case, the server would only need to consider the current time step, which corresponds to a single OTP value, and could reject all other OTP values.

In real situations, the OneSpan Authentication Server and authenticator clock times are not identical.

A time drift between the clock times impacts the validity of OTP values. OneSpan Authentication Server applies transparent time drift management to cope with small deviations and accepts more than one OTP as a valid password during a given period. This period is called the time synchronization window.

However, if the time drift between two successful authentications is too large and outside the time synchronization window, then OneSpan Authentication Server cannot automatically update the time synchronization.

Such a large time difference is rare, but can be caused by several factors, e.g.:

  • The system clock (GMT) set on the OneSpan Authentication Server instance is incorrect.
  • The authenticator has not been used for a very long time.
  • The authenticator has been stored under improper environmental conditions, e.g. extreme humidity, temperature, etc., before its first use.

Event-based authenticator applications

Ideally, the OneSpan Authentication Server and authenticator event counts are perfectly synchronized (identical). In that case, the server would only need to consider the current event value, which corresponds to a single OTP.

In real situations, the OneSpan Authentication Server and authenticator event counter values are likely to differ. OneSpan Authentication Server applies a transparent mechanism to synchronize the authenticator application's internal event value with the server's event value. The event synchronization window determines the maximum gap between those event values that can still be synchronized.

Such an event counter difference is rare, but can be caused by different factors, e.g.:

  • The user generated OTP values that were never validated by the OneSpan Authentication Server instance (each generation advances the authenticator's counter, but not the server's).
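
The windowed validation described in the time-based and event-based sections above, as an added illustration that is not OneSpan's code: a generic HMAC-based OTP (RFC 4226 style) stands in for the vendor algorithm, and the key, time step and window sizes are constructed values, not the product's defaults.

```python
import hmac
import hashlib
import struct

# Constructed demo values; OneSpan's algorithm, key handling and window sizes differ.
KEY = b"constructed-demo-secret"
TIME_STEP = 30      # seconds per time step
TIME_WINDOW = 2     # steps accepted either side of the expected step
EVENT_WINDOW = 10   # counter values the server will look ahead

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Generic HMAC-based OTP (RFC 4226 style) standing in for the vendor algorithm."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class TimeBasedRecord:
    """Server-side state for one time-based authenticator: the drift learned so far."""
    def __init__(self) -> None:
        self.drift_steps = 0  # authenticator step minus server step at last success

    def verify(self, otp: str, server_time: int) -> bool:
        expected = server_time // TIME_STEP + self.drift_steps
        for delta in range(-TIME_WINDOW, TIME_WINDOW + 1):
            if hmac.compare_digest(hotp(KEY, expected + delta), otp):
                self.drift_steps += delta  # transparent resync within the window
                return True
        return False  # drift outside the window: no automatic resync

class EventBasedRecord:
    """Server-side state for one event-based authenticator: last accepted counter."""
    def __init__(self) -> None:
        self.last_counter = 0

    def verify(self, otp: str) -> bool:
        # Only counters above the last accepted one are tried: older values are replays.
        for counter in range(self.last_counter + 1, self.last_counter + 1 + EVENT_WINDOW):
            if hmac.compare_digest(hotp(KEY, counter), otp):
                self.last_counter = counter  # skipped counters are consumed
                return True
        return False  # gap larger than the event window: no automatic resync

def authenticator_time_otp(authenticator_time: int) -> str:
    """What a time-based authenticator whose clock reads authenticator_time would show."""
    return hotp(KEY, authenticator_time // TIME_STEP)
```

A skipped counter or a few seconds of clock drift is absorbed silently, while anything beyond the window is rejected, which is the case the page says cannot be resolved automatically.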

Preventing desynchronization

  • To avoid excessive time drift, authenticator users should use their authenticators regularly.
  • Users should be advised to always store their authenticators under proper environmental conditions.
  • Event-based OTP values should not be generated arbitrarily without proper validation by the server.