Nfactor Auth (Native OTP): User is able to login with expired passcodes generated through Citrix SSO App
Article ID: CTX280759
Description
The user generates OTPs for passcode authentication with the Citrix SSO App.
Apart from the current OTP shown in the app, the user is also able to log in with the last 3 expired passcodes.
Resolution
The Native OTP token setting can be modified to customize how long a token remains valid.
Native OTP has a concept called leeway, which decides how long a token remains valid after it expires. Citrix ADC uses a leeway value of 3 by default.
This means a token remains valid until 3 new tokens have been generated after it, so each token stays valid for 90s (3*30s) after it expires.
If a token should not remain valid for 90 seconds, this can be changed with an nsapimgr knob:
nsapimgr_wr.sh -ys arg1=1 -ys call=ns_otp_set_leeway -cores=all
This sets the leeway to 1 (Note: it cannot currently be set to 0).
The value of arg1 specifies the leeway, in number of tokens.
1 means the OTP stays valid for 1*30s after token expiry,
2 means the OTP stays valid for 2*30s after token expiry, and so on.
The maximum value of arg1 is 10.
As per OTP design standards, and taking into consideration factors such as network latency and client/server time-sync issues, a leeway of at least 1 is required (which means the last expired passcode will still work).
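The leeway behaviour described above, as an added illustration that is not part of this article or of Citrix ADC's own code: a minimal RFC 6238 TOTP validator whose leeway parameter accepts the previous N 30-second windows, so with the default of 3 the last three expired passcodes still verify and with the knob set to 1 only the last one does. The seed, timestamp and function names are assumptions made for the demo.

```python
import hmac
import hashlib
import struct

STEP = 30  # TOTP time step in seconds, the 30s window the article refers to


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP for the 30-second window containing the Unix time `now`."""
    return hotp(secret, now // STEP)


def verify(secret: bytes, code: str, now: int, leeway: int) -> bool:
    """Accept the current window's code plus the codes of the previous `leeway` windows.

    leeway=3 mirrors the Citrix ADC default described in the article (last 3 expired
    passcodes still work); leeway=1 mirrors the nsapimgr knob value shown above.
    """
    current = now // STEP
    for back in range(leeway + 1):
        if hmac.compare_digest(hotp(secret, current - back), code):
            return True
    return False


def accepted_expired_codes(secret: bytes, now: int, leeway: int, probe: int = 10) -> int:
    """Count how many of the last `probe` already-expired codes the validator still accepts."""
    current = now // STEP
    return sum(verify(secret, hotp(secret, current - k), now, leeway)
               for k in range(1, probe + 1))


# Constructed demo values: not a real token seed, not a real login time.
SECRET = b"constructed-demo-seed"
NOW = 1_700_000_000

if __name__ == "__main__":
    print("current code accepted:", verify(SECRET, totp(SECRET, NOW), NOW, 1))
    for leeway in (3, 1):
        print(f"leeway={leeway}: expired codes still accepted =",
              accepted_expired_codes(SECRET, NOW, leeway))
```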
Problem Cause
This is as per design.