As we are integrating Thinktecture IdentityServer 3 with Microsoft ASP.NET Identity 2.1, we managed to configure and enable 2FA (Two Factor Authentication) for our clients. The problem is that the default implementation of MS uses TOTP and its valid time is 180 seconds by default. For some other applications it might be acceptable, but for us the maximum time those TOTP codes are valid is no more than 30 seconds. We could not find a way to configure this property for ASP.NET Identity. Can anyone help me out there to change its default value from 180 seconds down to 30 seconds?
1 Answer
Sadly, the RFC6238 implementation in ASP.NET Identity is internal and has a hardcoded timespan (L. 15). But having the source code of RFC6238 and of TotpSecurityStampBasedTokenProvider, it should be easy to implement your custom TOTP with a 30 sec. window.

Anyway, in RFC6238 section 6 there is a recommendation about validating backward and/or forward tokens because of a possible "out of sync" of the token generator in the case of an external app or server like, e.g., Google Authenticator.

This would mean the validator could perform a validation against the current time and then two further validations for each backward step (for a total of 3 validations). Upon successful validation, the validation server can record the detected clock drift for the token in terms of the number of time steps. When a new OTP is received after this step, the validator can validate the OTP with the current timestamp adjusted with the recorded number of time-step clock drifts for the token.

So a 30 sec. window turns into about 90 seconds of validation.
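To make the answer concrete, here is an added example (my own code, not ASP.NET Identity's internal RFC6238 class and not a TotpSecurityStampBasedTokenProvider replacement) of an RFC 6238 TOTP generator with a 30-second step, plus a validator that does exactly what section 6 describes: it checks the current step and two backward steps, records the detected clock drift per user, and applies that drift on the next validation. It is written in Python rather than C# so it can be run and checked offline; the secret is the well-known RFC 4226/6238 test-vector key, the user name is a hypothetical label, and the timestamps are constructed. It also rejects reuse of an already accepted code, which RFC 6238 recommends and which a 90-second acceptance window makes worth having.

```python
import hashlib
import hmac
import struct
import time

# Secret from the RFC 4226 / RFC 6238 test vectors (constructed input for the demo,
# never reuse a published key in a real deployment).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step (T = time // step)."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpValidator:
    """Validates TOTP codes with a backward/forward step window and per-user drift tracking.

    Defaults follow the RFC 6238 section 6 text quoted in the answer: the current step
    plus two backward steps, i.e. three validations for a 30 s step (about 90 s overall).
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 backward_steps: int = 2, forward_steps: int = 0) -> None:
        self.secret = secret
        self.step = step
        self.digits = digits
        self.backward_steps = backward_steps
        self.forward_steps = forward_steps
        self.drift = {}         # user -> recorded clock drift in time steps
        self.last_counter = {}  # user -> highest step counter already accepted (replay guard)

    def validate(self, user: str, code: str, unix_time: float = None) -> bool:
        if unix_time is None:
            unix_time = time.time()
        # Adjust the server's current step by the drift recorded for this token.
        base = int(unix_time) // self.step + self.drift.get(user, 0)
        for delta in range(-self.backward_steps, self.forward_steps + 1):
            counter = base + delta
            # Each step counter may be consumed once; a replayed code is rejected.
            if counter <= self.last_counter.get(user, -1):
                continue
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.drift[user] = self.drift.get(user, 0) + delta
                self.last_counter[user] = counter
                return True
        return False


def demo() -> dict:
    """Walks through drift recording and replay rejection; returns the outcomes for inspection."""
    v = TotpValidator(TEST_SECRET, step=30)
    # Hypothetical user whose authenticator clock runs 30 s behind the server.
    first = v.validate("alice", totp(TEST_SECRET, 1000), unix_time=1030)   # one step back
    second = v.validate("alice", totp(TEST_SECRET, 1060), unix_time=1090)  # drift applied
    replay = v.validate("alice", totp(TEST_SECRET, 1060), unix_time=1090)  # same code again
    future = v.validate("alice", totp(TEST_SECRET, 1200), unix_time=1090)  # outside window
    return {"first": first, "second": second, "replay": replay,
            "future": future, "drift": v.drift["alice"]}


if __name__ == "__main__":
    print(totp(TEST_SECRET, 59, step=30, digits=8))  # RFC 6238 vector: 94287082
    print(demo())
```

The `demo()` walk-through shows the two properties the answer relies on: a code generated one step in the past is accepted and the drift (-1 step) is remembered, so the next code from the same slow clock matches at delta 0; a replayed code and a code from outside the window are both rejected. The `totp` function can be checked against the RFC 6238 Appendix B vectors (with 8 digits, time 59 gives 94287082 and time 1111111109 gives 07081804), which confirms the counter and truncation logic before anything is built on top of it.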