Zimbra Two Factor Authentication code (TOTP) does not appear to expire
Problem
The Two Factor Authentication code can still be used even after its expiration.
Solution
Modify the "zimbraTwoFactorTimeWindowOffset" attribute at the global level in Zimbra. This attribute determines the number of time windows to check on either side of the current one when validating a TOTP code (NOW-n through NOW+n); its default value is 1, and the length of each window is set separately by zimbraTwoFactorTimeWindowLength.
$ zmprov desc -a zimbraTwoFactorTimeWindowOffset
zimbraTwoFactorTimeWindowOffset
    Determines the number of windows to check when trying to validate a TOTP code (NOW-n through NOW+n). This number should typically be small, but a minimum value of 1 is usually necessary to account for network latency and clock drift. See also: zimbraTwoFactorTimeWindowLength and https://tools.ietf.org/html/rfc6238#section-5.2
    type : integer
    value :
    callback :
    immutable : false
    cardinality : single
    requiredIn :
    optionalIn : globalConfig
    flags :
    defaults : 1
    min : 1
    max :
    id : 1830
    requiresRestart :
    since : 8.7.0,9.0.0
    deprecatedSince :
However, network latency and clock drift between the server and the user's device may make it necessary to adjust this value.
To check the current value of this attribute run the following command:
$ zmprov -l gacf zimbraTwoFactorTimeWindowOffset
To change the value:
$ zmprov mcf zimbraTwoFactorTimeWindowOffset 1
Once this adjustment is made, a TOTP code is only accepted within one window on either side of the current one, so codes beyond that range are rejected and can no longer be used for authentication. Note that this attribute should typically have a small value, but a minimum of 1 is needed to account for network latency and clock drift. More information about this attribute can be found at https://tools.ietf.org/html/rfc6238#section-5.2.
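The following is an added example, not Zimbra's own code, showing what the window offset controls when an RFC 6238 TOTP code is validated: the server recomputes the code for every time step from NOW-n through NOW+n and accepts a match. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second steps, 6-digit codes) and uses the RFC's test-vector secret; the function and constant names are this example's own, as is the optional last-used-counter check that stops a code from being accepted twice inside the same window.

```python
"""Added example (not Zimbra code): RFC 6238 TOTP validation with a configurable
window offset, mirroring what zimbraTwoFactorTimeWindowOffset controls.
Assumptions: HMAC-SHA1, 30-second time step, 6-digit codes (RFC 6238 defaults)."""
import hashlib
import hmac
import struct

WINDOW_LENGTH = 30  # seconds per TOTP step (RFC 6238 default, assumed here)
DIGITS = 6

# RFC 6238 Appendix B test-vector secret (ASCII "12345678901234567890")
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to DIGITS decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: int, window_length: int = WINDOW_LENGTH) -> str:
    """TOTP is HOTP with the counter derived from the current time step."""
    return hotp(secret, now // window_length)


def verify_totp(secret: bytes, code: str, now: int, window_offset: int = 1,
                window_length: int = WINDOW_LENGTH, last_used_counter=None):
    """Return the time-step counter the code matched, or None if rejected.

    window_offset is the 'n' of zimbraTwoFactorTimeWindowOffset: every step
    from NOW-n through NOW+n is tried. A counter at or below
    last_used_counter is skipped so an already-consumed code cannot be
    replayed while it is still inside the accepted window (hypothetical
    defensive addition, not something the Zimbra attribute itself does)."""
    current = now // window_length
    for counter in range(current - window_offset, current + window_offset + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def acceptance_seconds(window_offset: int, window_length: int = WINDOW_LENGTH) -> int:
    """Total span during which one code is accepted: (2n + 1) windows."""
    return (2 * window_offset + 1) * window_length


if __name__ == "__main__":
    code = totp(SECRET, 59)               # RFC 6238 vector: time 59 -> step 1
    print("code at t=59:", code)
    print("accepted at t=89 (offset 1):", verify_totp(SECRET, code, 89, 1))
    print("accepted at t=90 (offset 1):", verify_totp(SECRET, code, 90, 1))
    print("accepted at t=90 (offset 2):", verify_totp(SECRET, code, 90, 2))
    print("seconds a code is accepted with offset 1:", acceptance_seconds(1))
```

With offset 1 a code stays valid for three 30-second windows (90 seconds); raising the offset widens that span by 60 seconds per step, which is why the attribute should stay small.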
Submitted by: Gopal Bhandari