TOTP configuration synchronisation
The Veridium Authenticator provides out-of-the-box support for TOTP registration during Veridium Authenticator mobile application enrolment and can additionally adopt configuration synchronisation.
The configuration refers to the following parameters:
OTP validity
OTP code algorithm
OTP code length.
Until version 3.7, any change to a parameter involved in OTP code generation required re-enrollment of the TOTP authenticator, as with all other decoupled OTP implementations. Since the mobile application is directly connected to the VeridiumID server, which allows central management and policy enforcement, adding support for configuration synchronization provides hooks for seamless migration whenever the parameters are changed for security or convenience reasons.
For example, in a live environment where the OTP validity was set to 60 seconds, a user who needs an OTP for several authentications in a short time span must wait 60 seconds after each authentication for a new code to be generated. Using the synchronizable configuration, the OTP validity can be reduced to 30 seconds for a better user experience, without impacting active users or requiring re-enrollment.
Functional overview
The following were taken into consideration to provide the best experience and overview during the configuration change:
Allow the previous configuration (the one in effect during enrolment) to be used until all active authenticators are synchronized. TOTP allows a device to be used offline, which leaves it unaware of configuration changes; this also keeps backward compatibility with older application versions.
Provide insights regarding the new configuration adoption in statistics and reports.
Enforce a configuration migration deadline and reject authenticators that were not synchronized.
When the mobile device comes online, the TOTP authenticator's configuration is retrieved from the server and compared with the device's current active configuration. If any changes are detected, the mobile device reports to the server that the new configuration was acknowledged and will be used for OTP code generation. The VeridiumID server saves the date on which the device reported confirmation of the TOTP authenticator configuration.
The mobile device starts using the new configuration for OTP generation only after both fetching and reporting the new configuration have succeeded. This mechanism provides enough data to accomplish all the considerations mentioned above.
Implementation details
Continuous operation
To allow current enrollments to keep operating until the new configuration is enforced, TOTP authenticators continue to generate codes with the parameters they were enrolled with. For this to be possible, all existing TOTP authenticators must be updated with a post-deploy script that fills in their TOTP parameters.
Enforce authenticator configuration convergence
To allow administrators to enforce the new configuration on all authenticators, there must be a deadline by which the new parameters should be updated on all devices. This deadline is added to the TOTP method configuration. Before the deadline, TOTP authenticators are validated against the parameters saved for each of them, i.e. the parameters that were valid when they were enrolled. After the deadline, only the global configuration is considered valid, so authenticators that were not migrated generate invalid codes and their authentications fail.
Migration auditing
To provide visibility into the campaign's progress, the mobile devices report their acknowledgement of the configuration change. This translates into a server API call that updates the TOTP authenticator in the database with the new parameters and a "lastUpdateDate".
Extracting reports from this table makes it possible to check what percentage of active devices have updated their TOTP configuration.
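The following is an added example, not VeridiumID code, that models the three mechanisms above in one place: per-authenticator parameters used until the migration deadline, the global configuration enforced after it, the server-side acknowledgement call that stores the new parameters and lastUpdateDate, and a synchronisation percentage for reporting. Field names (TotpMethodConfig, TotpAuthenticator, migration_deadline), the use of Unix timestamps for dates and the one-step drift window are assumptions; the OTP generation itself follows RFC 6238 with HMAC-SHA-1/256/512.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

_HASHES = {"SHA-1": hashlib.sha1, "SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}


@dataclass
class TotpMethodConfig:
    """Global TOTP method configuration (assumed structure; times are Unix seconds)."""
    algorithm: str
    validity: int                 # OTP validity / time step in seconds
    length: int                   # OTP code length in digits
    migration_deadline: Optional[int] = None  # None means no deadline enforced yet


@dataclass
class TotpAuthenticator:
    """One enrolled TOTP authenticator with the parameters saved at enrolment (assumed structure)."""
    secret: bytes
    otp_algorithm: str
    otp_validity: int
    otp_length: int
    last_update_date: Optional[int] = None


def generate_totp(secret: bytes, algorithm: str, validity: int, length: int, now: int) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter with dynamic truncation."""
    counter = int(now) // validity
    digest = hmac.new(secret, struct.pack(">Q", counter), _HASHES[algorithm]).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** length)).zfill(length)


def effective_parameters(auth: TotpAuthenticator, cfg: TotpMethodConfig, now: int) -> Tuple[str, int, int]:
    """Before the deadline the enrolment-time parameters are valid; after it only the global ones."""
    if cfg.migration_deadline is not None and now >= cfg.migration_deadline:
        return cfg.algorithm, cfg.validity, cfg.length
    return auth.otp_algorithm, auth.otp_validity, auth.otp_length


def verify_code(auth: TotpAuthenticator, cfg: TotpMethodConfig, code: str, now: int, drift_steps: int = 1) -> bool:
    """Server-side check of a submitted code, tolerating a small clock drift."""
    algorithm, validity, length = effective_parameters(auth, cfg, now)
    if len(code) != length or not code.isdigit():
        return False
    for step in range(-drift_steps, drift_steps + 1):
        candidate = generate_totp(auth.secret, algorithm, validity, length, now + step * validity)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def acknowledge_configuration(auth: TotpAuthenticator, cfg: TotpMethodConfig, now: int) -> bool:
    """Server side of the device's acknowledgement API call: store the new parameters
    and the lastUpdateDate. Returns False when the authenticator already matched."""
    if (auth.otp_algorithm, auth.otp_validity, auth.otp_length) == (cfg.algorithm, cfg.validity, cfg.length):
        return False
    auth.otp_algorithm, auth.otp_validity, auth.otp_length = cfg.algorithm, cfg.validity, cfg.length
    auth.last_update_date = now
    return True


def synchronised_percentage(auths: List[TotpAuthenticator], cfg: TotpMethodConfig) -> float:
    """Migration-auditing figure: share of authenticators already on the global parameters."""
    if not auths:
        return 0.0
    synced = sum(
        1 for a in auths
        if (a.otp_algorithm, a.otp_validity, a.otp_length) == (cfg.algorithm, cfg.validity, cfg.length)
    )
    return 100.0 * synced / len(auths)


if __name__ == "__main__":
    # Constructed sample: global config moved to SHA-512/30s/6 digits, deadline at t=2,000,000;
    # one device is still on its enrolment-time SHA-1/60s/6 parameters.
    cfg = TotpMethodConfig("SHA-512", 30, 6, migration_deadline=2_000_000)
    auth = TotpAuthenticator(b"12345678901234567890", "SHA-1", 60, 6)
    now = 1_000_000
    print("before deadline, old params accepted:", verify_code(auth, cfg, generate_totp(auth.secret, "SHA-1", 60, 6, now), now))
    print("device acknowledged new config:", acknowledge_configuration(auth, cfg, now), "lastUpdateDate =", auth.last_update_date)
    print("synchronised:", synchronised_percentage([auth], cfg), "%")
```

The drift window is applied with whichever parameter set is in effect, so a device that never synchronised is rejected after the deadline even if its clock is perfect; the acknowledgement call is what moves it to the global parameters, and the percentage reported by synchronised_percentage is the figure the auditing section asks for.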
Migrating existing users
The update should be followed by a post-upgrade script that populates the newly added fields in the database (otp_algorithm, otp_validity and otp_length) with default values of the global configuration.
Post-upgrade script steps:
From the authentication_method table, read the configuration for TOTP and extract the algorithm, validity and length. If the table does not contain this entry, use the default values:
algorithm: SHA-512
validity: 30
length: 6
Iterate the entries in the totp table and update the algorithm, validity and length values using the values from step 1.
This script is only required for the upgrade to version 3.7; newly deployed environments populate these attributes during authenticator enrollment.
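An added example of the post-upgrade script, written against an in-memory SQLite database rather than the real VeridiumID schema: the column names in authentication_method (name, algorithm, validity, length) and the id/user_id/secret columns of totp are assumptions, as is the sample data; only the table names and the otp_algorithm, otp_validity and otp_length fields come from the steps above.

```python
import sqlite3

# Defaults from step 1, used when authentication_method has no TOTP entry.
DEFAULT_TOTP_CONFIG = {"algorithm": "SHA-512", "validity": 30, "length": 6}


def read_totp_method_config(conn: sqlite3.Connection) -> dict:
    """Step 1: read the global TOTP configuration, falling back to the defaults."""
    row = conn.execute(
        "SELECT algorithm, validity, length FROM authentication_method WHERE name = 'TOTP'"
    ).fetchone()
    if row is None:
        return dict(DEFAULT_TOTP_CONFIG)
    return {"algorithm": row[0], "validity": int(row[1]), "length": int(row[2])}


def migrate_totp_authenticators(conn: sqlite3.Connection) -> int:
    """Step 2: fill the new per-authenticator columns from the global configuration.
    Only rows whose new columns are still NULL are touched, so the script can be
    re-run safely (on the first run after the upgrade that is every existing row)."""
    cfg = read_totp_method_config(conn)
    cur = conn.execute(
        "UPDATE totp SET otp_algorithm = ?, otp_validity = ?, otp_length = ? "
        "WHERE otp_algorithm IS NULL OR otp_validity IS NULL OR otp_length IS NULL",
        (cfg["algorithm"], cfg["validity"], cfg["length"]),
    )
    conn.commit()
    return cur.rowcount


def build_sample_db(with_totp_method: bool) -> sqlite3.Connection:
    """Constructed pre-3.7 database with three enrolled authenticators; the three
    new columns are added as the upgrade would, leaving existing rows NULL."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE authentication_method (
            name TEXT PRIMARY KEY, algorithm TEXT, validity INTEGER, length INTEGER);
        CREATE TABLE totp (id INTEGER PRIMARY KEY, user_id TEXT, secret TEXT);
        INSERT INTO totp (user_id, secret) VALUES
            ('alice', 'SEED-A'), ('bob', 'SEED-B'), ('carol', 'SEED-C');
        ALTER TABLE totp ADD COLUMN otp_algorithm TEXT;
        ALTER TABLE totp ADD COLUMN otp_validity INTEGER;
        ALTER TABLE totp ADD COLUMN otp_length INTEGER;
        """
    )
    if with_totp_method:
        conn.execute("INSERT INTO authentication_method VALUES ('TOTP', 'SHA-256', 60, 8)")
        conn.commit()
    return conn


if __name__ == "__main__":
    for has_entry in (False, True):
        conn = build_sample_db(has_entry)
        print("TOTP entry present:", has_entry, "-> config", read_totp_method_config(conn))
        print("rows updated:", migrate_totp_authenticators(conn),
              "distinct values:", conn.execute(
                  "SELECT DISTINCT otp_algorithm, otp_validity, otp_length FROM totp").fetchall())
```

Restricting the UPDATE to NULL rows matters in practice: authenticators enrolled after the upgrade already carry their own parameters, and a second run of the script must not overwrite them with the global values.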