Description: lack of time synchronization on the Access Server or clients can prevent TOTP code verification.
This document explains the importance of accurate time for TOTP:
With correct and accurate time on both sides, the TOTP codes can be verified; otherwise, they cannot.
By default most recent client operating systems will have NTP clients configured and active, but it's possible that any of them could be behind firewalls which do not allow synchronization to occur. Mac OS comes preconfigured to use the NTP server at ntp://time.apple.com to keep the time accurate. Windows 10 and later are preconfigured to use ntp://time.windows.com for synchronization.
Our Access Server OS images for cloud and virtual machines are preconfigured to use systemd-timesyncd(8) which is preconfigured to use ntp://ntp.ubuntu.com for synchronization. This is probably also the case on any recent Ubuntu version. The timedatectl(1) utility can be used to check:
Things to check if your Access Server host does not have the system clock synchronized:
- The upstream firewall[s] allow it to send packets out to UDP port 123
- Also check that these NTP packets are not redirected to a non-functioning or non-synchronized NTP server
- The DNS resolution for ntp.ubuntu.com is working properly
dig +short ntp.ubuntu.com
- (In April 2022 I get four ipv4 host addresses all in 91.189.x.x and two ipv6 in 2001:67c:1560:8003::x)
- Check your own firewall to see that UDP port 123 is allowed out (which it is, if Access Server is allowed to maintain the firewall rules, and which we recommend)
On the clients, the things to check vary. For Mac OS, see Date and Time in System Preferences. For Windows, click on the clock and select "Change date and time settings"; then "Internet Time".
Client-side time synchronization issues might be difficult to resolve, of course. If a user is unable to correct their synchronization issues, they could check to see if their TOTP authenticator app supports a "push" mechanism. With "push" notifications, the client's own system time is irrelevant. But of course in all cases the server's system time must be accurate.
If you have additional questions please submit a Support ticket.