Google authenticator token is working even after 30 seconds - google-authentication

I have configured Google Authenticator on Linux and my MFA is working fine, but as I understand it an MFA token should expire after 30 seconds; yet even after 30 seconds I am still able to use the token.
If I use the token, it is not reusable, but if I don't use it within my 30 seconds I am still able to use it some time later. Is this normal? I want my token to expire after 30 seconds whether I used it or not. Can somebody help me with this?

Although your time step might only be 30 s, the RFC specifies that the validating service should search for the OTP value backwards and forwards in time. This is recommended because of clock drift: https://www.rfc-editor.org/rfc/rfc6238#section-6
This is why most systems (including Google itself) allow one previous OTP, so while the code regenerates every 30 seconds, every OTP remains valid for 60 seconds.
You need to check your server-side settings.

You must set PeriodDiscrepancy to 0.
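To make the two answers concrete, here is an added example (my own code, not from the question's PAM module or any Google library) of the server-side check RFC 6238 describes: an HOTP/TOTP generator plus a validator with a configurable window of time steps and single-use enforcement. The `window` parameter is my own name; it plays the role of the discrepancy setting the second answer mentions, with `window=1` giving the 60-second lifetime described in the first answer and `window=0` restricting acceptance to the current 30-second step. The secret is the RFC 6238 reference test secret, used only so the output can be checked against the published vectors.

```python
import hmac
import hashlib
import struct

# RFC 6238 reference test secret (ASCII "12345678901234567890"): a constructed
# sample for the demo, never a key to deploy.
SECRET = b"12345678901234567890"
STEP = 30      # time step in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_at(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step)


class TotpValidator:
    """Server-side verification with a +/-window of time steps and replay protection.

    window=1 accepts the previous, current and next step (a code stays valid for
    60 seconds, as the answer describes); window=0 accepts only the current step.
    A step is consumed once a code from it is accepted, so the same code can
    never be replayed even inside the window.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_accepted = -1   # highest counter already consumed (replay guard)

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_accepted:
                continue                        # already used, or older than a used code
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted = counter    # burn this step so the code cannot be replayed
                return True
        return False


if __name__ == "__main__":
    code = totp_at(SECRET, 59)                 # generated during step 1 (t = 30..59)
    lenient = TotpValidator(SECRET, window=1)
    strict = TotpValidator(SECRET, window=0)
    print("window=1, used in the next step :", lenient.verify(code, 75))
    print("window=1, replayed afterwards   :", lenient.verify(code, 76))
    print("window=0, used in the next step :", strict.verify(code, 75))
```

With `window=1` a code generated at t=59 is still accepted at t=75 (the previous step is inside the window) but is refused on a second submission; with `window=0` the same code is refused at t=75 because only the current step is checked. Note that a code generated at the very end of a step expires sooner than one generated at its start, so "valid for 60 seconds" is an upper bound, not a guarantee.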

Related

How to disable login after multiple failed attempts in Flutter

I have built a Flutter app where the user is created on the web backend; in the app, users can only log in.
What I want to do is this: if the user makes multiple failed login attempts, say 3 times, I want login to be disabled for 5 minutes for that user.
Please help me with how to approach this and what the most suitable solution would be.
1.) Create a variable (global variable / provider) "failed attempts".
2.) On each failed attempt, increase the value by 1.
-> When the user types the correct password, reset the current count.
3.) When the user has failed 3 times -> save the current time in the preferences.
4.) Check it before attempting to log in again:
-> if the current time is less than 5 minutes after the saved time
-> show the popup "Sorry, you have to wait 5 minutes".
As nvoigt pointed out, you can/should store the variables in the backend, to increase security.
I would suggest using storage to store the DateTime of the last failed attempt after N failed attempts and checking whether the current time has passed X days or Y hours or Z minutes, and so on.
Note:
While I am suggesting using storage for this, it is only for your convenience in implementing it and getting going. It is not reliable, as the user can change the device's date and time settings or reset/clear the storage data.
If you are looking for a more secure approach with the same technique, use something like a Firebase DB and Internet time instead of local storage and device time.
What I want to do is this: if the user makes multiple failed login attempts, say 3 times, I want login to be disabled for 5 minutes for that user.
This logic must be placed in the backend. When you call the login method on the backend, the backend has to keep track of how many unsuccessful tries there were and then lock the account for a specified time. Make sure you send a specific error code to the frontend about the account being locked for that period, so the frontend can display it and notify the user that trying to log in is pointless.
There is no need to block the frontend from trying, though. A malicious attacker will work around your protection anyway, and a normal user may have reasons to try again (maybe with a different account).
You can use the Timer class (link) and set the needed delay on it. Disable the button on an incorrect login action and, after the time runs out, make it available again.
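The backend-side lockout that nvoigt's answer calls for, as an added example in Python (my own code, not from the question's app or any framework): the server counts failures per account, locks the account for 5 minutes after 3 failures, keeps using its own clock rather than anything the device reports, and returns a distinct error code with the remaining wait so the Flutter client can disable its button and show a message. The password checker and clock are injected; the sample user table and the error-code names are constructed for the demo.

```python
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 3            # threshold from the question
LOCKOUT_SECONDS = 5 * 60    # lockout period from the question

# Result codes the backend returns so the client can show the right message.
# The names are this example's own, not a Flutter or framework convention.
OK = "ok"
BAD_CREDENTIALS = "bad_credentials"
ACCOUNT_LOCKED = "account_locked"

# Constructed sample credential store for the demo (a real backend would
# verify against salted password hashes, never plaintext).
SAMPLE_USERS = {"alice": "correct-horse-battery-staple"}


def sample_check_password(username: str, password: str) -> bool:
    expected = SAMPLE_USERS.get(username, "")
    return hmac.compare_digest(password.encode(), expected.encode())


@dataclass
class LoginState:
    failures: int = 0
    locked_until: float = 0.0   # server clock, never the device clock


class LoginGuard:
    """Per-account failure counting and temporary lockout, kept on the server.

    `check_password` is injected so the guard is independent of the password
    store; `clock` is injected so tests can drive time without sleeping.
    """

    def __init__(self, check_password, clock=time.time):
        self._check = check_password
        self._clock = clock
        self._state = {}   # username -> LoginState (use a shared store in a real deployment)

    def login(self, username: str, password: str):
        """Returns (code, seconds): seconds to wait when locked, attempts left when wrong."""
        st = self._state.setdefault(username, LoginState())
        now = self._clock()
        if now < st.locked_until:
            # The client may disable its button, but the server refuses regardless
            # of what the client does, which is what makes the lockout enforceable.
            return ACCOUNT_LOCKED, int(st.locked_until - now)
        if self._check(username, password):
            st.failures = 0          # a successful login resets the counter
            return OK, 0
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.failures = 0
            st.locked_until = now + LOCKOUT_SECONDS
            return ACCOUNT_LOCKED, LOCKOUT_SECONDS
        return BAD_CREDENTIALS, MAX_FAILURES - st.failures


if __name__ == "__main__":
    guard = LoginGuard(sample_check_password)
    for attempt in ("wrong", "wrong", "wrong", "correct-horse-battery-staple"):
        print(attempt, "->", guard.login("alice", attempt))
```

The fourth call shows the important property: even the correct password is refused while the lock is active, and the client learns only the code and the remaining seconds. The state dictionary is a placeholder for whatever shared store the backend uses; with several backend instances the counter must live somewhere all of them can see.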

Are users delinked from an AoG action after a time period?

We have account linking turned on for our action.
I am looking to understand whether, if a user does not use the action for a period of time, say 30 days, they will be automatically delinked/deregistered from the action, forcing them to link again.
We issue a refresh token that does not expire, so there should be no expiry, at least on the side of our IdP.
No. Even when a user doesn't use the action for, say, 30 days, Google will not automatically undo the account linking for that user.

ADFS Certificate expiration notification job

I have over 20 applications using ADFS SSO authentication. Last year the token-signing certificate expired and I went through the whole "sky is falling" experience, chasing down third-party vendors to schedule the refreshing of the metadata files so the transition to the new cert would be as seamless as possible. I have already added calendar reminders 3+ months before the next expiration, but I would like to be a bit more prepared and have a job/script that runs and sends me an email when the certificate is 90+ days from expiration. Does anyone know of, or have, a script that could accomplish that? Also, is there a way I could do the same for the RPT signing certs? I currently have most if not all of them set to update automatically, but I would like the notification anyway if possible.
There are a few around, e.g. this one.
"This script will query AD FS certificates (via Get-AdfsCertificate) and Relying Party Trust certificates (via Get-AdfsRelyingPartyTrust) and check if the certificates expire within a user-defined threshold (or the default 30 days if not specified). It will then output details about expiring certificates and, optionally, send an alert email."

Watson Assistant API v2 & session expiration

We're building an app that uses the v2 API to interact with Watson Assistant. We're aware that the "state" of the conversation (among other things, the position in the dialog tree) is now kept on the service side, keyed by the session_id.
The problem: the session expires (after 5 to 60 minutes, depending on the pricing plan).
Is there a way to either resurrect an expired session or save the conversation state so that it can be restored?
We've tried saving and restoring the global and skill contexts, but they don't hold the conversation state.
Thanks for your help.
The current inactivity timeout period is plan-specific:
- Lite and Standard: 5 minutes
- Plus and Premium: 1 hour
In the coming days, you will be able to change that value for plus and premium up to 24 hours. Lite and Standard you will only be able to decrease to a lower value if you want to close sessions faster.
You can always save context at the application level but currently there is not a way under the V2 API to save where the user is in the dialog so that you can pass it back after exceeding the allowed session inactivity timeout period.
Complementing what #oscar.ny mentioned: it's also plan-specific, and you can potentially change the timeout by going to Settings -> Timeout limit field -> change the value and close; it saves automatically.
Something I've done in the past was to send an empty message when the 5-minute inactivity event fired. This event would call a function that hit the API's message method to send "Are you still here? I was talking about xyz", where xyz was the latest message sent to the user, in order to keep the session alive.
Ref:
change Timeout limit
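An added example (my own code, not from the Watson SDK or the questioner's app) of the application-side handling the two answers describe: a keeper that sends an empty keepalive message shortly before the plan's inactivity timeout, and, when the session has nevertheless expired, creates a new session and re-sends the context it saved; the dialog position itself is not recoverable through the v2 API, as the first answer states. The client here is a constructed stand-in: `create_session()` and `message()` mirror the shape of the v2 calls, and `SessionExpired` stands in for the error the real service returns on a timed-out session (in the real SDK that surfaces as an API exception with HTTP status 404, which is an assumption of this example rather than something the page states).

```python
import time


class SessionExpired(Exception):
    """Stands in for the error the service returns once a session has timed out."""


class FakeAssistant:
    """Constructed stand-in for the Assistant v2 client, enforcing a plan-style inactivity timeout."""

    def __init__(self, timeout_seconds, clock=time.time):
        self.timeout = timeout_seconds
        self.clock = clock
        self._last_seen = {}   # session_id -> time of last activity
        self._counter = 0
        self.sent = []         # (session_id, text) log, for inspection

    def create_session(self):
        self._counter += 1
        session_id = f"sess-{self._counter}"
        self._last_seen[session_id] = self.clock()
        return session_id

    def message(self, session_id, text, context=None):
        now = self.clock()
        last = self._last_seen.get(session_id)
        if last is None or now - last > self.timeout:
            self._last_seen.pop(session_id, None)
            raise SessionExpired(session_id)
        self._last_seen[session_id] = now
        self.sent.append((session_id, text))
        return {"context": context or {}, "output": {"text": [f"echo: {text}"]}}


class SessionKeeper:
    """Keeps a session warm and resurrects it when it has expired anyway.

    - tick(): called from a periodic timer; sends an empty keepalive message
      once the session has been idle for (timeout - margin) seconds.
    - send(): on SessionExpired, opens a new session and replays the saved
      context before re-sending the message.
    """

    def __init__(self, client, timeout_seconds, clock=time.time, margin=30):
        self.client = client
        self.clock = clock
        self.keepalive_after = timeout_seconds - margin
        self.session_id = client.create_session()
        self.last_activity = clock()
        self.context = {}          # application-level copy of the context
        self.resurrections = 0     # how often a new session had to be created

    def send(self, text):
        try:
            resp = self.client.message(self.session_id, text, self.context)
        except SessionExpired:
            self.session_id = self.client.create_session()
            self.resurrections += 1
            resp = self.client.message(self.session_id, text, self.context)
        self.context = resp.get("context", self.context)
        self.last_activity = self.clock()
        return resp

    def tick(self):
        """Return True when a keepalive was sent on this tick."""
        if self.clock() - self.last_activity >= self.keepalive_after:
            self.send("")   # empty message purely to reset the inactivity timer
            return True
        return False


if __name__ == "__main__":
    clock = [0.0]
    client = FakeAssistant(timeout_seconds=300, clock=lambda: clock[0])   # Lite/Standard: 5 min
    keeper = SessionKeeper(client, timeout_seconds=300, clock=lambda: clock[0])
    keeper.send("hello")
    clock[0] += 270
    print("keepalive sent:", keeper.tick())
    clock[0] += 400
    keeper.send("still there?")
    print("session:", keeper.session_id, "resurrections:", keeper.resurrections)
```

The keepalive keeps the service's timer from firing, but it is not free: every empty message counts as a request on the plan. The resurrection path is the fallback for when the app itself was asleep; after it, the user is back at the start of the dialog with only the context restored, which is exactly the limitation the question ran into.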

Correct workflow for presence subscription for day/night

In my app, I get the Lync presence of our employees through UCWA. It works fine, but I need to ping Lync with reportMyActivity every 3-4 minutes.
I don't need presence information at night when employees are not at work, so I stop calling reportMyActivity at the end of the working day and resume it at the beginning of the next. I then try to extend the presence subscription, and if I get a 404, I create a new presence subscription. But after those steps I get no presence updates.
Is it designed to work this way? How could I avoid calling reportMyActivity at night?
If you don't call reportMyActivity, your Application will be drained, because it is assumed to be inactive.
I think you only have two options then:
Keep calling reportMyActivity regularly at night too, and just stop extending the presence subscription. Very likely you'll have to manage access token expiration as well; the token is normally valid for 8 hours.
Let the Application shut down, and a complete new token acquisition, Application creation and presence subscription flow will start the next morning.
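An added example (my own code, not from UCWA or the questioner's app) of the first option in the answer: a scheduler that keeps calling reportMyActivity around the clock so the Application is not drained, renews the access token before its 8-hour validity ends, and only extends the presence subscription during working hours, re-creating it after the 404 on the first morning extend. The UCWA client is a constructed stand-in; the 3-minute heartbeat and 8-hour token lifetime come from the thread, while the subscription lifetime, the drain window, the office hours and the renewal margin are assumed values chosen for the demo.

```python
from datetime import datetime, timedelta

HEARTBEAT = timedelta(minutes=3)        # reportMyActivity cadence from the question
TOKEN_LIFETIME = timedelta(hours=8)     # access token validity from the answer
TOKEN_MARGIN = timedelta(minutes=5)     # renew this long before expiry: assumed value
SUB_LIFETIME = timedelta(minutes=30)    # presence subscription lifetime: assumed value
DRAIN_AFTER = timedelta(minutes=15)     # idle time after which the server drains the app: assumed
WORK_START, WORK_END = 8, 18            # office hours (Mon-Fri): assumed values


class NotFound(Exception):
    """Stands in for the 404 returned when a presence subscription no longer exists."""


class ApplicationDrained(Exception):
    """Stands in for the server having discarded an Application that stopped reporting activity."""


class FakeUcwa:
    """Constructed stand-in for the UCWA endpoints used in the question."""

    def __init__(self):
        self.token_expires = None
        self.sub_expires = None
        self.last_activity = None
        self.calls = []   # (operation, time) log, for inspection

    def acquire_token(self, now):
        self.calls.append(("acquireToken", now))
        self.token_expires = now + TOKEN_LIFETIME

    def report_my_activity(self, now):
        if self.last_activity is not None and now - self.last_activity > DRAIN_AFTER:
            raise ApplicationDrained(now)
        self.last_activity = now
        self.calls.append(("reportMyActivity", now))

    def create_presence_subscription(self, now):
        self.calls.append(("createSubscription", now))
        self.sub_expires = now + SUB_LIFETIME

    def extend_presence_subscription(self, now):
        if self.sub_expires is None or now > self.sub_expires:
            self.sub_expires = None
            raise NotFound(now)
        self.calls.append(("extendSubscription", now))
        self.sub_expires = now + SUB_LIFETIME


def in_working_hours(now):
    return now.weekday() < 5 and WORK_START <= now.hour < WORK_END


class PresenceKeeper:
    """Option 1 from the answer: heartbeat always, token renewal with a margin,
    subscription extension only in working hours, re-subscribe after a 404."""

    def __init__(self, client, now):
        self.client = client
        self.last_heartbeat = None
        client.acquire_token(now)
        client.create_presence_subscription(now)

    def tick(self, now):
        """Run once a minute; returns the actions taken so callers can log them."""
        actions = []
        if now >= self.client.token_expires - TOKEN_MARGIN:
            self.client.acquire_token(now)
            actions.append("token")
        if self.last_heartbeat is None or now - self.last_heartbeat >= HEARTBEAT:
            self.client.report_my_activity(now)     # never skipped, day or night
            self.last_heartbeat = now
            actions.append("heartbeat")
        if in_working_hours(now):
            try:
                self.client.extend_presence_subscription(now)
                actions.append("extend")
            except NotFound:                          # lapsed overnight: start a fresh one
                self.client.create_presence_subscription(now)
                actions.append("resubscribe")
        return actions


def simulate(start, hours):
    """Drive the keeper minute by minute and count the actions taken."""
    client = FakeUcwa()
    keeper = PresenceKeeper(client, start)
    counts = {}
    now = start
    while now <= start + timedelta(hours=hours):
        for action in keeper.tick(now):
            counts[action] = counts.get(action, 0) + 1
        now += timedelta(minutes=1)
    return counts


if __name__ == "__main__":
    print(simulate(datetime(2024, 1, 8, 17, 50), hours=15))   # Monday evening to Tuesday morning
```

Running the simulation from Monday 17:50 for 15 hours shows the heartbeat continuing every 3 minutes through the night, exactly one token renewal (shortly before the 8-hour mark), no subscription traffic between 18:00 and 08:00, and a single resubscribe at 08:00 followed by normal extends. Dropping the heartbeat branch instead makes the stand-in raise `ApplicationDrained`, which is the second option in the answer: the whole token, Application and subscription flow then has to be rebuilt in the morning.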