Is there a way to disable the Authentication Managers rejection of passcode re-use? I understand the reasoning, someone has 60 seconds to use your sniffed passcode to gain access elsewhere, but on devices that require the token and a second authentication to get to the admin/enable console, it is an annoyance to have to sit there and wait for the next code to present itself. Are there alternatives? (We use AM behind a Cisco ACS server if that matters)
Hello,
No it is not possible to reuse a tokencode that has already been seen by the system, in any way.
Fixed passcodes can be reused but of course are not secure, and only good for testing, never good
for actual day-to-day use. A list of emergency fixed passcodes can be hammered in back-to-back, but that also
means an admin is flagging the token as lost, generating a list, and giving it to the end user. That is also
much more pain for the admin and user.
The best thing possible is, if these are software tokens, and if the target device type can do 30 second tokens,
then generate and distribute 30 second interval software tokens to the end user.
As Ed pointed out, several of our customers who have a similar situation to you, where they need to authenticate securely in rapid succession (administrators of 100s of network devices like switches often need to check dozens at a time) use 30-second tokens, and I believe you can order 30-second hardware tokens so ask your Sale contact if you prefer FOBs.
You do need to be stricter on how accurate your time is, on both the AM server and your software tokens, because the window (not Microsoft) for a successful authentication token is plus or minus one interval. So a 60 second token has a 3 minute window, the 'right' now minute, the previous minute and then next minute, will all be acceptable to the AM servers for authentication. This collapses to a 90 second window with 30 second tokens. When you authenticate with a tokencode that close to the plus or minus 1 interval but not in the plus or minus 1 interval, in the 2-3 interval range, AM will prompt you for a Next Token Code, NTC. Entering NTC often confuses new or less then adequately trained users and generates Help Desk Calls, so I personally do not recommend 30-second tokens for regular users.
In general, smart phones typically have very accurate time from their Cell towers, PCs have as accurate time as the PC is configured for, typically their NTP server (I've had cases where the PC time was off by exactly two years) and Hardware tokens are as accurate as their batch manufacturing dates, often very good to excellent but not perfect.
Thank you both for your response.
Hello,
No it is not possible to reuse a tokencode that has already been seen by the system, in any way.
Fixed passcodes can be reused but of course are not secure, and only good for testing, never good
for actual day-to-day use. A list of emergency fixed passcodes can be hammered in back-to-back, but that also
means an admin is flagging the token as lost, generating a list, and giving it to the end user. That is also
much more pain for the admin and user.
The best thing possible is, if these are software tokens, and if the target device type can do 30 second tokens,
then generate and distribute 30 second interval software tokens to the end user.