Time-based One-Time Passwords (TOTP)
ExpeDat and SyncDat have built-in support for Time-based One-Time Password (TOTP) Multifactor Authentication (MFA). This can be used with standard authenticator apps, including those from Microsoft and Google, to generate one-time codes for authenticating user sessions. See Tech Note 0039 for an overview of using TOTP with ExpeDat and SyncDat.
Multifactor Authentication is intended to verify that an authorized human operator is present. As such, some automation functions are not available when MFA is being used.
TOTP is enabled for a user by adding the TOTP option to that user's AuthFile record. The TOTP secret must be provided as a 16-character Base32 string. For example:
joey:3df7708aff91…71768b6eaa0:101:101:/home/joey:ReadOnly,RestrictHome,TOTP=R7EXAD4DPMK4M57Z
To use TOTP with SysAuth users, a Shadow Authentication record must be created for each user's secret.
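As an added illustration (not code from ExpeDat, SyncDat or servedat), the following shows what a 16-character Base32 secret like the one in the record above encodes and how a standard authenticator app derives a one-time code from it, plus a server-side check that tolerates one step of clock skew. It assumes the parameters Microsoft and Google authenticator apps use by default (RFC 6238: HMAC-SHA1, 30-second steps, 6 digits); whether servedat uses exactly these parameters is an assumption.

```python
import base64
import hashlib
import hmac
import struct
import time

# Assumed authenticator-app defaults (RFC 6238); not confirmed for servedat.
STEP_SECONDS = 30
DIGITS = 6


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def decode_secret(secret_b32: str) -> bytes:
    """Decode the Base32 secret as written in the AuthFile record.
    16 Base32 characters carry exactly 80 bits (10 bytes); padding is added
    only if a secret of another length is supplied."""
    s = secret_b32.strip().upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def totp_code(secret_b32: str, unix_time=None) -> str:
    """The code an authenticator app would display at the given Unix time."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(decode_secret(secret_b32), unix_time // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and up to `window` adjacent steps (clock skew).
    compare_digest keeps the comparison constant-time for each candidate."""
    key = decode_secret(secret_b32)
    step = unix_time // STEP_SECONDS
    return any(hmac.compare_digest(hotp(key, step + d), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # Secret taken from the AuthFile example above; prints the code for "now".
    print(totp_code("R7EXAD4DPMK4M57Z"))
```

The RFC 6238 test vector (ASCII secret "12345678901234567890", time 59) yields 287082 with six digits, which is a quick way to confirm an implementation before comparing it against a real app.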
Sessions
Clients will prompt for a TOTP code at the start of any TOTP-enabled session. Once a code has been validated, servedat creates a session that the client can use for further transactions without requiring new TOTP codes. The session persists until the client releases it, the user record is reloaded, or the server is restarted. Up to 8 sessions may be created per user; creating any more causes the oldest to be purged.
Sessions are specific to each server. Changing to a different server, including within a host group, will require starting a new TOTP session.
Errors
If a client attempts to access a TOTP-enabled user account without providing a TOTP code, or the provided TOTP code is invalid, the MTP_APP_CHALLENGE error ("A valid MFA token is required") is returned.
To prevent brute-force attacks on the TOTP code value, more than 10 failures within a one-minute period will lock the account for at least one minute:
User temporarily disabled due to excessive TOTP failures
If failures continue at a rate of more than 10 per minute, the lock is extended indefinitely. If a user account appears to be locked for more than 10 minutes, check the server log for signs of unauthorized activity or runaway automation. Reloading the AuthFile, reloading the server configuration, or restarting the server will reset the lock.
Limitations
Only clients that support TOTP can be used with TOTP-enabled accounts.
Passwords used with TOTP are limited to 63 UTF-8 bytes and must not contain semicolon characters.