Validate TOTP Password Extended Operation Handler

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The Validate TOTP Password Extended Operation Handler can be used to validate a TOTP password (time-based one-time password as described in RFC 6238) for a specified user without actually authenticating as that user. Since no authentication (and therefore no password policy processing) is performed, this is primarily intended for obtaining additional assurance about the identity of an already-authenticated user.

Parent Component

The Validate TOTP Password Extended Operation Handler component inherits from the Extended Operation Handler.

Properties

The properties supported by this managed object are as follows:


Basic Properties:
  description
  enabled
  shared-secret-attribute-type
  time-interval-duration
  adjacent-intervals-to-check
  prevent-totp-reuse

Advanced Properties:
  None

Basic Properties

description

Description
A description for this Extended Operation Handler
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the Extended Operation Handler is enabled (that is, whether the extended operations handled by this Extended Operation Handler are allowed in the server).
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

shared-secret-attribute-type

Description
The name or OID of the attribute that will be used to hold the shared secret key used during TOTP processing. The key must be base32-encoded, but must not be obscured in any other way. It is strongly recommended that the specified attribute type be configured as a sensitive attribute in the server to prevent clients from being able to retrieve its value.
Default Value
ds-auth-totp-shared-secret
Allowed Values
The name or OID of an attribute type defined in the server schema.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

time-interval-duration

Description
The duration of the time interval used for TOTP processing. In order for clients to authenticate successfully, they must be configured to use the same time interval as the server.

The time interval should be large enough to allow a user to enter the generated one-time password within the interval, but small enough to minimize the length of time during which that one-time password could be re-used.

Most implementations use a default interval duration of 30 seconds, and deviating from that may limit the set of tools which may be used to generate one-time password values.

Default Value
30 seconds
Allowed Values
A duration. Lower limit is 1 second.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

adjacent-intervals-to-check

Description
The number of adjacent time intervals (both before and after the current time) that should be checked when validating a TOTP password. It is recommended that a small number of adjacent intervals be supported to allow for clients whose clocks may be slightly skewed from that of the server, and also for cases in which the time interval changes between the time the client sent the request and the time the server was able to process it. However, checking too many adjacent intervals can adversely impact performance, because the server may have to perform up to one more than twice the configured number of checks (one for the current interval, one for each adjacent interval before it, and one for each adjacent interval after it).
Default Value
2
Allowed Values
An integer value. Lower limit is 0.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

prevent-totp-reuse

Description
Indicates whether to prevent clients from re-using TOTP passwords. Because a TOTP password is valid for a period of time, it is possible that a malicious individual with the ability to observe the communication between the client and the server (or who is otherwise able to discover both a user's static password and TOTP password) could reuse that information to authenticate as that user before the TOTP password's window of validity has expired.
If set to true, the server will check the operational attribute in the user's entry that records the most recently used TOTP password when processing a validate TOTP password extended request, and will reject the request if the provided TOTP password matches that most recently used value. If the extended operation indicates that the TOTP password is valid, then the user's entry will be updated so that the TOTP password used will not be accepted for subsequent validate TOTP password attempts.
Note that setting this value to true will cause a write to the target user's entry for every successful validate TOTP password operation, and will prevent the validate TOTP password operation from being invoked more than once for the same user within the period specified by the time-interval-duration property. As such, some environments may not wish to prevent TOTP password reuse because the negative effects may outweigh the additional security benefit.
If this configuration setting is changed, you will probably also want to make the corresponding change to the prevent-totp-reuse property in the UNBOUNDID-TOTP SASL mechanism handler.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
If you change the TOTP reuse behavior in the validate TOTP extended operation handler, you will probably want to make the corresponding change to the prevent-totp-reuse property in the UNBOUNDID-TOTP SASL mechanism handler.


dsconfig Usage

To list the configured Extended Operation Handlers:

dsconfig list-extended-operation-handlers
     [--property {propertyName}] ...

To view the configuration for an existing Extended Operation Handler:

dsconfig get-extended-operation-handler-prop
     --handler-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Extended Operation Handler:

dsconfig set-extended-operation-handler-prop
     --handler-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Validate TOTP Password Extended Operation Handler:

dsconfig create-extended-operation-handler
     --handler-name {name}
     --type validate-totp-password
     --set enabled:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Extended Operation Handler:

dsconfig delete-extended-operation-handler
     --handler-name {name}