keycloak-scim/docs/documentation/server_admin/topics/authentication/otp-policies.adoc


=== One Time Password (OTP) policies

{project_name} has several policies for setting up a FreeOTP or Google Authenticator One-Time Password generator.

.Procedure

. Click *Authentication* in the menu.
. Click the *Policy* tab.
. Click the *OTP Policy* tab.

.Otp Policy
image:images/otp-policy.png[OTP Policy]

{project_name} generates a QR code on the OTP set-up page, based on information configured in the *OTP Policy* tab. FreeOTP and Google Authenticator scan the QR code when configuring OTP.

==== Time-based or counter-based one time passwords

The algorithms available in {project_name} for your OTP generators are time-based and counter-based.

With Time-Based One Time Passwords (TOTP), the token generator will hash the current time and a shared secret.  The server validates the OTP by comparing the hashes within a window of time to the submitted value.  TOTPs are valid for a short window of time.

With Counter-Based One Time Passwords (HOTP), {project_name} uses a shared counter rather than the current time. The {project_name} server increments the counter with each successful OTP login. Valid OTPs change after a successful login. 

TOTP is more secure than HOTP because the matchable OTP is valid for a short window of time, while the OTP for HOTP is valid for an indeterminate amount of time. HOTP is more user-friendly than TOTP because no time limit exists to enter the OTP.

HOTP requires a database update every time the server increments the counter. This update is a performance drain on the authentication server during heavy load. To increase efficiency,  TOTP does not remember passwords used, so there is no need to perform database updates. The drawback is that it is possible to re-use TOTPs in the valid time interval. 

==== TOTP configuration options

===== OTP hash algorithm

The default algorithm is SHA1. The other, more secure options are SHA256 and SHA512.

===== Number of digits

The length of the OTP.  Short OTP's are user-friendly, easier to type, and easier to remember. Longer OTP's are more secure than shorter OTP's.

===== Look around window

The number of intervals the server attempts to match the hash. This option is present in {project_name} if the clock of the TOTP generator or authentication server becomes out-of-sync. The default value of 1 is adequate. For example, if the time interval for a token is 30 seconds, the default value of 1 means it will accept valid tokens in the 90-second window (time interval 30 seconds + look ahead 30 seconds + look behind 30 seconds). Every increment of this value increases the valid window by 60 seconds (look ahead 30 seconds + look behind 30 seconds).

===== OTP token period

The time interval in seconds the server matches a hash. Each time the interval passes, the token generator generates a TOTP.

===== Reusable code

Determine whether OTP tokens can be reused in the authentication process or user needs to wait for the next token.
Users cannot reuse those tokens by default, and the administrator needs to explicitly specify that those tokens can be reused.

==== HOTP configuration options

===== OTP hash algorithm
  
The default algorithm is SHA1. The other, more secure options are SHA256 and SHA512.

===== Number of digits

The length of the OTP.  Short OTPs are user-friendly, easier to type, and easier to remember. Longer OTPs are more secure than shorter OTPs.

===== Look around window
The number of previous and following intervals the server attempts to match the hash. This option is present in {project_name} if the clock of the TOTP generator or authentication server become out-of-sync. The default value of 1 is adequate. This option is present in {project_name} to cover when the user's counter gets ahead of the server.

===== Initial counter

The value of the initial counter.
otp policy 2016-05-17 15:34:02 +00:00
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`=== One Time Password (OTP) policies`
otp policy 2016-05-17 15:34:02 +00:00
Addressing Server Admin review comments Closes #24643 Signed-off-by: AndyMunro <amunro@redhat.com> 2023-11-09 21:14:49 +00:00			`{project_name} has several policies for setting up a FreeOTP or Google Authenticator One-Time Password generator.`
otp policy 2016-05-17 15:34:02 +00:00
Addressing Server Admin review comments Closes #24643 Signed-off-by: AndyMunro <amunro@redhat.com> 2023-11-09 21:14:49 +00:00			`.Procedure`

			`. Click Authentication in the menu.`
			`. Click the Policy tab.`
			`. Click the OTP Policy tab.`

			`.Otp Policy`
Preparing Server Admin Guide for RHBK (#1690) Closes #1688 2022-10-05 18:43:15 +00:00			`image:images/otp-policy.png[OTP Policy]`
otp policy 2016-05-17 15:34:02 +00:00
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00			`{project_name} generates a QR code on the OTP set-up page, based on information configured in the OTP Policy tab. FreeOTP and Google Authenticator scan the QR code when configuring OTP.`
otp policy 2016-05-17 15:34:02 +00:00
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`==== Time-based or counter-based one time passwords`
otp policy 2016-05-17 15:34:02 +00:00
Minor OTP section name change 2021-02-11 20:19:40 +00:00			`The algorithms available in {project_name} for your OTP generators are time-based and counter-based.`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
Minor OTP section name change 2021-02-11 20:19:40 +00:00			`With Time-Based One Time Passwords (TOTP), the token generator will hash the current time and a shared secret. The server validates the OTP by comparing the hashes within a window of time to the submitted value. TOTPs are valid for a short window of time.`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
Minor OTP section name change 2021-02-11 20:19:40 +00:00			`With Counter-Based One Time Passwords (HOTP), {project_name} uses a shared counter rather than the current time. The {project_name} server increments the counter with each successful OTP login. Valid OTPs change after a successful login.`
otp policy 2016-05-17 15:34:02 +00:00
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00			`TOTP is more secure than HOTP because the matchable OTP is valid for a short window of time, while the OTP for HOTP is valid for an indeterminate amount of time. HOTP is more user-friendly than TOTP because no time limit exists to enter the OTP.`

			`HOTP requires a database update every time the server increments the counter. This update is a performance drain on the authentication server during heavy load. To increase efficiency, TOTP does not remember passwords used, so there is no need to perform database updates. The drawback is that it is possible to re-use TOTPs in the valid time interval.`
otp policy 2016-05-17 15:34:02 +00:00
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`==== TOTP configuration options`
otp policy 2016-05-17 15:34:02 +00:00
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`===== OTP hash algorithm`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
			`The default algorithm is SHA1. The other, more secure options are SHA256 and SHA512.`

admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`===== Number of digits`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
			`The length of the OTP. Short OTP's are user-friendly, easier to type, and easier to remember. Longer OTP's are more secure than shorter OTP's.`

KEYCLOAK-18880 change "look ahead window" to "look around window" (#1350) Closes #1349 2022-01-05 19:07:10 +00:00			`===== Look around window`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
KEYCLOAK-18880 change "look ahead window" to "look around window" (#1350) Closes #1349 2022-01-05 19:07:10 +00:00			The number of intervals the server attempts to match the hash. This option is present in {project_name} if the clock of the TOTP generator or authentication server becomes out-of-sync. The default value of 1 is adequate. For example, if the time interval for a token is 30 seconds, the default value of 1 means it will accept valid tokens in the 90-second window (time interval 30 seconds + look ahead 30 seconds + look behind 30 seconds). Every increment of this value increases the valid window by 60 seconds (look ahead 30 seconds + look behind 30 seconds).
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`===== OTP token period`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
			`The time interval in seconds the server matches a hash. Each time the interval passes, the token generator generates a TOTP.`
otp policy 2016-05-17 15:34:02 +00:00
Reuse of token in TOTP is possible 2022-08-19 16:47:07 +00:00			`===== Reusable code`

			`Determine whether OTP tokens can be reused in the authentication process or user needs to wait for the next token.`
			`Users cannot reuse those tokens by default, and the administrator needs to explicitly specify that those tokens can be reused.`

admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`==== HOTP configuration options`
otp policy 2016-05-17 15:34:02 +00:00
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`===== OTP hash algorithm`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
			`The default algorithm is SHA1. The other, more secure options are SHA256 and SHA512.`

admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`===== Number of digits`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
			`The length of the OTP. Short OTPs are user-friendly, easier to type, and easier to remember. Longer OTPs are more secure than shorter OTPs.`

Align naming of OTP policy window setting with actual semantics (#20469) (#21316) Closes #20469 2023-07-04 10:41:21 +00:00			`===== Look around window`
			`The number of previous and following intervals the server attempts to match the hash. This option is present in {project_name} if the clock of the TOTP generator or authentication server become out-of-sync. The default value of 1 is adequate. This option is present in {project_name} to cover when the user's counter gets ahead of the server.`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`===== Initial counter`
Keycloak 15698 (#47) * Rewords first 3 chapters * Rewrites flows module * Post kerberos rewording * x509 changes * Pre proof read * post visual review * post ccutil changes * Removing apostrophies * Post feedback changes * Post feedback rewording changes * Another minor change 2021-02-10 20:25:14 +00:00
			`The value of the initial counter.`