What is Time Drift?

Devices that generate OTP codes using a time-based solution (e.g. a SafeID/Classic token) obtain the current time from an internal clock driven by the oscillations of a quartz crystal.  The crystal allows the device to keep relatively accurate time, but you can still expect the clock to drift by approximately one second every three days.  Over the space of a year this drift can vary, but the expected time drift would be in the order of a couple of minutes.

If you are using the clock of a PC or laptop that is not connected to a network, then the expected drift is more likely to be 6 minutes per year or more.  For networked computers this drift can be mitigated by ensuring that the computer's clock is synchronised either with internet time or with the time on the domain controller.

Time drift is not expected on mobile devices as they tend to have clocks synchronised with the mobile network carrier (and therefore should be expected to be within a few seconds of true time).

Time drift on the authentication server is also possible, but can be resolved by ensuring the server's clock is synchronised with an external, reliable time server.

If the times reported by the clocks on the client and on the server differ by more than the size of the time window (normally 30 or 60 seconds), then the OTP code generated by the client will not match the OTP code generated by the authentication server, and authentication may fail.

How do we check for time drift on hardware tokens?

When the OTP codes generated by a hardware token are not being accepted by the authentication server, it is possible to check the extent of any time drift using the following procedure:

  • Physical hardware TOTP tokens (such as the SafeID Classic token) are fully self-contained authentication devices with built-in batteries that power both the LCD display and the token's internal clock.

    When the tokens are used they produce a 6-digit OTP code based upon the seed data that the token was programmed with and the current time (as reported by the token's internal clock).

    Token seed files are sent separately from the tokens themselves, and can be requested online (see How to request token seed or secret file for details on how to request this file).

    Once you have both the physical token and the seed file you can test that the OTP codes generated by the device are correct using the following procedure:

    Testing the generated OTP codes

    In order to test the token we first need to extract the secret data for the token by searching the seed file for the record with a matching serial number:


    The seed may have been requested in a number of formats, but for the purposes of this test we need the seed base32 encoded (digits "2" to "7" and letters "A" to "Z").

    If you received the seed data in hex format (digits "0" to "9" and letters "A" to "F") then you can convert the seed to base32 using the following online tool:


    Once you have the base32 encoded secret, navigate to the following online TOTP generator and replace the displayed secret key with the base32 encoded secret key for the token you are testing:

    It is probable that your token uses 60 second windows ("Time Interval" in the above example), so ensure that the Token Period in the online generator is updated to match the time period for your token.

    The online generator will now display 6-digit OTP codes that update with the same frequency as your hardware token.  Turn on the token and check that the two codes match.

    Determining the extent of any time drift

    If the previous test produced codes that do not match, there are a few possible causes:

    • The token is not time based (TOTP) but event based (HOTP)
    • The seed extracted from your seed file belongs to a different token (double check that the serial number on the back of the token matches the extracted seed record)
    • The supplied token period is wrong (try the test again using both 30 and 60 second time periods)
    • The token is functional, but there is some time drift

    If time drift is involved we perform a different test to check the extent of time drift.

    First download and run the SafeID Diamond Programming Tool:


    This tool was primarily designed to program SafeID/Diamond tokens, but can also be used to test pre-programmed tokens for time drift.

    The app needs to be run on a Windows system, and should only be run on a system whose clock has been accurately set (we suggest you synchronise your clock with internet time, but if you can manually correct the clock to within a few seconds this will be fine).

    Click on the button, and at the prompt "Seed: (base32)" copy and paste the base32 encoded seed data for your token, then set the "Time Window" and "Display Time" to match the window size of your token (normally 60 seconds):

    After entering the seed data click on the button, and a new window titled "One-Time Password" should open:


    Using the horizontal scroll bar if necessary, view the list of OTP codes that are generated and compare them with the code shown on your hardware token; from the position of the matching code in the list you can determine the extent of time drift on the token.

    If there is only a small amount of time drift you should find that the code displayed on the token also appears in the list of OTP codes shown in this window.

What do we do if there is time drift?

There are two main solutions to resolve issues caused by time drift:

  1. Clocks that have drifted are adjusted to the correct time.
  2. The drift is identified (typically by asking for 2 or more consecutive OTP codes); once identified, the drift is stored and accounted for when the next authentication takes place.

When authentication apps are used to produce the OTP code (such as SafeID authenticator and MobileID authenticator), the clock is provided by the host device; when the app runs on a PC, tablet or laptop, the clock can normally be corrected by synchronising time with an internet-based time server.

  • Introduction

    On Windows-based PCs, laptops and tablets the time is normally obtained from a quartz crystal based clock that is maintained by a lithium ion battery on the motherboard of your computer.

    In general you can expect time drift of 2 or more seconds per day (compared to about 1 second every 3 days from a typical hardware token), but this can be greatly improved if the PC is automatically synchronised with an external source (either an internet time server or the clock on the local domain controller).

    Correcting the time on a Windows computer

    It is possible to identify the correct time (accurate to the second) by opening a web browser to an online time server (see examples below):


    Once you have accessed the external time source you can use it to check the accuracy of the clock on your local computer.

    Launch the Control Panel (press , type "control panel", then click ):


    From the Control Panel click on the icon:


    Select the "Date and Time" tab to display the date and time, then compare this time with the time shown by the external time server:


    Ideally the two times should be within a second or two of each other, but if there is significant drift you can correct the time either by using the button, or by selecting the "Internet Time" tab and synchronising with an internet time server (example below):

For hardware tokens (such as the SafeID range of TOTP tokens), the internal clock can only be corrected if the token is a programmable token, in which case it can be corrected using the following procedure:

  • Introduction

    As with pre-programmed hardware tokens, programmable tokens have an internal clock that relies on a quartz crystal to maintain time accuracy and is still subject to a degree of time drift over time; unlike pre-programmed hardware tokens, however, it is possible to correct the internal clock on a programmable hardware token.

    Preparation for correcting the clock on a programmable token

    Before you are able to correct the clock on a programmable token you will need to make the following preparations:

    • Install and run the SafeID Diamond programming app (available in Windows, Android and iOS versions).
    • If you are using the Windows-based programming app you will need to ensure that the clock on your PC is set as accurately as possible.

    • You will need to obtain the seed details that were originally used to program the token (as a security provision, the seed details must be supplied whenever the token clock is updated).

    Synchronising the token's clock

    Once the necessary preparations have been made, launch the SafeID Diamond Programming tool and select the option for token clock synchronisation.

    • If you are running the Windows version of the app, the option will be labelled "Sync Token Clock":


    • If you are running the Android or iOS versions of the app, the option will be labelled "Synchronise Token Clock":


    Once you have selected the synchronise token clock option you will need to manually enter the token details (seed/secret, time window settings etc.) prior to re-burning your token.

    Specific instructions for manual entry of the seed details and the steps necessary for burning the programmable tokens can be found in the following guide:


If you are not able to correct the clock on your device, then you need the server to account for your existing time drift; this can often be achieved by performing a time synchronisation between the server and the token.

Time synchronisation for pre-programmed hardware tokens will occur either during the registration process for the token (for example when registering a token with Azure), or through a separate process provided by the authentication server (where typically two consecutive OTP codes will be requested).
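The Python below is an added example, not code from SafeID or from the Diamond programming tool. It covers both the hardware token test above (generating the codes from a hex or base32 seed, and scanning the neighbouring time windows that the tool's code list lets you compare by eye) and the server-side synchronisation just described (learning the drift from two consecutive codes, storing it, and applying it on later authentications). It uses the RFC 6238 test seed rather than any real token secret, and the choice of HMAC-SHA1, 6 digits, a 60 second window, the scan limits, the one-window tolerance and the `TokenRecord` layout are all assumptions made for illustration.

```python
"""Added example (not SafeID/Deepnet code): TOTP generation from a seed,
measuring token clock drift against a trusted clock, and a server-side
record that learns the drift from two consecutive codes."""
import base64
import hashlib
import hmac
import struct

PERIOD = 60   # assumption: the 60 second window the page says is most common
DIGITS = 6


def hex_to_base32(hex_seed: str) -> str:
    """The same conversion the page's online hex-to-base32 tool performs."""
    raw = bytes.fromhex(hex_seed.replace(" ", ""))
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def totp_at_counter(b32_seed: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for one time-step counter."""
    s = b32_seed.strip().replace(" ", "").upper()
    secret = base64.b32decode(s + "=" * (-len(s) % 8))   # restore padding
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)


def totp(b32_seed: str, unix_time: int, period: int = PERIOD) -> str:
    """Code a correctly set token shows at unix_time."""
    return totp_at_counter(b32_seed, unix_time // period)


def measure_drift(b32_seed, observed_code, trusted_time, period=PERIOD, max_windows=20):
    """Find which window around the trusted clock produced the code on the token.
    Returns the offset in windows (negative = token clock behind), or None.
    Nearest windows are tried first so the smallest drift that explains the code wins."""
    base = trusted_time // period
    for k in sorted(range(-max_windows, max_windows + 1), key=abs):
        counter = base + k
        if counter < 0:
            continue
        if hmac.compare_digest(totp_at_counter(b32_seed, counter), observed_code):
            return k
    return None


class TokenRecord:
    """Server-side state for one registered token (constructed layout)."""
    def __init__(self, b32_seed, period=PERIOD):
        self.b32_seed = b32_seed
        self.period = period
        self.drift_windows = 0   # learned offset, applied on every verify
        self.last_counter = -1   # highest window already used; blocks replay


def resync(rec, code1, code2, server_time, max_windows=60):
    """Learn the drift from two consecutive codes: both must come from adjacent
    windows, which a single accidental 6-digit match would not satisfy."""
    base = server_time // rec.period
    for k in range(-max_windows, max_windows + 1):
        counter = base + k
        if counter < 0:
            continue
        if (hmac.compare_digest(totp_at_counter(rec.b32_seed, counter), code1)
                and hmac.compare_digest(totp_at_counter(rec.b32_seed, counter + 1), code2)):
            rec.drift_windows = k + 1   # the token is now in the second window
            return True
    return False


def verify(rec, code, server_time, tolerance=1):
    """Accept the code if it matches the token's expected window (server time
    shifted by the stored drift) within `tolerance` windows, refusing any
    window at or before one that has already been used."""
    base = server_time // rec.period + rec.drift_windows
    for counter in range(base - tolerance, base + tolerance + 1):
        if counter <= rec.last_counter:
            continue
        if hmac.compare_digest(totp_at_counter(rec.b32_seed, counter), code):
            rec.last_counter = counter
            return True
    return False


# RFC 6238 test seed ("12345678901234567890" in hex), not a real token secret.
EXAMPLE_SEED_HEX = "3132333435363738393031323334353637383930"
EXAMPLE_B32 = hex_to_base32(EXAMPLE_SEED_HEX)

if __name__ == "__main__":
    now = 600                                   # constructed server time
    token_shows = totp(EXAMPLE_B32, now - 3 * PERIOD)   # token 3 windows behind
    print("drift in windows:", measure_drift(EXAMPLE_B32, token_shows, now))
    rec = TokenRecord(EXAMPLE_B32)
    print("accepted before resync:", verify(rec, token_shows, now))
    print("resync:", resync(rec, totp(EXAMPLE_B32, now - 4 * PERIOD), token_shows, now))
    print("accepted after resync:", verify(rec, token_shows, now))
```

Running the script simulates a token whose clock is three windows behind the server: the first check fails, the two-code resync learns an offset of -3 windows, and the same code is then accepted. The replay guard (`last_counter`) means a code is accepted only once even inside the tolerance, which is what you want once the server is deliberately widening the window it accepts.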

Recommendations

Given that time drift occurs on hardware tokens regardless of use, we suggest registering your token with your authentication server within the first year of purchase.  The majority of the hardware tokens we supply are programmed with 60 second time windows, and most authentication servers can deal with a few time windows of drift prior to registration.  When registering older tokens with Azure we suggest manual registration rather than bulk registration.

If your OTP codes are produced by an app running on Windows, then ensure the clock on your computer is automatically synchronised with an external, reliable time server.
