What is Time Drift?

OTP codes created using a time-based solution (e.g. using a SafeID/Classic token) obtain the current time from an internal clock that keeps time based upon the oscillations of a quartz crystal.  The crystal allows the device to keep relatively accurate time, but you can still expect the clock to drift by approximately one second every three days.  Over the space of a year this drift can vary, but the expected time drift would be in the order of a couple of minutes.

If you are using the clock of a PC or laptop that is not connected to a network, then the expected drift is more likely to be 6 minutes per year or more.  For networked computers this drift can be mitigated by ensuring that the computer's clock is synchronised either with internet time, or with the time on the domain controller.

Time drift is not expected on mobile devices as they tend to have clocks synchronised with the mobile network carrier (and therefore should be expected to be within a few seconds of true time).

Time drift on the authentication server is also possible, but can be resolved by ensuring the server's clock is synchronised with an external, reliable time server.

If the clocks on the client and on the server differ by more than the size of the time window (normally 30 or 60 seconds), then the OTP code generated by the client will not match the OTP code generated by the authentication server, and authentication may fail.

How do we check for time drift on hardware tokens?

When the OTP code generated by a hardware token is failing to be accepted by the authentication server, it is possible to check the extent of any existing time drift using the following procedure;

  • When a token is not producing OTP codes that match those generated using an online TOTP generator (using the seed/secret and token period for your pre-programmed token), then it is possible that the built-in clock on the pre-programmed token has drifted from the actual time.

    Time drift on a pre-programmed token is to be expected, and token clocks will typically drift by approximately 1 minute every 6 months since purchase (the amount of drift can vary, but this is a good rule of thumb).

    How time drift affects tokens used for Azure AD

    If your token has less than 10 minutes of drift, then it is still likely that the token can be registered for use with authentication servers (such as those used by Microsoft for Entra and Office 365), provided you perform a manual activation of the token (see the "Activate Tokens" section of the following wiki guide);


    Once the token has been manually activated, and provided the token is used more than once every few months, any additional drift is likely to be accounted for (most servers follow the full RFC 6238 guidance, which caters for additional drift on hardware tokens after registration).

    Testing the Tokens using an online page

    One method we can use to check for time drift on our hardware tokens is to use an online TOTP generator to validate the OTP codes produced by our tokens.

    • When you purchase TOTP hardware tokens, they will arrive with seed data pre-programmed in to the token.

      Before tokens are used with MFA services (such as Microsoft Entra), you will need to obtain the seed data (procedure below);


      You will receive the seed data in a CSV file.  Search for the Secret Key that matches the serial number of the token you are testing (Azure example below);


      Once you have identified the secret key for your token, you will be ready to test the OTP codes that it produces using our OATH TOTP Token Generator.

      How to generate OTP codes using our online Oath TOTP Token Generator

      First navigate to https://support.deepnetsecurity.com/tools/otp/totp.asp

      • At "Secret Key", fill in the secret key (seed) data that matches the serial number of the token you are testing
      • At "Secret Encoding Format", select the format that matches the format in your CSV file (for azure this will be Base32) 
      • At "OTP Length", select "6 digits"
      • At "Hash Algorithm", select "SHA-1"
      • At "Time Interval", select either "30 seconds" or "60 seconds" (this will depend upon use - e.g. for Azure you will be using 60 second intervals, but if you are emulating an authentication app you will probably need this set to 30 seconds).


      When you have supplied all the details above, click the button, and OTP codes will start to be generated using the supplied seed data;


      If at this point the codes generated do not appear to match the codes generated on the token (the one with the matching serial number), then you should first check that the parameters supplied on this page match those in your seed data file.

      If after double checking the parameters the generated OTP code still does not match then you may want to check the physical token for time drift using our CHECK CLOCK DRIFT tool.

    Determining the extent of drift using the "Check Clock Drift" tool

    Whilst our online TOTP generator can be used to confirm whether time drift exists on a token, if drift is detected we still need to identify how much the clock on the token has drifted.

    Fortunately, we do have a tool that can be used for this task - the CHECK CLOCK DRIFT tool;

    The following procedure provides instruction on how to check the extent of time drift on a token;

    • To use the tool, navigate to https://support.deepnetsecurity.com/tools/otp/check-clock-drift.asp, supply the details for the token to be tested, then click the button;

      If there is no drift for the tested token you will see confirmation as per the following example;


      If drift is detected you will be notified of the number of time windows of drift that were detected for the tested token;


    Real World Example

    If there is a small amount of time drift you should find that the code displayed on the token is also listed in the list of OTP codes shown on this window.

    In this test we will identify the extent of drift on a SafeID Classic token with serial number "102601103200".

    • The following XML file was obtained for this token;


      <?xml version="1.0"?>
      <data>
        <header>
          <manufacturerCode>DN</manufacturerCode>
          <productCode>ST</productCode>
          <encrypt>NONE</encrypt>
          <encode>HEX</encode>
          <digits>6</digits>
          <timeWindow>60</timeWindow>
          <crypto>HmacSHA1</crypto>
        </header>
        <tokens>
          <token>
            <serial>102601103200</serial>
            <seed>7952F56EC78D37D6225490ED102665C0131D058E</seed>
          </token>
        </tokens>
      </data>


      After checking that the serial number on the back of our token matches the serial number in the source file, we find that the seed for this token was supplied in hex format with a value of "7952F56EC78D37D6225490ED102665C0131D058E".

      We now navigate to https://support.deepnetsecurity.com/tools/otp/check-clock-drift.asp, select the product "SafeID/Classic", select Secret Encode "HEX" and supply the current OTP code on our token;

      After clicking on the button we are then notified of any drift identified on that token.

What do we do if there is time drift?

There are two main solutions to resolve issues caused by time drift;

  1. Clocks that have drifted are adjusted to the correct time.
  2. The drift is identified (typically by asking for 2 or more consecutive OTP codes) and once identified the drift is stored and accounted for when the next authentication takes place.
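As an added example (not the Deepnet tools' own code), the following Python script implements the TOTP generation performed by the online generator above and the resynchronisation described in option 2: it searches a range of time windows for the offset at which two consecutive token codes match, as the Check Clock Drift tool reports, and then verifies later codes against that stored offset. The seed, clock values and function names are my own constructed assumptions; the seed is the RFC 4226 test key rather than a real token's.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo token matching the XML header on this page (HEX seed, HmacSHA1,
# 6 digits, 60 second window); the seed is the RFC 4226 test key, not a real token's.
SEED_HEX = "3132333435363738393031323334353637383930"
PERIOD = 60
DIGITS = 6

def decode_seed(value: str, encoding: str) -> bytes:
    """Decode the seed as it appears in the vendor file ("HEX" or "Base32")."""
    if encoding.upper() == "HEX":
        return bytes.fromhex(value)
    if encoding.upper() == "BASE32":
        return base64.b32decode(value.upper() + "=" * (-len(value) % 8))
    raise ValueError("unsupported seed encoding: " + encoding)

def totp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226) over a time-step counter, i.e. TOTP (RFC 6238) with SHA-1."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def find_drift(seed: bytes, codes: list, now: int, max_windows: int = 10):
    """Resync: return the offset (in time windows) at which the consecutive codes
    entered by the user all match, or None (wrong seed, or drift beyond the range)."""
    base = now // PERIOD
    for offset in range(max(-max_windows, -base), max_windows + 1):
        if all(totp(seed, base + offset + i) == c for i, c in enumerate(codes)):
            return offset
    return None

def verify(seed: bytes, code: str, now: int, stored_offset: int, tolerance: int = 1) -> bool:
    """Later logins: apply the stored offset, then allow +/- tolerance windows of new drift."""
    base = now // PERIOD + stored_offset
    return any(totp(seed, base + d) == code for d in range(-tolerance, tolerance + 1))

if __name__ == "__main__":
    seed = decode_seed(SEED_HEX, "HEX")
    server_now = 5 * PERIOD + 10          # constructed server clock, in seconds
    token_now = server_now - 3 * PERIOD   # token clock running three windows slow
    codes = [totp(seed, token_now // PERIOD + i) for i in range(2)]
    drift = find_drift(seed, codes, server_now)
    print("drift in time windows:", drift)  # -3
    print("next code accepted:", verify(seed, totp(seed, token_now // PERIOD + 2),
                                        server_now + 2 * PERIOD, drift))  # True
```

A negative drift means the token's clock is behind the server; a server that persists this offset per token is what lets a drifting token keep working after registration.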

When authentication apps are used to produce the OTP code (such as SafeID Authenticator and MobileID Authenticator), the clock is provided by the host device; when using an app on a PC, tablet or laptop, the clock can normally be corrected by synchronising time with an internet based time server.

  • Introduction

    On Windows based PCs, laptops and tablets the time is normally obtained from a quartz crystal based clock that is maintained by a lithium ion battery on the motherboard of your computer.

    In general you can expect time drift of 2 or more seconds per day (compared to about 1 second every 3 days from a typical hardware token), but this can be greatly improved if the PC is automatically synchronised with an external source (either an internet time server or the clock on the local domain controller).

    Correcting the time on a windows computer

    There are many possible solutions for identifying and correcting the clock on your local computer, but one of the simplest is to use the service provided by time.is.

    After opening a browser window to the TIME.IS web page you will be presented with a clear indication of any drift between your computer's clock and the remote time server;

    As can be seen in the above example, the test computer was less than 1 second out when compared with the remote time server.

    If significant time drift is detected, you would be advised to configure your computer to automatically update the clock using an external time server.

    You can correct the system clock on the PC using any of the following methods;

    • Launch the command prompt (press , type "cmd" then click )


      The command prompt window will now open;



      Issue the command "Time", then at the prompt "Enter the new time:" supply the time currently shown on the TIME.IS web page.

    • Launch the control panel (press , type "control panel" then click )


      From the control panel click on the icon


      To update the clock manually, select the "Date and Time" tab, then click on ;


      Alternatively, you can click on the tab, then synchronise with an external time server using the button (example below);

    • Launch the Settings window (by pressing ), then select "Time & language";

      The heading will now change to "Time & language", click on the section "Date & time";


      Ensure the "Set the time automatically" option is turned on;


      Once this option has been enabled you will be able to synchronise the PC's clock with the external time server by clicking on the "Sync now" button;


    After updating the system clock you can confirm the clock is now synchronised correctly by revisiting the TIME.IS web page and your computer clock should now be accurate to less than 1 second.

For hardware tokens (such as the SafeID range of TOTP tokens), the internal clock may only be corrected if the token is a programmable token, and can be corrected using the following procedure;

  • Checking and resolving time drift on a windows computer

    As with pre-programmed hardware tokens, programmable tokens have an internal clock that relies on a quartz crystal to maintain time accuracy and is still subject to a degree of drift over time; unlike pre-programmed hardware tokens, however, the internal clock on a programmable token can be corrected.

    First correct the system clock on the PC using one of the corrective measures described above under "Correcting the time on a windows computer";


    Synchronising the token's clock

    Once you have corrected any time drift on your PC you will be ready to correct the time drift on your programmable token.

    Launch the SafeID Diamond Programming tool, and ensure the option "Sync Token Clock" is selected;

    • If you are running the Windows version of the app, then the option will be labelled "Synchronise Token Clock";


    • If you are running the Android or iOS versions of the app, then the option will be labelled "Synchronise Token Clock";


    Once you have selected the synchronise token clock option you will need to manually enter the token details (seed/secret, time window settings etc.).

    After supplying the token's seed details you will now be ready to reburn the token (this is necessary in order to correct the clock on the token).

    Specific instructions for manual entry of the seed details and the steps necessary for burning the programmable tokens can be found in the following guide;


If you are not able to correct the clock on your device, then you need the server to account for your existing time drift, and this can often be achieved by performing a time synchronisation between the server and the token.

Time synchronisation for pre-programmed hardware tokens will occur either during the registration process of the token (for example when registering a token with azure), or using a separate process provided by the authentication server (where typically two consecutive OTP codes will be requested).

Recommendations

Given that time drift occurs on hardware tokens regardless of use, we suggest registering your token with your authentication server within the first year of purchase.  The majority of the hardware tokens we supply are programmed with 60 second time windows, and most authentication servers can deal with a few time windows of drift prior to registration.  When registering older tokens with Azure we suggest manual registration rather than bulk registration.

If your OTP codes are produced by an app running on Windows, then ensure the clock on your computer is automatically synchronised with an external and reliable time server.
