Home
Contents
CLOSE
AuthLite Interactive Documentation
FEATURES: What can AuthLite Do? TOKEN TYPES: What "Factors" are supported? INSTALL: How and where to install AuthLite? CONFIGURE AuthLite for your needs CHOOSE USERS: Choose 2-factor Users ENFORCE 2-factor Logons ADMINISTER AuthLite Tokens LDAP logon support/enforcement VPN and RADIUS Configuration How to Log In Event Logging
CLOSE

The window mechanism only allows a limited replay on a user's most recently entered OTP. So no matter what the size of your replay window you need not be concerned about previously-entered OTPs being used again maliciously. Only the freshest, most recently entered OTP is allowed to authenticate repeatedly during the window, and as soon as the user enters a new OTP any time remaining on the old window is canceled.

A short replay window such as 10-20 seconds does not notably diminish the security of an OTP system against most types of attacks. However if an adversary can launch immediate parallel sessions from your machine or in some automated, instantaneous fashion, then any replay window at all can allow impersonation. If you are not using any multiple-authentication protocols with AuthLite you can run without any replay windows configured, disabling this behavior completely.

A longer replay window such as is needed for Outlook Anywhere on Exchange 2010, or HTTP Basic authentication, decreases some of the benefits of a one-time passcode system. An attacker who is able to capture the user's OTP and password would have the ability to use these credentials during the replay window, and impersonate the user. A long window gives an adversary more leisure to perform an impersonation attack, and requires less sophistication. The dual credentials are still far more secure than a plain one-factor password, and the vulnerability is still time limited, but this is not as secure as using a small (or no) replay window.