Home
Contents
CLOSE
AuthLite Interactive Documentation
FEATURES: What can AuthLite Do? TOKEN TYPES: What "Factors" are supported? INSTALL: How and where to install AuthLite? CONFIGURE AuthLite for your needs CHOOSE USERS: Choose 2-factor Users ENFORCE 2-factor Logons ADMINISTER AuthLite Tokens LDAP logon support/enforcement VPN and RADIUS Configuration How to Log In Event Logging
CLOSE

For Outlook Anywhere 2010, several connections will be opened and closed throughout the user's session, and Outlook will keep using whatever credentials the user most recently entered. After the OTP replay window expires, Outlook's new connections will fail, and the user will see a pop-up dialog requesting new credentials.

So the length of your OTP replay window will effectively determine how long a user can use OA before needing to enter a new OTP and their password into the authentication pop-up. Set the window long enough so as not to be overly annoying, but short enough to mitigate the threat of an attacker recording and re-using the credentials later. For example 30 minutes (set as 1800 seconds) is a reasonable session length, but 8 hours would probably be irresponsibly long.

Outlook 2013 and newer seems to do a better job keeping existing connections alive. Best practice is to only force 2-factor authentication on the front end RPC/HTTP server, and configure Replay Behavior to allow 1-factor retry of stale 2-factor credentials, so the back end servers can re-use the entered credentials.