TFA | Tweaks: Change Mail/Google Authenticator time limit
1. Change TFA Mail Authenticator Time Limit:
The TFA email authenticator time limit is 2 minutes by default. Some organisations experience slow mail delivery and need a longer limit. Keep in mind that a longer limit also extends the window in which an intercepted or forwarded code remains usable, so increase it only as far as your mail latency requires.
To modify this parameter, connect to the application database and run the query below. It inserts the parameter row, so run it only the first time; if a MAIL_AUTH_TIMELIMIT row already exists, skip it and use the update query instead. This example sets the time limit to 5 minutes (300000 milliseconds):
INSERT INTO ADSTFAModeParams SELECT ADSTFAProviderModes.MODE_ID, 'MAIL_AUTH_TIMELIMIT', null, '300000' FROM ADSTFAProviderModes WHERE ADSTFAProviderModes.MODE_NAME = 'TFA_MAIL_AUTHENTICATOR';
To change it afterwards, use the update query below (the value is in milliseconds).
update ADSTFAModeParams set param_value='<time_in_ms>' where param_name='MAIL_AUTH_TIMELIMIT';
Restart ADSelfService Plus for the change to take effect.
2. Change TFA Google Authenticator Time Limit:
Google Authenticator generates TOTP codes in 30-second time steps. During verification, the 5 previous and the 5 next codes are also checked by default (the variance), so a code is accepted up to 2.5 minutes before or after the server's current step. This tolerates minute-level clock differences between the server and the client device. The trade-off is that 11 codes (2 × 5 + 1) are valid at any moment instead of 1, which gives an attacker who guesses codes proportionally more chances per attempt. RFC 6238 (TOTP) recommends allowing at most one step of delay, so organisations that require strict RFC compliance can reduce the variance to 1 or 2; make sure the server and client clocks are synchronised (for example via NTP) before doing so, or legitimate users will be rejected. Run the query below (the first time, since the row does not exist yet) to set the variance to 1:
INSERT INTO ADSTFAModeParams SELECT ADSTFAProviderModes.MODE_ID, 'TOTP_TIME_VARIANCE', null, '1' FROM ADSTFAProviderModes WHERE ADSTFAProviderModes.MODE_NAME = 'TFA_GOOGLE_AUTHENTICATOR';
To change it afterwards, use the update query below, where n is the number of steps accepted on each side of the current one.
update ADSTFAModeParams set param_value='n' where param_name='TOTP_TIME_VARIANCE';
Restart ADSelfService Plus for the change to take effect.
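To make concrete what TOTP_TIME_VARIANCE changes, here is an added example of an RFC 6238 TOTP verifier with a configurable step variance. It is not ADSelfService Plus code and does not touch the ADSTFAModeParams table; the function and parameter names are ours, and the demo uses the public RFC 6238 Appendix B test seed with a constructed scenario of a client clock running 2 minutes behind the server.

```python
"""Added example (not ADSelfService Plus code): RFC 6238 TOTP verification with a
step variance, to show what the TOTP_TIME_VARIANCE parameter controls."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # Google Authenticator time step
DIGITS = 6          # Google Authenticator code length


def totp_at_step(secret: bytes, step: int, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238) = HOTP (RFC 4226) over the time-step counter, HMAC-SHA1."""
    counter = struct.pack(">Q", step)                         # 8-byte big-endian counter
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def time_step(unix_time: int) -> int:
    """Map a Unix timestamp to its 30-second TOTP step."""
    return unix_time // STEP_SECONDS


def accepted_codes(secret: bytes, server_time: int, variance: int) -> list:
    """Codes the server would accept right now: one per step within +/- variance."""
    current = time_step(server_time)
    return [totp_at_step(secret, current + d) for d in range(-variance, variance + 1)]


def verify(secret: bytes, code: str, server_time: int, variance: int) -> bool:
    """Accept `code` if it matches any step within +/- `variance` of the server's step.

    variance=5 is the page's default (codes up to 2.5 minutes old or early pass);
    variance=1 is the strict RFC 6238 recommendation (one step of delay at most).
    """
    current = time_step(server_time)
    for delta in range(-variance, variance + 1):
        if hmac.compare_digest(totp_at_step(secret, current + delta), code):
            return True
    return False


if __name__ == "__main__":
    # Constructed scenario: RFC 6238 Appendix B seed, client clock 2 minutes behind.
    seed = b"12345678901234567890"
    server_time = 1111111111 + 120
    client_code = totp_at_step(seed, time_step(1111111111))   # what the phone shows
    for variance in (1, 2, 5):
        print(f"variance={variance}: {len(accepted_codes(seed, server_time, variance))} "
              f"codes valid now, skewed client accepted={verify(seed, client_code, server_time, variance)}")
```

With the default variance of 5 the skewed client is accepted, but 11 codes are valid at once; with variance 1 only 3 codes are valid and the same client is rejected, which is why clock synchronisation should be confirmed before tightening the window.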