TFA | Tweaks: Change Mail/Google Authenticator time limit
1. Change TFA Mail Authenticator Time Limit:
The TFA email authenticator time limit is 2 minutes by default. Some organisations have reported slow mail sending/receiving and want to extend this limit.
To modify this parameter, connect to the application database and run the query below (the first time the parameter is set). It sets the timeout to 5 minutes (300000 milliseconds).
INSERT INTO ADSTFAModeParams SELECT ADSTFAProviderModes.MODE_ID, 'MAIL_AUTH_TIMELIMIT', null, '300000' FROM ADSTFAProviderModes WHERE ADSTFAProviderModes.MODE_NAME = 'TFA_MAIL_AUTHENTICATOR';
To change the value again later, use the update query below, replacing <time_in_ms> with the required limit in milliseconds.
update ADSTFAModeParams set param_value='<time_in_ms>' where param_name='MAIL_AUTH_TIMELIMIT';
Restart the application for the changes to take effect.
2. Change TFA Google Authenticator Time Limit:
Google Authenticator uses a time slot of 30 seconds. During verification, the codes for the previous 5 and the next 5 time slots are also checked by default (the variance). This amounts to roughly ±2.5 minutes (5 x 30 s) and ensures that minute-level clock differences between the server machine and the client machine are tolerated. For companies that require strict adherence to the RFC standard for TOTP, this variance can be reduced to 1 or 2. Run the query below to set the variance, taking the expected clock skew into account.
INSERT INTO ADSTFAModeParams SELECT ADSTFAProviderModes.MODE_ID, 'TOTP_TIME_VARIANCE', null, '1' FROM ADSTFAProviderModes WHERE ADSTFAProviderModes.MODE_NAME = 'TFA_GOOGLE_AUTHENTICATOR';
To change the value again later, use the update query below, replacing n with the required variance.
update ADSTFAModeParams set param_value='n' where param_name='TOTP_TIME_VARIANCE';
Restart the application for the changes to take effect.
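The effect of the variance setting can be seen in the following added example, which is not the product's own code. It implements standard RFC 4226/6238 code generation and assumes the server checks the variance symmetrically, as described above; the function names, the test secret and the clock value are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time slot, as stated in the article


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code for a counter; TOTP uses counter = time // STEP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, now: int, variance: int) -> bool:
    """Accept a code matching any slot from `variance` before to `variance` after now."""
    current = now // STEP
    matched = False
    for slot in range(max(0, current - variance), current + variance + 1):
        # Constant-time compare; check every slot so timing does not reveal which matched.
        matched |= hmac.compare_digest(hotp(secret, slot), code)
    return matched


def valid_codes(variance: int) -> int:
    """Number of distinct slots whose code is accepted at any instant."""
    return 2 * variance + 1


def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    now = 6 * STEP + 5                # constructed clock: server is in slot 6
    stale = hotp(secret, 1)           # code from slot 1, five slots (150 s) old
    return {v: verify(secret, stale, now, v) for v in (5, 2, 1)}


if __name__ == "__main__":
    print(demo())                          # {5: True, 2: False, 1: False}
    print(valid_codes(5), valid_codes(1))  # 11 3
```

With the default variance of 5, eleven different codes are valid at any moment and a code that is 150 seconds old is still accepted; a variance of 1 cuts this to three codes, at the cost of requiring closer clock synchronisation between server and client.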