What is Time Drift?
OTP codes created using a time-based solution (e.g. a SafeID/Classic token) obtain the current time from an internal clock that updates based on the oscillations of a quartz crystal. The crystal lets the device keep relatively accurate time, but you can still expect the clock to drift by approximately one second every three days. Over the space of a year this drift can vary, but the expected time drift would be in the order of a couple of minutes.
...
If the clocks on the client and on the server differ by more than the size of the time window (normally 30 or 60 seconds), then the OTP code generated by the client will not match the OTP code generated by the authentication server, and authentication may fail.
How do we check for time drift on hardware tokens?
When the OTP code generated by a hardware token is failing to be accepted by the authentication server, it is possible to check the extent of any existing time drift using the following procedure:
See: Determining the extent of time drift on Pre-Programmed TOTP Tokens (How to test SafeID tokens for time drift)
What do we do if there is time drift?
There are two main solutions to resolve issues caused by time drift:
...
See: Checking and resolving time drift on a Windows computer
For hardware tokens (such as the SafeID range of TOTP tokens), the internal clock can only be corrected if the token is a programmable token, in which case it can be corrected using the following procedure:
...
Time synchronisation for pre-programmed hardware tokens occurs either during the registration process of the token (for example when registering a token with Azure), or through a separate process provided by the authentication server (where typically two consecutive OTP codes are requested).
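To make the two points above concrete (a code generated outside the server's time window fails, and a token's drift can be learned from two consecutive codes), here is an added example that is not part of the original article and is not SafeID's firmware or any authentication server's real implementation. It implements RFC 6238 TOTP with HMAC-SHA1 and 6 digits, simulates a hardware token whose clock has drifted, verifies codes with a tolerance of a few time windows, and resynchronises by finding the step offset at which two consecutive codes both match. The seed is the RFC 4226/6238 test-vector key, and the timestamps and drift values are constructed for the demo.

```python
"""Added example: TOTP drift tolerance and two-code resync (not the article's own code)."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector key, used here as a demo seed
STEP = 30                         # time window in seconds (tokens are commonly 30 or 60 s)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the number of whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step)


def token_code(secret: bytes, true_time: int, drift_seconds: int) -> str:
    """Simulate a hardware token whose internal clock is drift_seconds away from true time."""
    return totp(secret, true_time + drift_seconds)


def verify(secret: bytes, code: str, server_time: int, tolerance: int = 1,
           known_offset_steps: int = 0, step: int = STEP):
    """Server-side check: accept the code if it matches any window within
    +/- tolerance steps of the server clock, after applying the per-token
    offset learned at resync. Returns the matching step delta, or None."""
    base = server_time // step + known_offset_steps
    for delta in range(-tolerance, tolerance + 1):
        if hmac.compare_digest(hotp(secret, base + delta), code):
            return delta
    return None


def resync(secret: bytes, code1: str, code2: str, server_time: int,
           search_steps: int = 20, step: int = STEP):
    """Learn a token's drift from two consecutive OTP codes: find the step
    offset where code1 matches and the very next step's code matches code2.
    Demanding two codes makes an accidental single-code match far less likely.
    Returns the offset in steps (to store against the token), or None."""
    base = server_time // step
    for delta in range(-search_steps, search_steps + 1):
        if (hmac.compare_digest(hotp(secret, base + delta), code1)
                and hmac.compare_digest(hotp(secret, base + delta + 1), code2)):
            return delta
    return None


if __name__ == "__main__":
    now = 1_000_000_000          # constructed "true" server time
    drift = 150                  # constructed drift: 2.5 minutes fast, well past a 30 s window
    code = token_code(SECRET, now, drift)
    print("within +/-1 window?", verify(SECRET, code, now, tolerance=1))   # None: rejected
    # Resync: the user enters two consecutive codes, one window apart on the token.
    c1 = token_code(SECRET, now, drift)
    c2 = token_code(SECRET, now + STEP, drift)
    offset = resync(SECRET, c1, c2, now)
    print("learned offset (steps):", offset)                                # 5
    print("after resync:", verify(SECRET, code, now, known_offset_steps=offset))  # 0
```

Storing the learned offset against the token and widening the search window only during an explicit resync (not during ordinary logins) keeps the everyday acceptance window small while still recovering tokens that have drifted by minutes.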
Recommendations
Given that time drift occurs on hardware tokens regardless of use, we suggest registering your token with your authentication server within the first year of purchase. The majority of the hardware tokens we supply are programmed with 60 second time windows, and most authentication servers can deal with a few time windows of drift prior to registration. When registering older tokens with Azure we suggest manual registration rather than bulk registration.
If your OTP codes are produced by an app running on Windows, then ensure the clock on your computer is automatically synchronised with an external and reliable time server.
Related Articles
- How to test SafeID tokens for time drift
- How to Upload SafeID Hardware Token to Azure AD
- How to bulk activate SafeID hardware tokens in Azure AD / Entra ID
- How to Sync SafeID Tokens
- Online Time and Date Server
- Internet Time (GMT)
- How OTP codes are generated
- How OTP codes are used