Password Safe On-Prem: TOTP 2FA

Question

Hi All,As per the KB articles from customer portal, It seems like time in appliance and has to match the time on clients (user mobile devices) for TOTP 2FA to work. How this will work when the users are in different time zones not matching with appliance time zone?

frank.colvin · Answer

TOTP (Time-based One-Time Password) relies on synchronized time between the client (user device) and the server (in this case, the BeyondTrust appliance). Here's how this works across different time zones:How TOTP Works Across Time ZonesTOTP doesn't rely on time zones, but rather on UTC time (Coordinated Universal Time). Here's the breakdown:TOTP uses Unix time (epoch time) — the number of seconds since January 1, 1970 UTC.Both the appliance and the client device generate codes based on the current UTC time and a shared secret.As long as both systems are accurately synced to UTC, the time zone difference doesn't matter.What Needs to Be True for TOTP to WorkBeyondTrust appliance must have accurate system time (preferably synced via NTP to a reliable time source).User mobile devices must also have accurate time — typically handled automatically by the OS syncing with internet time servers.Time zone settings on either side do not affect TOTP, as long as the underlying UTC time is correct.Troubleshooting TipsIf users report TOTP failures:Check if their device time is manually set or out of sync.Ensure the appliance is using NTP and has no drift.Consider allowing a small time window tolerance (e.g., ±30 seconds) in the TOTP configuration.

How TOTP Works Across Time Zones

What Needs to Be True for TOTP to Work

Troubleshooting Tips

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded