auth_totp_skew
Configures the allowed time skew for TOTP authentication verification in NGINX.
Description
The auth_totp_skew directive sets the permissible time skew when validating Time-based One-Time Passwords (TOTP, RFC 6238). A TOTP code is derived from the current time step, so the client and the server must agree on which step it is; they can disagree because of clock drift on either side, or simply because a code is read near the end of a step and only reaches the server after the step has rolled over. Allowing a skew makes the server accept codes from the time steps immediately before and after the current one, instead of only the code for the current step.
The directive takes a single non-negative integer: the number of time steps (the interval set by auth_totp_step) on either side of the current step whose codes are still accepted. With auth_totp_step 1m and auth_totp_skew 1, the server accepts the code for the current minute as well as the codes for the previous and the next minute, a window of three minutes in total; auth_totp_skew 0 accepts only the current step. The purpose of the setting is to avoid authentication failures caused by small differences between the server and client clocks without making the acceptance window arbitrarily wide.
Choose the value deliberately. A larger skew tolerates clients whose clocks drift further (time zones play no part: TOTP is computed from Unix time, which is the same everywhere), but every additional step widens the window in which an intercepted or shoulder-surfed code remains valid and increases the number of codes that a single guess can match, from one to 2 x skew + 1. Keep the skew at 1 unless measured clock drift demands more, fix the clocks (NTP on the server, automatic time on the client) rather than widening the window, and rate-limit the protected location (for example with limit_req) so that the extra valid codes cannot be brute-forced.
Config Example
location /protected {
auth_totp_realm "Protected";
auth_totp_file /etc/nginx/totp.conf;
auth_totp_length 8;
auth_totp_reuse off;
auth_totp_skew 1;
auth_totp_step 1m;
auth_totp_cookie "totp-session";
auth_totp_expiry 1d;
}
A skew of zero may cause frequent authentication failures when the client's clock is not synchronized with the server's, since even a few seconds of drift near a step boundary produces a code for the wrong step.
Setting a very high skew (several time steps, i.e. several minutes with auth_totp_step 1m) lengthens the period in which an intercepted code can be replayed and raises the chance that a guessed code matches one of the accepted steps. Pair a small skew with auth_totp_reuse off, as in the example above, so that a code that has already authenticated is not accepted a second time inside the window.
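The following is an added example, not code from this page or from the NGINX module itself: a minimal RFC 4226/6238 verifier in Python that applies the skew the way the description above explains it (skew counted in time steps on either side of the current step) and refuses a counter that has already authenticated, which is the behaviour auth_totp_reuse off is meant to give. The secret is the RFC 6238 test-vector seed, the timestamps and client clock offsets are constructed for the demonstration, and the function names are this example's own. It shows concretely which client clock offsets a given skew tolerates with a 1-minute step, and why a replayed code fails on the second attempt.

```python
"""Added example: an RFC 4226/6238 TOTP verifier with a skew window counted
in time steps, as auth_totp_skew is described above.  Reference code for
illustration only; it is not the NGINX module's implementation."""
import hashlib
import hmac
import struct
from typing import List, Optional, Set


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                skew: int = 1, digits: int = 6,
                used: Optional[Set[int]] = None) -> Optional[int]:
    """Accept `code` if it matches any step in [T - skew, T + skew], where
    T = now // step (the window auth_totp_skew opens).  Returns the matching
    step counter, or None.  If `used` is given, a counter that has already
    authenticated is refused: a code intercepted and replayed inside the skew
    window therefore fails the second time (the point of auth_totp_reuse off)."""
    current = now // step
    for delta in range(-skew, skew + 1):
        counter = current + delta
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            if used is not None:
                if counter in used:
                    return None
                used.add(counter)
            return counter
    return None


def accepted_drifts(secret: bytes, now: int, step: int, skew: int,
                    drifts: List[int]) -> List[int]:
    """For each client clock offset in `drifts` (seconds relative to the
    server clock), generate the code such a client would display and return
    the offsets the server still accepts with the given skew."""
    return [d for d in drifts
            if verify_totp(secret, totp(secret, now + d, step), now, step, skew)
            is not None]


if __name__ == "__main__":
    # Constructed inputs for the demo: the RFC 6238 test-vector seed, and a
    # server time that sits 30 s into a 1-minute step (auth_totp_step 1m).
    SECRET = b"12345678901234567890"
    NOW = 1_000_000_050
    offsets = [-91, -90, -31, -30, 0, 29, 30, 89, 90]
    for skew in (0, 1, 2):
        print(f"skew={skew}: accepted offsets {accepted_drifts(SECRET, NOW, 60, skew, offsets)}")

    # Replay inside the window: accepted once, refused the second time.
    seen: Set[int] = set()
    code = totp(SECRET, NOW, 60)
    print("first use :", verify_totp(SECRET, code, NOW, 60, 1, 6, seen))
    print("replayed  :", verify_totp(SECRET, code, NOW + 20, 60, 1, 6, seen))
```

With the server 30 seconds into a minute step, skew 0 accepts only clients whose clocks are within that same minute, skew 1 extends acceptance to roughly plus or minus 90 seconds, and skew 2 to plus or minus 150 seconds; each extra step adds a full minute on both sides and one more code that a guess can hit. The reuse set is keyed on the step counter rather than on the code string, so the same code cannot be replayed by presenting it from a different offset within the window.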