auth_totp_start

The `auth_totp_start` directive sets the start time (T0 in RFC 6238) from which the Time-based One-Time Password (TOTP) algorithm counts time steps in NGINX.

Syntax: auth_totp_start time;
Default: none
Context: http, server, location, limit_except
Arguments: 1

Description

The auth_totp_start directive specifies T0, the reference time in seconds since the Unix epoch from which the TOTP algorithm counts time steps. A TOTP code is an HOTP (RFC 4226) value computed over the counter T = floor((now - T0) / X), where X is the step length set by auth_totp_step. T0 therefore shifts every counter value: when a user authenticates, NGINX derives the counter from the current server time, this start time and the configured step, and the submitted code is only accepted if the side that generated it used the same T0, the same step, the same code length and the same shared secret.

In practice, a T0 that differs between NGINX and the client's token generator means the two sides compute different counters and therefore different codes, and every login fails. Standard authenticator apps hard-code T0 = 0 (the RFC 6238 default) and a 30-second step, so change auth_totp_start only when the software that generates the user's codes is configured with the same non-zero value; otherwise valid tokens are rejected as if they had expired. Together with auth_totp_step and auth_totp_skew this directive fixes the window in which a code is accepted: auth_totp_skew widens that window by whole steps on either side of the current counter, so keep it small. A start time far in the past does not make codes repeat; the counter keeps increasing as long as T0 lies before the current time, and reuse of an already-accepted code within a step is a separate concern governed by auth_totp_reuse. A start time later than the current time is not meaningful, because the counter would be negative until that moment passes.
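To make the arithmetic concrete, the following Python model of the directive's effect is an added example written for this page, not code from the NGINX module. It implements RFC 6238 TOTP with an explicit T0 and step, checks itself against the RFC's SHA-1 test vectors, and shows that a standard authenticator app (T0 = 0) and a server configured like the example below (`auth_totp_start 1633046400; auth_totp_step 1m; auth_totp_length 8; auth_totp_skew 1`) derive different counters and so never agree on a code. The function names, the use of the RFC test key as the shared secret, and the modelling of auth_totp_skew as a window of plus or minus N whole steps are assumptions of the example.

```python
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 6238 Appendix B test key, not a real credential.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_counter(now: int, t0: int = 0, step: int = 30) -> int:
    """RFC 6238 time counter T = floor((now - T0) / X).
    T0 is what auth_totp_start sets; X is what auth_totp_step sets."""
    return (now - t0) // step


def totp(secret: bytes, now: int, t0: int = 0, step: int = 30, digits: int = 6) -> str:
    """The code a generator produces at time `now` under a given T0 / step / length."""
    return hotp(secret, totp_counter(now, t0, step), digits)


def verify(secret: bytes, code: str, now: int, t0: int = 0, step: int = 30,
           digits: int = 6, skew: int = 0) -> bool:
    """Accept `code` if it matches any counter within +/- `skew` steps of the current one
    (assumed model of auth_totp_skew). Each candidate is compared in constant time;
    negative counters (T0 in the future) are never valid."""
    base = totp_counter(now, t0, step)
    candidates = (base + d for d in range(-skew, skew + 1) if base + d >= 0)
    return any(hmac.compare_digest(hotp(secret, c, digits), code) for c in candidates)


def client_server_mismatch(now: int, server_t0: int, step: int, digits: int, skew: int) -> bool:
    """Model a standard authenticator app (T0 = 0) against a server whose auth_totp_start
    is `server_t0`. Returns True when the server rejects the app's current code."""
    client_code = totp(SECRET, now, t0=0, step=step, digits=digits)
    return not verify(SECRET, client_code, now, t0=server_t0, step=step,
                      digits=digits, skew=skew)


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (HMAC-SHA1, 8 digits, T0 = 0, X = 30 s).
    for t in (59, 1111111109, 1234567890):
        print(f"t={t}: {totp(SECRET, t, digits=8)}")

    # The page's example settings: start 1633046400 (2021-10-01T00:00:00Z), step 1m,
    # length 8, skew 1.  Ninety seconds after the start time the server is on counter 1
    # while a T0 = 0 app is on counter 27217441, so the app's code is rejected.
    now = 1633046400 + 90
    print("app counter   :", totp_counter(now, 0, 60))
    print("server counter:", totp_counter(now, 1633046400, 60))
    print("rejected      :", client_server_mismatch(now, 1633046400, 60, 8, 1))
```

Run as a script it prints the three RFC test codes (94287082, 07081804, 89005924) followed by the two counters and `rejected: True`; changing `server_t0` to 0 makes the same app code verify, which is the whole point of keeping auth_totp_start aligned with the code generator.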

Config Example

server {
    listen 80;   # plain HTTP shown for brevity; serve the TOTP cookie over TLS in production

    location /protected {
        auth_totp_realm "Protected";
        auth_totp_file /etc/nginx/totp.conf;
        auth_totp_length 8;
        auth_totp_start 1633046400;  # T0 as a Unix timestamp: 2021-10-01T00:00:00Z
        auth_totp_reuse off;
        auth_totp_skew 1;            # accept one step either side of the current counter
        auth_totp_step 1m;           # X = 60 s; the code generator must use the same step
        auth_totp_cookie "totp-session";
        auth_totp_expiry 1d;
    }
}

Setting auth_totp_start to a value that the client's code generator does not share produces a different counter on each side, so every code is rejected and authentication fails.

The server's clock must be accurate (for example NTP-synchronised), since the counter is derived from the current server time minus this start time; a clock that drifts by more than auth_totp_skew steps makes otherwise valid codes appear expired.

If not explicitly set, the reference default is 'none' and the module applies its own built-in behaviour. RFC 6238 specifies T0 = 0 (the Unix epoch) as the conventional value, and that is what standard authenticator apps assume, so leave this directive unset unless the code generator is configured with the same non-zero start time.
