auth_totp_step

The `auth_totp_step` directive sets the TOTP time step, the interval during which a single Time-based One-Time Password (TOTP) is accepted, for NGINX TOTP authentication.

Syntax: auth_totp_step time;
Default: 30;
Context: http, server, location, limit_except
Arguments: 1

Description

The auth_totp_step directive sets the TOTP time step. In TOTP (RFC 6238) the step is part of the algorithm, not just a validity timeout: the code is derived from the counter floor(unix_time / step), so every second within one step yields the same code and the next step yields a different one. The step therefore bounds how long any single code is accepted, which limits the window in which an intercepted code can be replayed and forces users to produce a fresh code each step. Note that a code is accepted until the end of the step in which it was generated, not for a full step from the moment the user read it; a code read one second before the step boundary expires one second later.

The argument is a time interval in the usual NGINX notation: a bare number is seconds, and unit suffixes are accepted, so `auth_totp_step 30;` and `auth_totp_step 1m;` mean 30 and 60 seconds respectively. The value must equal the period the users' TOTP generators were enrolled with; most authenticator apps default to 30 seconds. If the server and client disagree on the step, they compute different counters from the same clock and their codes never match, so authentication fails even with the correct secret and perfectly synchronized clocks.

Config Example

location /protected {
    auth_totp_realm "Protected";
    auth_totp_file /etc/nginx/totp.conf;
    # 1m = 60 seconds; every enrolled authenticator must use a 60-second period as well
    auth_totp_step 1m;
    # other configurations...
}

The time step must match the period configured in the users' TOTP clients; a mismatch makes every login fail, regardless of the secret.

Too short a step leaves users little time to read and type a code before it expires, and any clock skew between server and client becomes a larger fraction of the step, so expect more failed attempts and re-authentication prompts.

If auth_totp_reuse is enabled, a code can be accepted more than once within its step; a longer step then also lengthens the period during which a captured code could be presented again.
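The arithmetic behind the step-alignment requirement, as an added worked example that is not code from this page or from NGINX: a minimal RFC 6238 TOTP in Python using the test key published in RFC 4226/6238. It shows that a client on a 30-second step and a server on a 60-second step derive different counters, and therefore different codes, from the same clock, and that a code read just before a step boundary has almost no validity left. The functions and the demo scenario are this example's own.

```python
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"


def totp_counter(unix_time: int, step: int) -> int:
    """RFC 6238: T = floor(unix_time / step). Every second inside one step maps to the same T."""
    if step <= 0:
        raise ValueError("step must be a positive number of seconds")
    return unix_time // step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The code a generator configured with `step` shows at `unix_time`."""
    return hotp(secret, totp_counter(unix_time, step), digits)


def seconds_remaining(unix_time: int, step: int = 30) -> int:
    """Validity left on the code shown at unix_time: until the step boundary, not `step` seconds."""
    return step - (unix_time % step)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check with no skew window; constant-time compare of the expected code."""
    expected = totp(secret, unix_time, step, digits)
    return hmac.compare_digest(expected, candidate)


def step_mismatch_demo(client_step: int = 30, server_step: int = 60, unix_time: int = 59) -> dict:
    """Constructed scenario: client enrolled with client_step, server configured with server_step."""
    code = totp(SECRET, unix_time, client_step)
    return {
        "code": code,
        "client_counter": totp_counter(unix_time, client_step),
        "server_counter": totp_counter(unix_time, server_step),
        "accepted_same_step": verify_totp(SECRET, code, unix_time, client_step),
        "accepted_server_step": verify_totp(SECRET, code, unix_time, server_step),
        "seconds_left_on_client": seconds_remaining(unix_time, client_step),
    }


if __name__ == "__main__":
    for key, value in step_mismatch_demo().items():
        print(f"{key}: {value}")
```

At unix time 59 the client (step 30) is on counter 1 and shows 287082, while a server running `auth_totp_step 1m` is still on counter 0 and expects 755224, so the correct secret is rejected. The same run shows that the client's code had only one second of validity left when it was read, which is why short steps produce retries on slow or skewed clients.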
