Add NTP abilities

Devin Martin
repo owner created an issue

Add the ability to ping NIST if desired for an accurate time.

  1. Larry_Ellis

    NTP is really required for TOTP, but that doesn't mean it belongs in apps! The server itself should be NTP synced. Time variances should be small enough to be handled by your sliding window.

    My recommendation is to install the free Meinberg Windows NTP build (physical machines) or the inexpensive Domain Time II client (better for VMs, which are hard to keep accurate).

  2. Devin Martin reporter

    @Larry_Ellis the rationale here was that sometimes the platform (app or server) can't be controlled. Typically a server environment is where this functionality would be needed the least since they can do exactly what you suggested. The Google Authenticator app does have a time sync function and I have had to use it even with my phone's time being synced to the carrier. But I do see your point. Perhaps this is an area where an extension would be more appropriate rather than bloating the base library. That way the consumer could choose if it were needed or not. I am liking that idea the more I think about it, what are your thoughts? Thanks for the feedback Larry.

  3. Larry_Ellis

    I'm not aware Google Authenticator has a time-sync function. Maybe that's an Android-only feature. Anyway, Gmail 2FA appears to tolerate time differences that are +/- 5 minutes of standard. This is what we do in our TOTP code, even though our server is NTP-synced; so we allow for moderate client time differences. I don't like clients that NTP-sync, since they proliferate NTP requests against scarce resources (the NTP servers). Imagine 50 apps on a single server, all independently doing their own NTP processing! But your suggestion to make it an extension might be a good compromise.
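
The sliding-window tolerance discussed in this thread, as an added example in Python (not code from the library or from either commenter): a server-side TOTP check that accepts codes within ±10 steps of 30 seconds, roughly the ±5 minutes mentioned above, and reports which step matched. The function names and the window size are assumptions; the key and timestamps are the RFC 6238 test values plus a constructed 4-minute offset.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA-1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, candidate, server_time, window_steps=10, digits=6):
    """Return the step offset (client minus server) that matched, or None.

    window_steps=10 accepts codes up to 10 * 30 s = 5 minutes either side
    of the server clock, so 21 codes are valid at any instant.
    """
    now = server_time // STEP
    matched = None
    # Nearest steps first; every step is still compared so timing does not
    # reveal which offset matched.
    for delta in sorted(range(-window_steps, window_steps + 1), key=abs):
        counter = now + delta
        if counter < 0:
            continue  # no time step exists before the Unix epoch
        ok = hmac.compare_digest(hotp(secret, counter, digits), candidate)
        if ok and matched is None:
            matched = delta
    return matched


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 Appendix B test key
    server_now = 1111111109 + 240  # constructed: server 4 minutes ahead
    code = hotp(key, 1111111109 // STEP, 8)
    print(code, verify(key, code, server_now, digits=8))
```

The returned offset can be logged per client to spot devices with drifting clocks without the application issuing any NTP requests of its own.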

