IBM Security Z Security

During the first Generic OTP user enrollement using App Verify I receive this error:

AZF5040I Entered preflight (ic=1XID114EYCPCE9EJMAEWJJGDT5LECHUA, tc=877299)
AZF5042E Preflight failed to match the provided token code
AZF5043I If using a short PERIOD value, try increasing WINDOW to reduce clock skew effects

The user has the following tags:
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFTOTP1
STATUS = INACTIVE
FACTOR TAGS =
REGSTATE:OPEN
PERIOD:60


Any idea ?

------------------------------
Luigi Perrone
------------------------------

There are two possibilities:

1. The issues described in this article:

https://labanskoller.se/blog/2019/07/11/many-common-mobile-authenticator-apps-accept-qr-codes-for-modes-they-dont-support/

2. The clock on the demo system and/or the client device is significantly off.

------------------------------
ANTON NIEMAND
------------------------------

Original Message:
Sent: Mon December 20, 2021 11:10 AM
From: Luigi Perrone
Subject: zMFA Totp error .....incomprhensible

During the first Generic OTP user enrollement using App Verify I receive this error:

AZF5040I Entered preflight (ic=1XID114EYCPCE9EJMAEWJJGDT5LECHUA, tc=877299)
AZF5042E Preflight failed to match the provided token code
AZF5043I If using a short PERIOD value, try increasing WINDOW to reduce clock skew effects

The user has the following tags:
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFTOTP1
STATUS = INACTIVE
FACTOR TAGS =
REGSTATE:OPEN
PERIOD:60


Any idea ?

------------------------------
Luigi Perrone
------------------------------

Tks Anton.
The first point is excluded, because I've tried with different client Apps (Google, Verify, DUO) using different ALG settings
In the second point, there is a difference of 1 minute between the two values

------------------------------
Luigi Perrone
------------------------------

Original Message:
Sent: Tue December 21, 2021 09:34 AM
From: ANTON NIEMAND
Subject: zMFA Totp error .....incomprhensible

There are two possibilities:

1. The issues described in this article:

https://labanskoller.se/blog/2019/07/11/many-common-mobile-authenticator-apps-accept-qr-codes-for-modes-they-dont-support/

2. The clock on the demo system and/or the client device is significantly off.

------------------------------
ANTON NIEMAND

Original Message:
Sent: Mon December 20, 2021 11:10 AM
From: Luigi Perrone
Subject: zMFA Totp error .....incomprhensible

During the first Generic OTP user enrollement using App Verify I receive this error:

AZF5040I Entered preflight (ic=1XID114EYCPCE9EJMAEWJJGDT5LECHUA, tc=877299)
AZF5042E Preflight failed to match the provided token code
AZF5043I If using a short PERIOD value, try increasing WINDOW to reduce clock skew effects

The user has the following tags:
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFTOTP1
STATUS = INACTIVE
FACTOR TAGS =
REGSTATE:OPEN
PERIOD:60


Any idea ?

------------------------------
Luigi Perrone
------------------------------