
Understanding Entra’s New Time Drift Allowance

03-03-2025

Microsoft Entra has recently updated its time drift allowances for TOTP, reducing the window to approximately 2 minutes. This change may impact users of hardware tokens that have not been used for an extended period.


In this post, we will explore how Entra manages TOTP drift correction and what steps are required for Token2 hardware tokens to remain functional.

According to Microsoft’s documentation on OATH TOTP authentication, Entra monitors and automatically adjusts the drift for each enrolled hardware token. This means that as long as a token is used periodically, the server keeps track of slight deviations in the token’s clock and compensates for them.
However, if a hardware token remains unused for an extended period—several months or more—it may fall outside the allowed drift window, causing authentication failures.

Impact on Token2 Hardware Tokens

If you are using Token2 hardware tokens with Entra, the new drift policy may require additional steps to ensure seamless authentication, especially if your tokens have not been used for an extended period:

  • For tokens with restricted time sync: If a token exceeds the drift limit, you will need to reprovision it. This can be done by either:
    • Burning the original seed again.
    • Using a randomly generated secret value with one of Token2’s NFC-based burning applications or scripts.
  • For tokens with unrestricted time sync: The process is simpler. You can manually adjust its internal clock using Token2’s NFC tools, which will realign the token’s time to avoid authentication failures.
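To make the drift-correction behaviour described above, and the two remedies listed for Token2 tokens, concrete, here is an added illustrative example. It is not Microsoft's or Token2's code: a standard RFC 6238 TOTP generator, a server-side verifier that remembers each token's last observed drift in 30-second steps and re-centres its acceptance window on every successful login, and two constructed scenarios (a token used monthly for a year, and the same token left idle for a year). The window of ±4 steps (120 s), the 2 s/day drift rate, the seed and the fixed timestamps are assumptions chosen for the demonstration; the post only states that Entra's window is approximately 2 minutes, and the verifier class models that behaviour rather than reproducing Entra's implementation.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class HardwareToken:
    """A TOTP token whose clock runs clock_offset seconds ahead (+) or behind (-) true time."""

    def __init__(self, secret: bytes, clock_offset: int = 0):
        self.secret = secret
        self.clock_offset = clock_offset

    def code(self, true_time: int) -> str:
        return totp(self.secret, true_time + self.clock_offset)


class DriftTrackingVerifier:
    """Server-side model of per-token drift correction (an illustration, not Entra's code).
    It remembers each token's last observed drift in time steps, accepts codes within
    +/- window_steps of that drift, and re-centres the window on every success.
    window_steps=4 (4 * 30 s = 120 s) is an assumption based on the ~2-minute figure."""

    def __init__(self, window_steps: int = 4, step: int = 30):
        self.window = window_steps
        self.step = step
        self.tokens = {}  # token_id -> {"secret", "drift" (steps), "last_counter"}

    def enroll(self, token_id: str, secret: bytes) -> None:
        # (Re)provisioning with a seed starts the token at zero known drift.
        self.tokens[token_id] = {"secret": secret, "drift": 0, "last_counter": -1}

    def verify(self, token_id: str, code: str, true_time: int) -> bool:
        rec = self.tokens[token_id]
        base = true_time // self.step + rec["drift"]
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= rec["last_counter"]:
                continue  # never accept a time step that was already consumed (replay)
            if hmac.compare_digest(hotp(rec["secret"], counter), code):
                rec["drift"] += delta  # learn where the token's clock really is
                rec["last_counter"] = counter
                return True
        return False


SEED = b"12345678901234567890"  # the RFC 4226/6238 reference seed, used only as a demo value
T0 = 1_700_000_000              # arbitrary fixed epoch time so the scenarios are deterministic


def simulate(drift_per_day: int, use_interval_days: int, uses: int, window_steps: int = 4) -> list:
    """Constructed scenario: a token enrolled at T0 gains drift_per_day seconds per day and is
    presented for login every use_interval_days; returns the accept/reject result of each use."""
    verifier = DriftTrackingVerifier(window_steps=window_steps)
    verifier.enroll("token-a", SEED)
    results = []
    for n in range(1, uses + 1):
        days = n * use_interval_days
        token = HardwareToken(SEED, clock_offset=drift_per_day * days)
        now = T0 + days * 86400
        results.append(verifier.verify("token-a", token.code(now), now))
    return results


def idle_token_then_clock_fix(drift_per_day: int = 2, idle_days: int = 360) -> tuple:
    """The 'unrestricted time sync' remedy: an idle token is rejected, then accepted once its
    clock is set back to true time with the same seed (what an NFC clock adjustment achieves)."""
    verifier = DriftTrackingVerifier()
    verifier.enroll("token-b", SEED)
    now = T0 + idle_days * 86400
    token = HardwareToken(SEED, clock_offset=drift_per_day * idle_days)
    before = verifier.verify("token-b", token.code(now), now)
    token.clock_offset = 0  # clock realigned; the seed is unchanged
    after = verifier.verify("token-b", token.code(now), now)
    return before, after


if __name__ == "__main__":
    print("used every 30 days for a year:", simulate(2, 30, 12))
    print("first use after 360 idle days:", simulate(2, 360, 1))
    print("idle token before/after clock fix:", idle_token_then_clock_fix())
```

In the monthly-use scenario each login arrives 60 s (2 steps) past the drift last recorded, so the verifier keeps re-centring and every code is accepted even though the token ends the year 12 minutes off. The idle token arrives 720 s (24 steps) off a window of ±4 steps and is rejected; resetting its clock (the unrestricted-time-sync path) or re-enrolling a fresh seed (the restricted-time-sync path, which `enroll` models by zeroing the stored drift) restores it.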
Consider Phishing-Resistant Alternatives
While TOTP is widely used for multi-factor authentication, it is not resistant to phishing attacks. Attackers can trick users into entering their TOTP codes on fraudulent websites, allowing them to hijack accounts. To enhance security, FIDO-based authentication should be preferred whenever possible, as it provides a more robust, phishing-resistant solution.



Key Takeaways
  • Entra has reduced its TOTP time drift allowance to around 120 seconds.
  • The server automatically adjusts the drift for each enrolled token as long as it is used periodically.
  • Long periods of inactivity can cause hardware tokens to fall out of sync, requiring reprovisioning or clock adjustments.
  • Token2 provides tools to burn new seeds (restricted time sync) or adjust the token's internal clock (unrestricted time sync) to restore functionality.
  • FIDO-based authentication is a better alternative to TOTP, offering phishing resistance and stronger security.
For more details, you can refer to Microsoft’s official documentation on TOTP time drift correction. If you have questions about Token2 devices or need assistance with reprovisioning, feel free to reach out to our support team.
