The OpenAuth system uses a time-based algorithm for generating verification codes (TOTP, RFC 6238). In order for this to work, your computer's time must be in sync with our servers' time. Our servers are synchronized with official time sources.
If you're consistently getting re-prompted for your
Verification code or getting 'access denied' when you're sure your password is correct, it might be because your clock is off. You can check official time for US timezones here.
Your timezone setting is especially important to consider.
If you are in a different timezone, you must adjust your computer's clock by adjusting the timezone, not just the time, so that your computer still accurately reflects the correct absolute time. For example, if you leave Cambridge and go to Los Angeles, you must change your clock by changing the timezone from Eastern time to Pacific time (a difference of three hours). If you just set your clock back three hours, and leave it in the Eastern timezone, openauth will treat you the same as a person in Cambridge with a clock that's off by three hours, and you will not be able to authenticate.
Most operating systems can be set to automatically maintain your correct timezone. Here's an example of what that looks like on a Mac (on Windows, this is under Control Panel -> Date & Time -> Internet Time - see Windows time/time zone instructions):
OpenAuth allows for clocks to be off by about a minute or two. Any more than that, and the system rejects you, same as if you typed an incorrect
Verification code. However, if your clock is off by more than a couple minutes but not more than 12 hours, it is possible to resync your secret token and have the system automatically adjust for the skew. This feature should only by used if you are not able to synchronize your computer's clock properly. In order to perform the resync, you must ssh to
login.rc.fas.harvard.edu and enter three different, sequential Verification codes, one at each
Verification code prompt. For example, a command-line ssh session on a Mac or linux host will look something like this:
USERNAME@MYCOMPUTER:~$ ssh USERNAME@login.rc.fas.harvard.edu
Note that if you later correct your clock, or switch to using a different computer or smartphone with a correct clock, you'll have to go through the same resync procedure in order to "unskew" your secret token. See the section on revoking your token here.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Permissions beyond the scope of this license may be available at Attribution.