Dynamic time window

By default, the production time window for password and signature verification is a static time window. The purpose of this window is to balance the relative time drift between the Digipass clock and the server clock.

With the Dynamic Identification Time Window feature, the time window runtime parameter ITimeWindow (or STimeWindow) can be set relatively smaller than with the static version because the size of the production time window varies depending on the time span between two authentications (or two signatures) of one authenticator application.

If the user authenticates every day, the production time window (= number of acceptable OTPs) will remain small because the actual time drift is updated on a daily basis. If, however, a longer period elapses before the next validation, e.g. six months, the production time window will be extended to allow for the potential time drift.

This functionality is enabled by adding the flag TW_DYNAMIC_WINDOWS to the runtime parameters ITimeWindow and/or STimeWindow, for example

ITimeWindow = 10 | TW_DYNAMIC_WINDOWS.

STimeWindow = 10 | TW_DYNAMIC_WINDOWS.

The following parameters affect the size of the dynamic time window:

• Time step
• Number of days since last successful OTP validation
• ITimeWindow/STimeWindow kernel parameters
• SyncWindow kernel parameter

Figure:  Dynamic time window

With Dynamic Time Window enabled, the used TimeWindow after DWAT will grow by eight seconds per day (allowing possible drift between Digipass and the server up to +/- four seconds per day).

The time window will be extended after the DWAT, but not indefinitely.

The time window will be capped by the SyncWindow kernel parameter.

For an example of the dynamic time window, refer to Appendix: Dynamic time window calculation examples.