Hello,
Our organization chose ESET for Two Factor Authentication and it is using it and testing it for a while. We already have internet security product on all of our customers and we are happy with it.
One of our main goals was having Two Factor Authentication outside of the office where you you login in offline mode and we chose to use HOTP (event-based OTP).
As said in web console: "Note: Time-based (TOTP) mobile application or hard token OTPs do not work in offline mode. Please use event-based (HOTP) option to use the offline mode."
We were thinking that people will have 100 successful logins outside of the office and then they will have to go to the office and login there one time to restock OTP.
So we put Number of offline OTPs to be 100 and everything was good for a while.
After a bit of using the app started to have problems with OTP for some of our users. It was random and they were unable to login in their homes and even when they come to the office. The message was "The OTP you entered could not be authenticated. Please try again." This is very inconvenient and problematic for our customers.
We started troubleshooting and find out that the app had to be re-provisioned again with SMS.
We contacted our local support and they made several tickets to main support because they were unable to help. The last ticket i think it has number CASE_00163501.
We did many testing's and collected many logs requested by ESET and our problem was not solved.
The response was that the app becomes out of sync until next re-enrolment and to use TOTP ("Time-based One-time Password").
TOTP doesn't have that problem from what i could test but we need HOTP problem fixed not switch.
I even made a video and logs how i make the app not functional with generating around 30 OTP and then the app can't be used anymore. This is happening even when the phone and the used OTP is on a machine that is in the network where the server is based. This is forced method of bricking the app but at least i am doing something to test it.
It is unacceptable by a manufacturer to not wanting to investigate the problem and making the customer do their job. This is happening for around 4 months and they closed the tickets from our local support around 2 times.
If you can't or won't do anything about synching the app again to the server or not letting the problem happen just say so and don't make us use other authentication method. That way we will find another product that support logging offline with less problems.
We have two separate domains with two servers and the problem is in both of them.
We are not small company and not a big one but we have 500+ customers and already have 100+ users provisioned with HOTP method so please tell us with straight words if this is fixable.
