Authentication timeout settings
Authentication timeouts associated with TOTP authentication are critical to both security and end user experience. TOTP authentication extends session-based authentication. For more information on session-based authentication timeouts, see Session-based name-and-password authentication for Web clients.
Single server session expiration
Under the Domino Web Engine tab in the Internet Site document, there is an Idle session timeout field associated with Single Server Session authentication. This field is specified in minutes, and indicates how long a session is valid. When the session authentication cookie expires, a connecting client is presented with the TOTP login form. Completing the login requires user input before the client can resume activity with the Traveler service. The Idles session timeout should be set as long as possible for a more seamless experience with the client.
Multi-server Session Authentication expiration (SSO)
TOTP authentication support for HCL Verse mobile clients when working with a Traveler High Availability pool requires that the Traveler endpoint is enabled for Multiple Server Session Authentication using the Web SSO configuration document. When the TOTP authentication is completed, a secure token is set as a cookie on the response to the client that is valid on any participating Traveler Server.
The Web SSO Configuration document has a setting for the expiration of this security token. When the token expires, a connecting client is presented with the TOTP login form. Completing the login requires user input before the client can resume activity with the Traveler service.
The token expiration should be set for as long as possible for a more seamless experience with the mobile client.