9.18 OATH OTP

OATH (Initiative for Open Authentication) is an industry-wide collaboration to develop an open reference architecture using open standards to promote the adoption of strong authentication using OTP.

Advanced Authentication supports two types of OATH OTP: HOTP (counter-based) and TOTP (time-based). The following sections describe the settings you can configure for each OATH method.

9.18.1 HOTP

HOTP is a counter-based one-time password. To configure the HOTP authenticator, you can specify the following parameters:

  • OTP format: The number of digits in the OTP. The default value is 6 digits. The value must be the same as that of the tokens you are using.

  • OTP window: The size of the OTP window defines how many counter values are accepted for authentication. When the counters are out of sync, this parameter bounds the difference between the counter on the token and the counter on the server. The server stores the last counter value (C) for which the user has provided a valid password. When verifying a new OTP from the token, the server computes the OTP for C+1, C+2, ... until one of them matches the OTP received from the token, or until it reaches C+w, where w is the OTP window. On a match, the stored counter advances to the matched value, so OTPs for lower counters (including one that was already used) are no longer accepted.

    You can use an HOTP token such as a YubiKey to access not only Advanced Authentication but also websites or third-party services. After each use, or when a user presses the token button accidentally, the HOTP counter on the token increases by 1, so the token counter can run ahead of the counter stored on the Advanced Authentication server.

    For example, if the OTP window is set to 10 (the default) and the counter value stored on the server is 100, then an OTP generated by the token with a counter value from 101 through 110 is valid for authentication. An OTP for counter 100 was already accepted and is rejected if replayed; an OTP for counter 111 or higher is rejected until the token is resynchronized.

    WARNING: Do not increase the HOTP window value to more than 100. Every counter value in the window is an accepted OTP, so a larger window increases the chance that a guessed OTP matches one of them (a false match) and decreases security.

During enrollment, or during HOTP counter synchronization in the Self-Service portal, an enrollment HOTP window of 100,000 is used instead. This is useful for the following reasons:

  • HOTP tokens may have been used for a long period before enrollment in Advanced Authentication, so the token's current counter value is unknown and may already be in the thousands.

  • It remains secure because users must provide 3 consecutive HOTPs rather than a single one.

Configuring Yubikey for Advanced Authentication Server

  1. Download and install the Yubikey Personalization Tool from Yubico.

    To download the Yubikey Personalization Tool, see the Yubico website.

  2. Insert the Yubikey token.

    Ensure that the token is recognized, which is indicated by the message Yubikey is inserted in the top-right corner of the Personalization Tool.

  3. Select OATH-HOTP mode.

  4. Select Configuration Slot 1, then generate the OATH Token Identifier and the Secret Key.

  5. In Logging Settings, select Log configuration output.

  6. Select Traditional format or Yubico format.

  7. Click Write Configuration and save the CSV file.

For information about how to enroll the HOTP method, see HOTP in the Advanced Authentication User Guide.

9.18.2 TOTP

TOTP is a time-based one-time password. To configure the TOTP authenticator, you can specify the following parameters:

  • OTP period (sec): How often a new OTP is generated, in seconds. The default value is 30 seconds. The maximum value for the OTP period is 360 seconds.

  • OTP format: The number of digits in the OTP. The default value is 6 digits. The value must be the same as that of the tokens you are using.

  • OTP window: The number of periods that the Advanced Authentication server considers when validating a TOTP. For example, with a period of 30 and a window of 4, an OTP is accepted for 2*30 seconds before the current time and 2*30 seconds after it, that is, ±60 seconds. The window compensates for clock drift between the token and the server, which would otherwise cause authentication to fail. The maximum value for the OTP window is 64 periods.

    IMPORTANT: Do not use an OTP window of 32 or higher with 4-digit OTPs. A 4-digit OTP has only 10,000 possible values, and every period in the window is another accepted value, so a wide window noticeably increases the chance that a guessed OTP is accepted.

  • Google Authenticator format of QR code (Key URI): Option to display the QR code for TOTP enrollment of a software token in a format that is compatible with the Google Authenticator, Microsoft Authenticator, and NetIQ Auth apps. When you disable the option, the displayed QR code can be scanned only with the NetIQ Auth smartphone app. Enable the option to allow enrollment with the Google Authenticator or Microsoft Authenticator apps. A QR code in Google Authenticator format can also be scanned with the NetIQ Auth app (supported by the latest iOS and Android apps).

    IMPORTANT:OTP format must be set to 6 digits when you use the Google Authenticator format of QR code.

  • Allow manual enrollment: When you enable this option, the Specify the TOTP secret manually section is displayed on the TOTP enrollment page of the Self-Service portal with the following parameters: Secret, Period, and Google Authenticator format of secret (Base32). By default, the option is disabled and these settings are hidden. Enabling the option may result in security risks, because the TOTP secret is then entered and handled manually by the user.

  • Disable self enrollment: This option disables enrollment of the TOTP method in the Self-Service portal. The option is enabled by default. When it is enabled, the TOTP method is unavailable in the old Self-Service portal and is not displayed in the new Self-Service portal.

  • Hide TOTP on rooted smartphones: Enable this option to hide the OTP on rooted smartphones. By default, the option is disabled.
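The following Python script is an added example; it is not code from Advanced Authentication or its documentation. It implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1 and shows the two window mechanisms described in this section: the HOTP look-ahead window (C+1 through C+w, with counter resynchronization on a match and the wide enrollment window that requires three consecutive OTPs) from 9.18.1, and the TOTP window of ±window/2 periods together with the guess probability behind the 4-digit warning, plus the otpauth:// Key URI that Google Authenticator-format QR codes encode. The secret is the RFC test-vector key, used here as constructed sample input; the issuer and account names are made up.

```python
"""HOTP and TOTP verification with the windows described in this section.

Added example (not part of Advanced Authentication). Implements RFC 4226 HOTP and
RFC 6238 TOTP with HMAC-SHA1; SECRET is the RFC test-vector key used as sample input.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# RFC 4226 / RFC 6238 test key (20 bytes), used here as constructed sample input.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpServer:
    """Server-side state for one HOTP token: the secret and the last accepted counter C."""

    def __init__(self, secret: bytes, digits: int = 6, window: int = 10):
        self.secret = secret
        self.digits = digits
        self.window = window  # w: how far ahead of C the server will look
        self.counter = 0      # C: last counter for which a valid OTP was accepted

    def verify(self, otp: str) -> bool:
        """Accept otp if it equals HOTP(C+1) .. HOTP(C+w); on success move C to the match.

        Advancing C resynchronizes with a token that ran ahead and makes every counter
        at or below the match unusable, so an intercepted OTP cannot be replayed.
        """
        for candidate in range(self.counter + 1, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), otp):
                self.counter = candidate
                return True
        return False

    def enroll_sync(self, otps: list, enrollment_window: int = 100_000) -> bool:
        """Enrollment / Self-Service sync: a very wide window, but 3 consecutive OTPs must match."""
        if len(otps) < 3:
            return False
        for start in range(self.counter + 1, self.counter + enrollment_window + 1):
            if all(hmac.compare_digest(hotp(self.secret, start + i, self.digits), o)
                   for i, o in enumerate(otps)):
                self.counter = start + len(otps) - 1
                return True
        return False


def verify_totp(secret: bytes, otp: str, now: int, period: int = 30,
                digits: int = 6, window: int = 4) -> bool:
    """RFC 6238: the counter is now // period; accept any step within ±(window // 2) periods.

    With period=30 and window=4 this is ±2 periods, i.e. ±60 seconds of clock drift.
    """
    step = now // period
    half = window // 2
    for candidate in range(max(0, step - half), step + half + 1):  # counters cannot be negative
        if hmac.compare_digest(hotp(secret, candidate, digits), otp):
            return True
    return False


def guess_probability(digits: int, window: int) -> float:
    """Chance that one random guess is accepted: accepted steps / possible OTP values.

    Shows why a 4-digit OTP with a window of 32 (33 accepted steps) is a poor choice.
    """
    accepted_steps = 2 * (window // 2) + 1
    return min(1.0, accepted_steps / 10 ** digits)


def key_uri(issuer: str, account: str, secret: bytes, period: int = 30, digits: int = 6) -> str:
    """otpauth:// Key URI as scanned by Google Authenticator-compatible apps (Base32 secret)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


if __name__ == "__main__":
    server = HotpServer(SECRET, window=10)
    print("token ran ahead to counter 5, accepted:", server.verify(hotp(SECRET, 5)))
    print("replay of counter 5, accepted:", server.verify(hotp(SECRET, 5)))
    print("counter 20 lies outside 6..15, accepted:", server.verify(hotp(SECRET, 20)))
    fresh = HotpServer(SECRET)
    print("enrollment sync at counter 5000:", fresh.enroll_sync([hotp(SECRET, 5000 + i) for i in range(3)]))
    print("TOTP for t=59 accepted 60 s later:", verify_totp(SECRET, "287082", now=119))
    print("4-digit OTP, window 32, guess probability:", guess_probability(4, 32))
    print(key_uri("Example Corp", "alice@example.com", SECRET))
```

Running the script shows the behaviour the text describes: a token that has advanced to counter 5 is accepted and the server's counter moves to 5, a replay of the same OTP is rejected, and a counter beyond C+w is rejected until the user resynchronizes with three consecutive OTPs.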

You must perform the following tasks to allow users to enroll the TOTP method using the Desktop OTP tool:

9.18.3 Importing PSKC or CSV Files

You can import the PSKC or CSV files. These token files contain token information. To import these files, perform the following steps:

  1. Click the OATH Token tab.

  2. Click Add.

  3. Click Browse and select a PSKC or CSV file.

  4. Choose a File type. The options are:

    • OATH compliant PSKC: The file must comply with the OATH Portable Symmetric Key Container (PSKC) format defined in RFC 6030. For example, HID OATH TOTP compliant tokens.

    • OATH csv: The file must have the format described in CSV File Format To Import OATH Compliant Tokens. You cannot use YubiKey CSV files with this file type.

    • Yubico csv: For this file type, you must use one of the supported Log configuration output formats (see YubiKey Personalization Tool > Settings tab > Logging Settings) with a comma as the delimiter.

      • Traditional format: In this file type, OATH Token Identifier must be enabled.

      • Yubico format: This file type is supported only for HOTP Length set to 6 Digits and OATH Token Identifier set to All numeric.

      IMPORTANT: Moving Factor Seed (the token's initial counter) must not exceed 100000, so that it lies within the enrollment HOTP window of 100,000.

  5. If the PSKC file is encrypted, select Password or Pre-shared key in PSKC file encryption type and provide the password or key. Select Not encrypted if the PSKC file is encrypted with neither a password nor a key.

  6. Click Upload to import tokens from the file.

NOTE: Advanced Authentication reads the OTP format from the imported token file and stores it with the enrolled authenticator. Therefore, you need not change the default value of OTP format on the Edit Method tab.

When the tokens are imported, they appear in the list and you must assign them to users. This can be done in the following two ways:

  • Click Edit next to the token, select the Owner, and click Save.

  • A user can self-enroll a token in the Self-Service portal. The administrator must tell the user the appropriate value from the Serial column to use for self-enrollment.

NOTE:Tenancy settings are not supported for the OATH tokens. Therefore, the configurations in the OATH Tokens tab cannot be enforced on tenant administrators.

9.18.4 CSV File Format To Import OATH Compliant Tokens

A CSV file that is imported with the OATH csv file type (Administration portal > Methods > OATH OTP > OATH Tokens tab) must contain the following fields:

  • Token’s serial number

  • Token’s seed

  • (Optional) Type of the token: TOTP or HOTP (by default HOTP)

  • (Optional) OTP length (default value is 6 digits)

  • (Optional) Time step (default value is 30 seconds)

The delimiter is a comma.

The following is an example of a CSV file:

Token001, 15d2fa517d3c6b791bd4cc2044c241429307001f
Token002, 8c557fc050721037fd31e1d3345b5d3263263e0f, totp, 8
Token003, 658208efea5ac49d5331ba781e66f2c808cccc8e, hotp, 6
Token004, 89f0dfe1c90379da6a11aaca2fc1070f606efe36, totp, 6, 60
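The following Python script is an added example, not code from Advanced Authentication or its documentation. It parses and validates files in the format above, applying the defaults listed (HOTP, 6 digits, 30 seconds) and tolerating the spaces after the commas shown in the sample. The sample input is the four example rows from the text plus a blank line, constructed for this example; the minimum seed length, the accepted digit range and the rejection of duplicate serial numbers are the author's assumptions about sensible import checks, and the period limit of 360 seconds is taken from the TOTP settings above.

```python
"""Parser and validator for the OATH csv token-import format.

Added example, not code from Advanced Authentication. Applies the defaults stated
in the text (HOTP, 6 digits, 30 seconds); the seed-length, digit-range, period-range
and duplicate-serial checks are the author's assumptions.
"""
import csv
import io
from dataclasses import dataclass

DEFAULT_TYPE, DEFAULT_DIGITS, DEFAULT_PERIOD = "hotp", 6, 30
MIN_SEED_BYTES = 16        # assumption: RFC 4226 recommends a shared secret of at least 128 bits
MAX_PERIOD_SECONDS = 360   # the maximum TOTP "OTP period" stated in this section

# Constructed sample: the four example rows from the text plus a blank line.
SAMPLE_CSV = """Token001, 15d2fa517d3c6b791bd4cc2044c241429307001f
Token002, 8c557fc050721037fd31e1d3345b5d3263263e0f, totp, 8

Token003, 658208efea5ac49d5331ba781e66f2c808cccc8e, hotp, 6
Token004, 89f0dfe1c90379da6a11aaca2fc1070f606efe36, totp, 6, 60
"""


@dataclass(frozen=True)
class OathToken:
    serial: str
    seed: bytes     # raw seed bytes decoded from the hex column
    otp_type: str   # "hotp" or "totp"
    digits: int
    period: int     # seconds; only meaningful for totp


def parse_oath_csv(text: str) -> list:
    """Parse the CSV text into OathToken records, raising ValueError on a bad row."""
    tokens, seen = [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        fields = [f.strip() for f in row]
        if not any(fields):
            continue  # blank line
        if not 2 <= len(fields) <= 5:
            raise ValueError(f"line {lineno}: expected 2 to 5 fields, got {len(fields)}")
        serial = fields[0]
        if not serial:
            raise ValueError(f"line {lineno}: empty serial number")
        if serial in seen:
            raise ValueError(f"line {lineno}: duplicate serial {serial!r}")
        try:
            seed = bytes.fromhex(fields[1])
        except ValueError:
            raise ValueError(f"line {lineno}: seed is not hexadecimal") from None
        if len(seed) < MIN_SEED_BYTES:
            raise ValueError(f"line {lineno}: seed shorter than {MIN_SEED_BYTES} bytes")
        otp_type = fields[2].lower() if len(fields) > 2 and fields[2] else DEFAULT_TYPE
        if otp_type not in ("hotp", "totp"):
            raise ValueError(f"line {lineno}: unknown token type {fields[2]!r}")
        digits = int(fields[3]) if len(fields) > 3 and fields[3] else DEFAULT_DIGITS
        if not 4 <= digits <= 8:  # assumption: the OTP lengths discussed in this section
            raise ValueError(f"line {lineno}: unsupported OTP length {digits}")
        period = int(fields[4]) if len(fields) > 4 and fields[4] else DEFAULT_PERIOD
        if not 1 <= period <= MAX_PERIOD_SECONDS:
            raise ValueError(f"line {lineno}: time step {period} out of range")
        seen.add(serial)
        tokens.append(OathToken(serial, seed, otp_type, digits, period))
    return tokens


if __name__ == "__main__":
    for t in parse_oath_csv(SAMPLE_CSV):
        print(f"{t.serial}: {t.otp_type}, {t.digits} digits, period {t.period}s, seed {len(t.seed)} bytes")
```

The parser rejects a row rather than silently importing it when the seed is not valid hex, is too short, names an unknown token type, or repeats a serial number already seen; a failed import of a token is far easier to notice than a token enrolled with a wrong secret.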

IMPORTANT: For YubiKey tokens, you must use the Traditional format of the CSV log (see YubiKey Personalization Tool > Settings tab > Logging Settings) with a comma as the delimiter, and import it with the Yubico csv file type (Advanced Authentication Administration portal > Methods > OATH OTP > OATH Tokens).