OATH (Initiative for Open Authentication) is an industry-wide collaboration to develop an open reference architecture using open standards to promote the adoption of strong authentication using OTP.
Advanced Authentication supports the following two different types of OATH OTP:
You can configure the following settings for the OATH methods:
HOTP is a counter-based one-time password. To configure the HOTP authenticator, you can specify the following parameters:
: The number of digits in the OTP token. The default value is 6 digits. The value must match the tokens you are using.
: The size of the OTP window, which defines how many consecutive OTPs are accepted for authentication. When the counters are out of sync, this parameter bounds the allowed difference between the counter on the token and the counter on the server. Within that bound the server can recalculate the next OTP values and compare them with the OTP received from the token. The server stores the last counter value (C) for which the user provided a valid OTP. While verifying a new OTP from the token, the server validates C+1, C+2, ... until one of the OTPs matches, or up to C+w, where w is the OTP window.
You can use a HOTP token such as a YubiKey to access not only Advanced Authentication but also websites or third-party services. After each use, or when a user presses the token button accidentally, the HOTP counter on the token is incremented by 1. The counter therefore drifts out of sync between the token and the Advanced Authentication server.
For example, if the OTP window is set to 10 (the default) and the last counter value stored on the server is 100, then any OTP generated by the token with a counter value from 101 to 110 (C+1 through C+w) is valid for authentication.
WARNING: Do not increase the HOTP window value to more than 100, as it decreases security: every additional counter value in the window is one more OTP that an attacker's guess can match.
During enrollment or HOTP counter synchronization in the Self-Service portal, a value of 100,000 is used instead. This helps in the following ways:
HOTP tokens may have been used for a long time before enrollment in Advanced Authentication, so the token's counter value is unknown and can be in the thousands.
This remains secure because users must provide 3 consecutive HOTPs, not just one.
Download and install the Yubikey Personalization Tool from Yubico.
To download the Yubikey Personalization Tool, see the Yubico website.
Insert the Yubikey token.
Ensure that the token is recognized. Recognition is indicated by the message Yubikey is inserted at the top-right corner of the Personalization Tool.
Select, generate the and .
In, select .
Click and save the CSV file.
TOTP is a time-based one-time password. To configure the TOTP authenticator, you can specify the following parameters:
: The interval at which a new OTP is generated. The default value is 30 seconds. The maximum value for the OTP period is 360 seconds.
: The number of digits in the OTP token. The default value is 6 digits. The value must match the tokens you are using.
: The number of periods that the Advanced Authentication server accepts around the current time when validating a TOTP. For example, with a period of 30 seconds and a window of 4, an OTP is valid for 2*30 seconds before the current time and 2*30 seconds after it, that is, ±1 minute (±2 periods). The window exists because the clocks of the token and the server can be out of sync, which would otherwise cause authentication to fail. The maximum value for the OTP window is 64 periods.
IMPORTANT: It is not recommended to use an OTP window of 32 or higher for 4-digit OTPs because it reduces security: a 4-digit code has only 10,000 possible values, and a window of 32 periods accepts up to 32 of them at any moment, so a single random guess succeeds with probability of roughly 32/10,000 (0.32%).
: Option to display the QR code for TOTP enrollment of the software token in a format that is compatible with the Google Authenticator, Microsoft Authenticator, or NetIQ Auth apps. When you disable the option, the displayed QR code can be scanned only with the NetIQ Auth smartphone app. Enable the option to allow enrollment with the Google Authenticator or Microsoft Authenticator apps. A QR code in the Google Authenticator format can also be scanned with the NetIQ Auth app (supported by the latest iOS and Android apps).
IMPORTANT: The OTP format must be set to 6 digits when you use the Google Authenticator QR code format.
: When you enable the option, the section is displayed on the TOTP enrollment page of the Self-Service portal with the following parameters: , , and . By default, the option is disabled and the settings are hidden. Enabling the option may introduce security risks.
: This option disables manual enrollment of the TOTP method in the Self-Service portal. The option is enabled by default. When enabled, the TOTP method is unavailable in the old Self-Service portal and is not displayed in the new Self-Service portal.
: Enable this option to hide the OTP on rooted smartphones. By default, the option is disabled.
You must perform the following tasks to allow the users to enroll TOTP method using the Desktop OTP tool:
You can import the PSKC or CSV files. These token files contain token information. To import these files, perform the following steps:
Click and select a PSKC or CSV file.
Choose a file type. The options are:
: This file type must be compliant with OATH. For example, HID OATH TOTP compliant tokens.
: This file type must use the format described in CSV File Format To Import OATH Compliant Tokens. You cannot use the YubiKey CSV files.
: In this file type, you must use one of the supported formats (see ) with a comma as the delimiter.
Traditional format: In this file type, must be enabled.
Yubico format: This file type is supported only for set to and set to .
IMPORTANT: must not exceed 100,000.
Add the encrypted PSKC files. To do this, select or in and provide the information. You can select if the PSKC file is not encrypted with either a password or a key.
Click to import tokens from the file.
NOTE: Advanced Authentication reads the from the imported token file and stores it in the enrolled authenticator. Therefore, you do not need to change the default value of on the tab.
When the tokens are imported, the list is displayed and you must assign the tokens to users. You can do this in either of the following two ways:
Click next to the token, select , and click .
A user can self-enroll a token in the Self-Service portal. The administrator must give the user the appropriate value from the column for self-enrollment.
NOTE: are not supported for the OATH tokens. Therefore, the configurations on the tab cannot be enforced on tenant administrators.
A CSV file, which is imported as an OATH CSV file on the > > > tab, must contain fields with the following parameters:
Token’s serial number
(Optional) Type of the token: TOTP or HOTP (by default HOTP)
(Optional) OTP length (default value is 6 digits)
(Optional) Time step (default value is 30 seconds)
Fields are separated by commas.
The following is an example of a CSV file (one token per line):
Token001, 15d2fa517d3c6b791bd4cc2044c241429307001f
Token002, 8c557fc050721037fd31e1d3345b5d3263263e0f, totp, 8
Token003, 658208efea5ac49d5331ba781e66f2c808cccc8e, hotp, 6
Token004, 89f0dfe1c90379da6a11aaca2fc1070f606efe36, totp, 6, 60
IMPORTANT: For YubiKey tokens, you must use the traditional CSV format (check ) with a comma as the delimiter, and the Yubico CSV file type ( ).
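A parser for the OATH CSV format described above, as an added example that is not part of the Advanced Authentication documentation or product code. It applies the defaults the page states (HOTP, 6 digits, 30-second time step), enforces the page's 360-second maximum TOTP period, and rejects malformed lines instead of silently importing a token with a bad seed. Two assumptions, since the page's field list does not spell them out: the second field is the token's shared secret in hexadecimal (the page's example shows 40 hex characters, a 20-byte SHA-1 HMAC key), and the optional otpauth:// Key URI builder is the de facto format consumed by Google Authenticator style apps, not something the page documents. The sample input is the page's example plus two constructed bad lines; the function names are my own.

```python
# Added example, not from the Advanced Authentication documentation.
# Parser for the "serial, hex seed, [type], [digits], [period]" CSV token format.
import base64
import csv
import io
from dataclasses import dataclass
from urllib.parse import quote

MAX_PERIOD = 360  # the page's maximum TOTP period, in seconds


@dataclass
class Token:
    serial: str
    seed: bytes    # raw shared secret; assumption: the CSV carries it hex-encoded
    kind: str      # "hotp" (default) or "totp"
    digits: int    # default 6
    period: int    # seconds, default 30; only meaningful for totp


def parse_oath_csv(text: str):
    """Parse the CSV text. Returns (tokens, errors); bad lines are reported, never imported."""
    tokens, errors = [], []
    rows = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, row in enumerate(rows, start=1):
        fields = [f.strip() for f in row]
        if not any(fields):
            continue  # blank line
        if len(fields) < 2 or len(fields) > 5:
            errors.append(f"line {lineno}: expected 2 to 5 fields, got {len(fields)}")
            continue
        serial, seed_hex = fields[0], fields[1]
        kind = (fields[2] if len(fields) > 2 else "hotp").lower()
        try:
            seed = bytes.fromhex(seed_hex)                   # rejects non-hex or odd-length seeds
            digits = int(fields[3]) if len(fields) > 3 else 6
            period = int(fields[4]) if len(fields) > 4 else 30
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if kind not in ("hotp", "totp"):
            errors.append(f"line {lineno}: unknown token type {kind!r}")
            continue
        if not seed:
            errors.append(f"line {lineno}: empty seed")
            continue
        if digits < 1:
            errors.append(f"line {lineno}: OTP length must be positive")
            continue
        if not 1 <= period <= MAX_PERIOD:
            errors.append(f"line {lineno}: period {period} outside 1..{MAX_PERIOD}")
            continue
        tokens.append(Token(serial, seed, kind, digits, period))
    return tokens, errors


def otpauth_uri(tok: Token, issuer: str, account: str) -> str:
    """Key URI (otpauth://) for authenticator apps. Assumption: de facto Google format,
    which also expects 6 digits as the page notes for its Google Authenticator QR code."""
    secret = base64.b32encode(tok.seed).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    uri = f"otpauth://{tok.kind}/{label}?secret={secret}&issuer={quote(issuer)}&digits={tok.digits}"
    uri += f"&period={tok.period}" if tok.kind == "totp" else "&counter=0"
    return uri


# Constructed sample: the page's four example lines plus two deliberately bad lines.
SAMPLE_CSV = """Token001, 15d2fa517d3c6b791bd4cc2044c241429307001f
Token002, 8c557fc050721037fd31e1d3345b5d3263263e0f, totp, 8
Token003, 658208efea5ac49d5331ba781e66f2c808cccc8e, hotp, 6
Token004, 89f0dfe1c90379da6a11aaca2fc1070f606efe36, totp, 6, 60
Token005, notahexseed, totp
Token006, 89f0dfe1c90379da6a11aaca2fc1070f606efe36, totp, 6, 900
"""

if __name__ == "__main__":
    tokens, errors = parse_oath_csv(SAMPLE_CSV)
    for t in tokens:
        print(f"{t.serial}: {t.kind} digits={t.digits} period={t.period} seed={len(t.seed)} bytes")
    for e in errors:
        print("rejected:", e)
```

The error list is returned rather than raised so that an import can show every bad line at once; the `Token` objects can then be handed to whatever stores the seed, and for TOTP tokens `otpauth_uri` gives the string that a QR code for a software authenticator would encode.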