2.14 HOTP

HOTP is a counter-based one-time password. This method enables you to authenticate using the counter-based one-time password generated on the HOTP token. The counter on the token must be in sync with the counter on the server. You can use generic HOTP tokens that adhere to RFC 4226. To enroll, you must use the static secret key and three consecutive OTPs generated by the token. When you try to authenticate on any device, the OTP from the token is compared with the OTP generated on the server. If the OTPs are identical, you are authenticated successfully.
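The following Python example is added here to show the mechanics the paragraph describes; it is not code from the Advanced Authentication product or its documentation. It implements the RFC 4226 algorithm (HMAC-SHA1 over the 8-byte counter, dynamic truncation), the enrollment-time derivation of the token counter from three consecutive OTPs, and a server-side check with a look-ahead window that resynchronizes the counter. The secret is the RFC 4226 Appendix D test key written as the 40-character hex string an enrollment form would accept; the search limit, the window size of 10, and the class and function names are assumptions made for this example.

```python
import hashlib
import hmac
import struct
from typing import List, Optional

# Constructed: RFC 4226 Appendix D test secret ("12345678901234567890") as the
# 40-character hex string a form would accept. Not a real token's key.
TEST_SECRET_HEX = "3132333435363738393031323334353637383930"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def derive_counter(secret: bytes, otps: List[str], search_limit: int = 100000,
                   digits: int = 6) -> Optional[int]:
    """Model of the enrollment step: find the counter at which the token produced
    the given consecutive OTPs and return the next counter the server should expect.

    Returns None when no run of consecutive counters matches, which is the case the
    "Cannot derive the counter. Check your three OTPs." message reports. Three OTPs
    are required because a single 6-digit code matches a random counter with
    probability 1e-6, so one code alone would be ambiguous over a large search range.
    """
    window: List[str] = []
    for c in range(search_limit):
        window.append(hotp(secret, c, digits))
        if len(window) > len(otps):
            window.pop(0)
        if window == otps:
            return c + 1  # counter of the last matched OTP, plus one
    return None


class HotpServerRecord:
    """Constructed stand-in for the server's per-token state (secret and counter)."""

    def __init__(self, secret: bytes, counter: int, digits: int = 6, look_ahead: int = 10):
        self.secret = secret
        self.counter = counter          # next counter the server expects
        self.digits = digits
        self.look_ahead = look_ahead    # assumption: how far the token may run ahead

    def verify(self, otp: str) -> bool:
        """Accept the OTP if it matches any counter in [counter, counter + look_ahead).

        On success the stored counter jumps past the matched value, so the token is
        resynchronized and the same OTP can never be accepted again (replay).
        A token that has advanced beyond the window is rejected; the user then has
        to resynchronize by submitting three consecutive OTPs.
        """
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), otp):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    key = bytes.fromhex(TEST_SECRET_HEX)
    first_three = [hotp(key, c) for c in range(3)]
    print("enrollment OTPs:", first_three)
    print("derived next counter:", derive_counter(key, first_three))
    record = HotpServerRecord(key, counter=3)
    print("verify counter-3 code:", record.verify(hotp(key, 3)))
    print("replay of same code:", record.verify(hotp(key, 3)))
```

Usage: run the file directly to see enrollment, a successful verification, and the rejected replay. The `look_ahead` window is the trade-off the "Incorrect OTP password" row in the error table refers to: a small window limits how many guesses an attacker gets per counter position, but any token that has been pressed more times than the window allows must be resynchronized through the three-OTP procedure.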

2.14.1 Enrolling the HOTP Authenticator

To enroll the HOTP authenticator, you must follow the recommendations of your system administrator. You can enroll HOTP in one of the following ways:

NOTE: If a token is already assigned to your account, enrollment is not required.

Using YubiKey Hardware Token

To enroll HOTP using a YubiKey hardware token, perform the following steps:

  1. Click the HOTP icon in Add Authenticator.

  2. (Optional) Specify a comment related to the HOTP authenticator in Comment.

  3. (Optional) Select the preferred category from Category.

  4. Specify the token serial number in OATH Token Serial.

  5. Specify the YubiKeyToken Key ID.

  6. Place the cursor in HOTP 1 and touch the button on YubiKey.

    The OTP from the YubiKey is inserted in HOTP 1 automatically.

  7. Repeat the previous step with the cursor in HOTP 2 and then in HOTP 3 to insert the consecutive OTPs.

  8. Click Save.

    A message Authenticator "HOTP" has been added is displayed.

Using Software Token

To enroll HOTP using an RFC 4226 compliant software token, perform the following steps:

  1. Click the HOTP icon in Add Authenticator.

  2. Specify the first OTP generated on the token in HOTP 1.

  3. Specify the consecutive OTPs from the token in HOTP 2 and HOTP 3.

  4. Specify the 40-character hexadecimal secret key in Secret (if you know it).

  5. Click Save.

    A message Authenticator "HOTP" has been added is displayed.

Synchronizing Existing Token with HOTP Counter

If an existing token is assigned to your account, perform the following steps to synchronize the HOTP counter:

  1. Click the HOTP icon in Enrolled Authenticators.

  2. Specify the first OTP generated on the token in HOTP 1. In the case of a YubiKey token, connect the hardware token to the system and perform the following steps:

    1. Place the cursor in HOTP 1.

    2. Touch the button on the token.

  3. Specify the consecutive OTPs from the token in HOTP 2 and HOTP 3. In the case of a YubiKey token, repeat steps 2a and 2b for each field.

  4. Click Save.

Assigning a Token Serial To an Account

If the administrator has uploaded the token details to the Advanced Authentication server and you have received the serial number of a token, perform the following steps to assign the serial number to your account:

  1. Click the HOTP icon in Enrolled Authenticators.

  2. (Optional) Specify a comment related to the HOTP authenticator in Comment.

  3. Specify the token's serial number in OATH Token Serial.

  4. Specify the three consecutive OTPs in HOTP 1, HOTP 2, and HOTP 3 respectively.

  5. Click Save.

2.14.2 Testing the HOTP Authenticator

  1. Click the HOTP icon in Your Enrolled Single Methods for sign in.

  2. Click Test Method.

  3. Specify the OTP in Password.

    If the OTP is valid, a message Authenticator "HOTP" passed the test is displayed.

The following table describes the possible error messages, along with their causes and workarounds, for HOTP authentication.

Table 2-7 HOTP authenticator - error messages

Error: Incorrect OTP password
Possible Cause and Workaround: The specified OTP is incorrect, or the counter on the token and the counter on the server are not in sync. Specify a valid OTP and try to authenticate again.

Error: Cannot derive the counter. Check your three OTPs.
Possible Cause and Workaround: One of the OTPs specified during enrollment is incorrect. Try to enroll again with new OTPs.