2.26 TOTP

The TOTP method enables you to authenticate using a time-based one-time password (TOTP). The TOTP is generated on a hardware token, the Desktop OTP tool, or a mobile app such as the NetIQ Advanced Authentication app or the Google Authenticator app. Each TOTP is valid only for a short, predefined period; the default period is 30 seconds.

You can enroll the TOTP authenticator using the Desktop OTP tool. To start the tool, click the enrollment link sent by your administrator; the Desktop OTP tool opens, and you can enroll and create an account there. When authenticating to a service, copy the OTP from the tool and enter it to get authenticated.

2.26.1 Enrolling the TOTP Authenticator

To enroll the TOTP authenticator, follow the recommendations of your system administrator. You can enroll the TOTP method in any one of the following ways:

WARNING: The QR code formats used by the Advanced Authentication and Google Authenticator apps are different. Contact your system administrator to confirm which app is recommended for enrollment.

NetIQ Advanced Authentication App

To enroll the TOTP authenticator using the Advanced Authentication smartphone app, perform the following steps:

  1. Click the TOTP icon in Add Authenticator.

  2. (Optional) Specify a comment related to TOTP authenticator in Comment.

  3. (Optional) Select the preferred category from Category.

  4. Open the Advanced Authentication app on your phone.

  5. Tap Offline authentication.

  6. Tap + to add a new authenticator.

  7. Scan the QR code using the camera on your phone.

  8. Click Save in the Add TOTP authenticator page.

    A message Authenticator "TOTP" has been added is displayed.

  9. Tap the new authenticator and specify the account name and additional details in Account and Additional info, respectively, in the app.

  10. Click Save.

    HINT: If you are unable to scan the QR code with the Advanced Authentication app, perform the following steps:

    1. Zoom the page to 125-150%.

    2. Scan the zoomed QR code using the Google Authenticator app.

      Ensure that the mouse cursor is not overlapping the QR code.

    If you are still unable to scan the QR code, contact your system administrator.

Google Authenticator App

To enroll the TOTP authenticator using the Google Authenticator app, perform the following steps:

  1. Click the TOTP icon in Add Authenticator.

  2. (Optional) Specify a comment related to the TOTP authenticator in Comment.

  3. (Optional) Select the preferred category from Category.

  4. Open the Google Authenticator app on your phone.

  5. Tap BEGIN SETUP in the app.

  6. Tap Scan barcode to add a new authenticator in the app.

  7. Scan the QR code using the camera on your phone.

  8. Click Save.

    A message Authenticator "TOTP" has been added is displayed.

HINT: If you scan an Advanced Authentication app compatible QR code with the Google Authenticator app, the message Invalid barcode is displayed.

OATH Compliant Hardware Token

To enroll the TOTP authenticator using an OATH compliant hardware token, perform the following steps:

  1. Click the TOTP icon in Add Authenticator.

  2. (Optional) Specify a comment related to TOTP authenticator in Comment.

  3. (Optional) Select the preferred category from Category.

  4. Specify the token's serial number in OATH Token Serial.

    You can find the serial number on the back of the token.

  5. Press the button on the token and specify the one-time password in OTP.

  6. Click Save.

    A message Authenticator "TOTP" has been added is displayed.

Enrolling TOTP Manually

  1. Click the TOTP icon in Add Authenticator.

  2. (Optional) Specify a comment related to TOTP authenticator in Comment.

  3. (Optional) Select the preferred category from Category.

  4. Click + adjacent to Specify the TOTP secret manually.

  5. Specify 40 hexadecimal characters in Secret.

  6. Set Google Authenticator format of secret (Base32) to ON to display the Google Authenticator app compatible QR code.

    By default, Google Authenticator format of secret (Base32) is set to OFF and Advanced Authentication app compatible QR code is displayed.

    NOTE: The administrator can configure the Google Authenticator format of secret (Base32) option in the Administration portal, but you can override the administrator's setting here.

  7. Set the preferred value in Period. 30 seconds is set by default.

  8. Click Save.

    A message Authenticator "TOTP" has been added is displayed.

NOTE: If the administrator has disabled manual enrollment of TOTP in the Administration portal, the Specify the TOTP secret manually section is not displayed.
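The manual enrollment steps above work with a 40-hexadecimal-character secret and a switch between the Advanced Authentication QR format and the Google Authenticator (Base32) format. The following Python snippet is an added example, not code from this guide or from the NetIQ product, that shows what that switch means for the secret: the same 20 bytes are re-encoded from hex to Base32 and placed in an otpauth:// Key URI, which is the public Google Authenticator QR-code format. The seed value is constructed (it is the RFC 6238 reference test key "12345678901234567890" written in hex), the account and issuer names are placeholders, and the Advanced Authentication app's own QR layout is not described on this page, so it is not modelled.

```python
import base64
import binascii
from urllib.parse import quote

# Constructed example seed: the RFC 6238 reference key "12345678901234567890"
# written as the 40 hexadecimal characters the Secret field expects.
# Not a value taken from this guide.
EXAMPLE_HEX_SECRET = "3132333435363738393031323334353637383930"


def decode_hex_secret(hex_secret: str) -> bytes:
    """Validate and decode the 40-hex-character secret from the Secret field.

    40 hexadecimal characters encode exactly 20 bytes, the key length used
    with HMAC-SHA1, the default hash for TOTP apps such as Google Authenticator.
    """
    cleaned = hex_secret.strip().replace(" ", "")
    if len(cleaned) != 40:
        raise ValueError(f"secret must be 40 hexadecimal characters, got {len(cleaned)}")
    try:
        return binascii.unhexlify(cleaned)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("secret contains non-hexadecimal characters") from exc


def is_valid_hex_secret(hex_secret: str) -> bool:
    """True when the value passes the same checks the Secret field enforces (length and hex)."""
    try:
        decode_hex_secret(hex_secret)
        return True
    except ValueError:
        return False


def hex_to_base32(hex_secret: str) -> str:
    """Re-encode the hex secret in Base32, the 'Google Authenticator format of secret'.

    The key bytes do not change; only the text encoding differs. 20 bytes is a
    multiple of 5, so no '=' padding is produced, but it is stripped anyway
    because Key URIs carry unpadded Base32.
    """
    return base64.b32encode(decode_hex_secret(hex_secret)).decode("ascii").rstrip("=")


def build_key_uri(hex_secret: str, account: str, issuer: str,
                  period: int = 30, digits: int = 6) -> str:
    """Build an otpauth:// Key URI, the content of a Google Authenticator compatible QR code.

    'period' is the Period field (default 30 seconds) and 'digits' is the OTP
    length (4-10 in the Desktop OTP tool); both must match the server settings.
    """
    if not 4 <= digits <= 10:
        raise ValueError("digits must be between 4 and 10")
    if period <= 0:
        raise ValueError("period must be a positive number of seconds")
    label = quote(f"{issuer}:{account}", safe="")  # issuer:account, percent-encoded
    return (
        f"otpauth://totp/{label}?secret={hex_to_base32(hex_secret)}"
        f"&issuer={quote(issuer, safe='')}&algorithm=SHA1&digits={digits}&period={period}"
    )


if __name__ == "__main__":
    # Placeholder account and issuer; any QR encoder can render the URI that results.
    print(hex_to_base32(EXAMPLE_HEX_SECRET))
    print(build_key_uri(EXAMPLE_HEX_SECRET, "alice@example.com", "Example Corp"))
```

A QR code built from the Key URI scans in Google Authenticator; scanning it in the Advanced Authentication app, or the reverse, fails in the way the hints above describe, because the two apps expect different payloads even though the underlying secret is identical.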

Desktop OTP Tool

Before enrolling the TOTP authenticator using the link, ensure that the NetIQ Desktop OTP tool is installed on your system.

You can enroll the TOTP authenticator with the Desktop OTP tool in one of the following ways:

Enrolling with a Link

  1. Check your registered email or phone for the enrollment link.

  2. Click on the link.

    You are directed to the Desktop OTP tool.

  3. Specify your LDAP repository or local user name, password, and an optional comment in the NetIQ Advanced Authentication OTP Tool window.

  4. Click OK.

    The TOTP authenticator is created in the Desktop OTP tool and enrolled in the Self-Service portal.

Enrolling with a Secret Key

Advanced Authentication generates a secret key in the Specify the TOTP secret manually section of the Self-Service portal > TOTP > Add TOTP authenticator. You can enroll the TOTP authenticator manually with the Desktop OTP tool using this secret key as a seed.

  1. Click the TOTP icon in Add Authenticator.

  2. (Optional) Specify a comment related to the TOTP authenticator in Comment.

  3. (Optional) Select the preferred category from Category.

  4. Ensure the OATH Token Serial and OTP fields are empty.

  5. Click the + icon adjacent to Specify the TOTP secret manually.

  6. Click the lock icon adjacent to Secret and copy the 40 hexadecimal characters.

  7. Ensure that the option Google Authenticator format of QR code (Key URI) is set to OFF.

  8. Set the preferred value in Period. The default value is 30 seconds.

  9. Click Save.

    A message Authenticator "TOTP" has been added is displayed.

  10. Launch the Desktop OTP tool.

  11. Click Add by seed.

  12. Perform the following in the NetIQ Advanced Authentication OTP Tool window:

    • Specify a brief description related to the TOTP authenticator in Description.

    • Specify the length of the OTP in Number of digits (4-10). Ensure that the value in the Number of digits field of the OTP tool is the same as the OTP format configured in the Administration portal.

    • Specify the time interval to generate a new OTP in Period (sec). Ensure that the value in Period is the same in both the OTP tool and Self-Service portal.

    • Paste the secret that you copied in Step 6 into Secret (hex string).

  13. Click OK.

    This creates the TOTP authenticator in the Desktop OTP tool.

2.26.2 Testing the TOTP Authenticator

  1. Click the TOTP icon in Enrolled Authenticators.

  2. Click Test.

  3. Specify one-time password in Password.

  4. Click Next.

    If the test is successful, the message Authenticator "TOTP" passed the test is displayed. If the one-time password is invalid or the server time is not in sync, the message Incorrect OTP password is displayed.