9.19.2 TOTP

TOTP is a time-based one-time password. To configure the TOTP authenticator, you can specify the following parameters:

  • OTP period (sec): How often a new OTP is generated. The default value is 30 seconds. The maximum value for the OTP period is 360 seconds.

  • OTP format: The number of digits in the OTP token. The default value is 6 digits. The value must match the number of digits produced by the tokens you are using.

  • OTP window: The number of periods that the Advanced Authentication server uses for TOTP generation. For example, if you have a period of 30 and a window of 4, then the token is valid for 2*30 seconds before the current time and 2*30 seconds after the current time, which is ±2 minutes. This tolerance is needed because the clocks of the token and the server can be out of sync, which may affect authentication. The maximum value for the OTP window is 64 periods.

    IMPORTANT: Using an OTP window of 32 or higher with a 4-digit OTP is not recommended because it reduces security.

  • Google Authenticator format of QR code (Key URI): Option to display the QR code for the TOTP enrollment of the software token in a format that is compatible with the Google Authenticator, Microsoft Authenticator, or NetIQ Advanced Authentication apps. When you disable the option, the displayed QR code can be scanned only with the NetIQ Advanced Authentication app. Enable the option to allow enrollment with the Google Authenticator or Microsoft Authenticator apps. A QR code in the Google Authenticator format can also be scanned with the NetIQ Auth app (supported by the latest iOS and Android apps).

    IMPORTANT: OTP format must be set to 6 digits when you use the Google Authenticator format of QR code.

  • Allow manual enrollment: When you enable the option, the Specify the TOTP secret manually section is displayed on the TOTP enrollment page of the Self-Service portal with the following parameters: Secret, Period, and Google Authenticator format of secret (Base32). By default, the option is disabled and the settings are hidden. Enabling the option may result in security risks.

  • Disable self enrollment: This option disables manual enrollment of the TOTP method in the Self-Service portal. The option is enabled by default. When enabled, the TOTP method is unavailable in the old Self-Service portal and not displayed in the new Self-Service portal.

  • Hide TOTP on a rooted smartphones: Enable this option to hide the OTP on a rooted smartphone. By default, the option is disabled.
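
The following is an added example, not code from the product or from this guide: a minimal RFC 6238 verifier showing how the OTP period, OTP format, and OTP window settings interact, and why a wide window combined with 4-digit codes raises the chance that a random guess is accepted. It assumes HMAC-SHA1 and that half of the window lies on each side of the current time step, as in the period 30 / window 4 case above; all function names are illustrative.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP for the time step that contains unix_time."""
    return hotp(secret, unix_time // period, digits)


def accepted_steps(unix_time: int, period: int, window: int) -> range:
    """Time steps the server accepts. Assumption: half the window lies on
    each side of the current step (period 30, window 4 -> 2 steps each way)."""
    current = unix_time // period
    half = window // 2
    return range(max(0, current - half), current + half + 1)


def verify(secret, code, unix_time, period=30, digits=6, window=4) -> bool:
    """Accept the code if it matches any time step inside the window."""
    ok = False
    for step in accepted_steps(unix_time, period, window):
        # compare_digest avoids leaking how many digits matched via timing.
        ok |= hmac.compare_digest(hotp(secret, step, digits), code)
    return ok


def guess_probability(digits: int, window: int) -> float:
    """Chance that a single random guess matches some accepted code."""
    valid_codes = 2 * (window // 2) + 1
    return 1 - (1 - 10 ** -digits) ** valid_codes


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    print("code at t=59:", totp(secret, 59, digits=8))
    for digits, window in [(6, 4), (4, 4), (4, 32), (4, 64)]:
        p = guess_probability(digits, window)
        print(f"digits={digits} window={window} p(one guess)={p:.6f}")
```

Under this assumption, a 4-digit OTP with a window of 32 leaves 33 codes valid at once, so the per-guess success rate is hundreds of times higher than for the default 6-digit format with a window of 4; rate limiting and lockout on failed attempts matter more as the window grows.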

You must perform the following tasks to allow users to enroll the TOTP method using the Desktop OTP tool: