3.26 TOTP

The TOTP method enables you to authenticate using a time-based one-time password (TOTP). The TOTP is generated on a hardware token, the Desktop OTP tool, or a mobile app such as the NetIQ Advanced Authentication app or the Google Authenticator app. The TOTP is valid only for a short duration: this method uses a predefined period, and the default value is 30 seconds.

You can enroll the TOTP authenticator using the Desktop OTP tool. To start the tool, use the link that your administrator sends you. When you click the link, the Desktop OTP tool opens and you can enroll and create an account. When authenticating to any service, copy the OTP from the tool and use it to authenticate.

3.26.1 Enrolling the TOTP Authenticator

To enroll the TOTP authenticator, follow the recommendations of your system administrator. You can enroll the TOTP method in any one of the following ways:

WARNING:The QR code formats used by the Advanced Authentication and Google Authenticator apps are different. Contact your system administrator to confirm which app is recommended for enrollment.

NetIQ Advanced Authentication App

To enroll the TOTP authenticator using the Advanced Authentication smartphone app, perform the following steps:

  1. Click the Add icon in Your Enrolled Single Methods for sign in on the Authentication Methods page.

  2. Click the TOTP icon in Available Methods for Enrollment.

  3. (Optional) Specify Display Name for ease of locating the authenticator.

  4. Click Get QR Code.

  5. Open the Advanced Authentication app on your phone.

  6. Tap Offline authentication.

  7. Tap + to add a new authenticator.

  8. Scan the QR code using the camera on your phone.

  9. Click Save in the Add TOTP authenticator page.

    A message The "TOTP" authenticator has been saved is displayed.

  10. Tap the new authenticator and specify account name and additional details in Account and Additional info respectively in the app.

  11. Click Save.

    HINT:If you are unable to scan the QR code with the Advanced Authentication app, perform the following steps:

    1. Zoom the page to 125 - 150%.

    2. Scan the zoomed QR code using the Google Authenticator app.

      Ensure that the mouse cursor is not overlapping the QR code.

    If you are still unable to scan the QR code, contact your system administrator.

Google Authenticator App

To enroll the TOTP authenticator using the Google Authenticator app, perform the following steps:

  1. Click the Add icon in Your Enrolled Single Methods for sign in on the Authentication Methods page.

  2. Click the TOTP icon in Available Methods for Enrollment.

  3. (Optional) Specify Display Name for ease of locating the authenticator.

  4. Specify any identifier text in Service Name that helps you locate the authenticator quickly when there is more than one authenticator in the application. This field is used when you enroll TOTP authentication with a third-party application such as Google Authenticator or Microsoft Authenticator.

  5. Specify the user name in Account Name. This name appears in the application after enrollment and helps you identify the account when there is more than one authenticator in the application.

  6. Open the Google Authenticator app on your phone.

  7. Tap BEGIN SETUP in the app.

  8. Tap Scan barcode to add a new authenticator in the app.

  9. Scan the QR code using the camera on your phone.

  10. Click Save.

    A message The "TOTP" authenticator has been saved is displayed.

HINT:If you scan an Advanced Authentication app compatible QR code with the Google Authenticator app, the message Invalid barcode is displayed.

OATH Compliant Hardware Token

To enroll the TOTP authenticator using an OATH compliant hardware token, perform the following steps:

  1. Click the Add icon in Your Enrolled Single Methods for sign in on the Authentication Methods page.

  2. Click the TOTP icon in Available Methods for Enrollment.

  3. (Optional) Specify Display Name for ease of locating the authenticator.

  4. (Optional) Select the preferred category from Category.

  5. Specify the token's serial number in OATH Token Serial Number.

    You can find the serial number on the back of the token.

  6. Press the button on the token and specify the one-time password in OTP.

  7. Click Finish.

    A message The "TOTP" authenticator has been saved is displayed.

Enrolling TOTP Manually

  1. Click the Add icon in Your Enrolled Single Methods for sign in on the Authentication Methods page.

  2. Click the TOTP icon in Available Methods for Enrollment.

  3. (Optional) Specify a comment related to TOTP authenticator in Comment.

  4. (Optional) Select the preferred category from Category.

  5. Click + adjacent to Specify the TOTP secret manually.

  6. Specify 40 hexadecimal characters in Secret.

  7. Set Google Authenticator format of secret (Base32) to ON to display a QR code compatible with the Google Authenticator app.

    By default, Google Authenticator format of secret (Base32) is set to OFF and a QR code compatible with the Advanced Authentication app is displayed.

    NOTE:The administrator has the privilege to configure the Google Authenticator format of secret (Base32) option in the Administration portal, but you can override the administrator's setting.

  8. Set the preferred value in Period. The default is 30 seconds.

  9. Click Save.

    A message The "TOTP" authenticator has been saved is displayed.

NOTE:If the administrator has disabled the manual enrollment of TOTP in the Administration portal, then the Specify the TOTP secret manually section is not displayed.

Desktop OTP Tool

Before enrolling the TOTP authenticator using the link, ensure that the NetIQ Desktop OTP tool is installed on your system.

  1. Check your registered email or phone for the enrollment link.

  2. Click on the link.

    You are directed to the Desktop OTP tool.

  3. Specify your LDAP repository or local user name, password, and an optional comment in the NetIQ Advanced Authentication OTP Tool window.

  4. Click OK.

    The TOTP authenticator is created in the Desktop OTP tool and enrolled in the Self-Service portal.

3.26.2 Testing the TOTP Authenticator

  1. Click the TOTP icon in Your Enrolled Single Methods for sign in.

  2. Click Test Method.

  3. Specify one-time password in Password.

  4. Click Next.

    If the test is successful, the message Test Successful is displayed. If the one-time password is invalid or the server time is not in sync, the message Incorrect OTP password is displayed.
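The following Python is an added illustration, not code from this guide or from the NetIQ product. It computes a standard RFC 6238 TOTP from a 40-hexadecimal-character secret like the one entered in manual enrollment, shows the Base32 form of that same secret that the Google Authenticator format toggle produces, and verifies a code with a one-period tolerance so that a clock more than one step out of sync fails, which is the situation the test step above reports as Incorrect OTP password. The secret is a constructed sample, and the period and digit count default to 30 seconds and 6 digits.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: 40 hexadecimal characters (20 bytes), the
# length the manual enrollment form asks for. Not a real enrolled secret.
SAMPLE_SECRET_HEX = "3132333435363738393031323334353637383930"


def secret_to_base32(secret_hex):
    """Return the same 20-byte secret in the Base32 form that the
    Google Authenticator app expects (what the Base32 toggle emits)."""
    return base64.b32encode(bytes.fromhex(secret_hex)).decode("ascii")


def totp(secret_hex, unix_time, period=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: the counter is floor(time / period)."""
    counter = int(unix_time) // period
    msg = struct.pack(">Q", counter)
    mac = hmac.new(bytes.fromhex(secret_hex), msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_hex, submitted, unix_time, period=30, skew_steps=1):
    """Accept the code for the current step and skew_steps neighbours.
    A device whose clock drifts beyond that window is rejected, which is
    the 'server time is not in sync' failure described in the test step."""
    for step in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret_hex, unix_time + step * period, period)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    print("Base32 secret for Google Authenticator:", secret_to_base32(SAMPLE_SECRET_HEX))
    print("Current TOTP:", totp(SAMPLE_SECRET_HEX, now))
```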