9.3 Configuring the TOTP Tool for Two-Factor Authentication Using Google Authenticator

The Time-Based One-Time Password (TOTP) tool in CloudAccess supports the use of one-time passwords (OTPs) for two-factor authentication of users as they access applications through CloudAccess. With two-factor authentication, users must provide two categories of authentication factors before they can access the applications. The authentication factors used by the TOTP tool are:

  • Something the user knows: The first authentication factor requires something the user knows, such as the password for the user’s single-sign-on user name.

  • Something the user has: The second authentication factor requires something the user has, such as a mobile device running Google Authenticator to generate time-based one-time passwords.

    Google Authenticator is a free software-token app that users deploy on their mobile devices. Authenticator generates time-based OTPs for authentication, without requiring an Internet connection or cellular service.

If users construct strong passwords and protect them, one-factor authentication is a reasonable baseline, but it is only as strong as the password itself, which can be guessed, phished, or reused from another site. Two-factor authentication adds an independent second factor that an attacker who knows the password does not possess, which strengthens the assurance of the user's identity and reduces the risk of unauthorized access to your applications and data. Users still enjoy the convenience of single sign-on, but the access is more secure.

The following sections describe how to set up and use TOTP for CloudAccess:

  • Section 9.3.1, Configuring the TOTP Tool

  • Section 9.3.2, Registering a Mobile Device with the TOTP Tool for OTP Generation

  • Section 9.3.3, Using Two-Factor Authentication at Login

  • Section 9.3.4, Resetting a Device (Unregistering a Device)

9.3.1 Configuring the TOTP Tool

You can enable the Time-Based One-Time Password tool to require users to use two-factor authentication when logging in through CloudAccess.

To configure the TOTP tool:

  1. Log in with an appliance administrator account to the administration console at https://appliance_dns_name/appliance/index.html.

  2. Drag the TOTP Tool icon from the Tools palette to the Tools panel.

  3. Click the TOTP icon on the Tools panel, then click Configure.

  4. (Optional) Specify the Validity Time.

    Specify an integer value from 2 to 10. The default value is 5. A shorter validity time is more secure, because a code that is observed or intercepted can be replayed for a shorter period; it also leaves less tolerance for clock drift between the appliance and the user's mobile device, so users whose device clocks are poorly synchronized may see otherwise correct codes rejected.

  5. Click the Applications tab, then select the check box next to one or more applications to enable them for TOTP.

    By default, no applications are enabled for TOTP.

    When a user registers an authentication device, the device and authentication codes apply to all TOTP-enabled applications.

  6. Click OK to save the setting and enable the TOTP tool.

  7. Click Apply to activate the TOTP configuration.

  8. Wait while the service is activated across all nodes in the cluster. Do not attempt other configuration actions until the activation completes successfully.

    In the Appliances pane, a green gear icon spins on top of each node until the activation is complete across all nodes in the cluster.

9.3.2 Registering a Mobile Device with the TOTP Tool for OTP Generation

After you enable the TOTP tool, users are prompted to register a device to use for the additional verification the next time they sign in to CloudAccess. Each user must register a mobile device for generating the user’s one-time passwords. For the initial setup, the user should use a web browser on a computer other than the mobile device where the one-time passwords will be generated.

The One-Time Authentication Code page displays a QR code and its equivalent secret key. The user deploys the Google Authenticator app on a mobile device, and sets up an account for CloudAccess by using the shared key. The user can scan the QR code or manually enter the key. When the app runs, it generates a new one-time password every 30 seconds. The secret key is the sensitive value in this exchange: anyone who obtains it can generate the user's codes, so the user should not write it down, photograph the page, or share it.

Before registering a device, the following setup is required:

  • The user must be an authorized user of CloudAccess with a valid user name and password.

  • The user must have access to a computer running a supported web browser.

    For a list of supported web browsers, see Table 2-2, Product Requirements.

  • The user must use a supported mobile device.

    For a list of supported mobile device platforms, see Table 2-2, Product Requirements.

  • The user must install the Google Authenticator app on the mobile device.

To register a mobile device for use with the TOTP tool:

  1. (Conditional) If the Google Authenticator mobile app is not already installed on the mobile device, download and install it.

    1. Visit the app store for your mobile device.

    2. Search for Google Authenticator.

    3. Download and install the app.

  2. From a computer that will not be used as the OTP device, access CloudAccess either directly or through a SAML2 redirect.

  3. On the CloudAccess login page, enter your network user name and password (your normal identity source login credentials).

    A message displays a QR code (and its equivalent secret key) to use for the TOTP registration.

    If you are not prepared to register your mobile device at this time, you can cancel the registration process by closing the tab or your browser. On your next login, CloudAccess generates a new secret key, and prompts you to register a device with a new key.

  4. On your mobile device, use the Google Authenticator app to scan the displayed QR code, and register the device with CloudAccess. You can alternatively type the secret key.

    1. On your mobile device, open the Google Authenticator app.

    2. Select Settings > Add an account.

    3. Use either of the following methods to configure the account:

      • Scan a barcode:

        1. Select Scan a barcode.

        2. Use your device’s camera to scan the QR code that appears on the CloudAccess One-Time Authentication Code page.

      • Enter provided key:

        1. Select Time Based.

        2. Select Enter provided key.

        3. Type the 16-character secret key that appears on the CloudAccess One-Time Authentication Code page. The key is case sensitive. Do not add spaces or stray characters.

    4. Specify a unique name for the account.

    5. Tap Done.

  5. On the mobile device, view the 6-digit code that Google Authenticator displays for CloudAccess. This is your OTP.

  6. On the computer on the One-Time Authentication Code page, type the OTP, then click Sign In.

    CloudAccess confirms that the mobile device is registered, and the login is successful.

    If the code does not validate, the registration page is redisplayed with the current secret key. You can generate a new code, and try again. The code might not validate if you enter an expired code, you do not enter a code, you mistype the code, you make an error when setting up the secret key for the account in Google Authenticator, or the clock on the mobile device is significantly out of sync with the appliance.

  7. To log in to your account from the mobile device, log in to CloudAccess as described in Using Two-Factor Authentication at Login.

    On successful authentication, you can access the apps icons for the authorized services and resources associated with your user identity. Access is granted only for the duration of that session.

To deregister a mobile device:

  1. Access CloudAccess, either directly or through a SAML2 redirect.

  2. Log in and authenticate as described in Using Two-Factor Authentication at Login.

  3. Click the My Devices icon.

  4. In the Registered Devices list, select the mobile device.

  5. Click the Delete icon for the device.

  6. In the Unregister Device window, click OK to confirm.

    At your next login, CloudAccess prompts you to register a device before you can access applications that require two-factor authentication.

9.3.3 Using Two-Factor Authentication at Login

When two-factor authentication is enabled for CloudAccess, a user must provide login credentials and a one-time authentication code to gain access to TOTP-enabled applications. The code is a 6-digit number generated for CloudAccess by the Google Authenticator app that is running on the user’s mobile device. The user must have already registered the mobile device with CloudAccess, as described in Registering a Mobile Device with the TOTP Tool for OTP Generation.

The user should enter the newly generated code as soon as possible after it appears in the Google Authenticator app. Each OTP is derived from the secret of one user's registered device, is valid for 30 seconds, and cannot be reused after the user successfully logs in with it. Access is granted only for the duration of that session.

To log in to CloudAccess using two-factor authentication:

  1. Access CloudAccess, either directly or through a SAML2 redirect.

  2. On the login page, enter your network user name and password (your normal identity source login credentials).

    CloudAccess verifies the credentials against a defined identity source. If all applications require two-factor authentication, the One-Time Authentication Code page appears and prompts you to enter the code. Otherwise, CloudAccess displays the page when you first click any one of the applications that require it.

  3. Use Google Authenticator to generate a new one-time password, and enter the code on the CloudAccess One-Time Authentication Code page.

    If you enter the code incorrectly, you can try again with the same code until it expires. Google Authenticator generates a new OTP every 30 seconds.

    On successful authentication, you can access the apps icons for the authorized services and resources associated with your user identity. Each session requires only a single successful authentication.
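The mechanics behind the registration and login steps above, shown as an added Python example. This is not CloudAccess code and makes no claim about how the appliance is implemented; it implements the RFC 6238 algorithm that Google Authenticator runs (HMAC-SHA1, 30-second step, 6 digits), builds the otpauth:// provisioning URI that a Google Authenticator QR code carries, and shows the two server-side checks a verifier needs: a drift window of accepted time steps (the assumed meaning of the Validity Time setting, whose units the page does not state) and rejection of a code that has already been used for a login. The names new_secret, provisioning_uri, TotpVerifier and the window parameter are illustrative, and the secret used in the comments is the RFC 6238 test vector, not a CloudAccess value.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP_SECONDS = 30  # Google Authenticator rotates the code every 30 s
DIGITS = 6         # length of the code the app displays


def new_secret(num_bytes: int = 10) -> str:
    """Random shared secret, base32-encoded. 10 random bytes give the
    16-character key shown next to the QR code at registration."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Key URI in the format the Google Authenticator app scans from a QR code
    (assumption: the CloudAccess QR code carries the same standard format)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238: HOTP (RFC 4226) over the number of 30-second steps elapsed.
    With the RFC test secret GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ, time 59 -> 287082."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class TotpVerifier:
    """Server-side check with two properties the login page relies on:
    - a code is accepted only from a step within +/- `window` steps of now
      (tolerates clock drift; a smaller window is stricter), and
    - a step that already produced a successful login is never accepted again
      for that user, so a code cannot be replayed after it was used."""

    def __init__(self, window: int = 1):
        self.window = window
        self.last_used_step: dict[str, int] = {}   # persist per user in practice

    def verify(self, user: str, secret_b32: str, code: str, now: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        current = int(now) // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            expected = totp(secret_b32, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):   # constant-time compare
                if self.last_used_step.get(user, -1) >= step:
                    return False                      # replay of a burned code
                self.last_used_step[user] = step
                return True
        return False


if __name__ == "__main__":
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key
    print(provisioning_uri(rfc_secret, "alice@example.com", "CloudAccess"))
    v = TotpVerifier(window=1)
    print(v.verify("alice", rfc_secret, totp(rfc_secret, 59), 59))  # True
    print(v.verify("alice", rfc_secret, totp(rfc_secret, 59), 59))  # False, replay
```

The replay record must live in durable, per-user storage (the page stores the registered device and secret on the user's identity object; the last accepted step would need similar treatment) so that a code cannot be reused against a different cluster node, and the window should be kept small for the same reason the page recommends a short Validity Time.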

9.3.4 Resetting a Device (Unregistering a Device)

Each user can register a single device to use for generating one-time passwords. Resetting a device for a user’s account unregisters the user’s current device. The next time the user logs in, the TOTP tool creates a new secret key for the account.

An administrator can reset a device for a user account:

  • To allow the user to register a different device

  • To revoke access for a registered device that is lost or stolen

Information about a user's registered device and secret key is part of the user's identity information in the identity source. This information is deleted automatically if a user's identity object is permanently deleted from the identity source. If the user's identity object is only disabled, the information is retained with the user's object.

If the Time-Based One-Time Password tool is disabled, CloudAccess no longer prompts users for an OTP at login. However, information about each user's registered device and secret key continues to be stored in the user's identity object in the identity source, and is used again if the tool is re-enabled. The OTPs generated for the user's CloudAccess account by the Google Authenticator app are no longer needed at login.

After a device is unregistered, the OTPs generated for the user’s CloudAccess account by the Google Authenticator app are no longer valid. At the user’s next login, the TOTP tool generates a new secret key for the user, and the user must register a device to work with it.

Users can reset a device for their own account, and do not need administrator approval or permission to reset a Google TOTP registration. Administrators can also reset or unregister devices for other users as needed. Because a reset replaces the second factor, treat an administrator-initiated reset like a password reset: confirm the user's identity through a channel other than the CloudAccess login before resetting a device reported lost or stolen.

To reset (unregister) a device for your own account:

  1. Log in with your appliance user name and password.

  2. Click your name in the top right corner to display the drop-down menu.

  3. Click Reset One Time Password.

  4. Click Yes to confirm that you want to reset your TOTP password.

To reset (unregister) a device for a user account as an administrator user:

  1. Log in with an appliance administrator account to the administration console at https://appliance_dns_name/appliance/index.html.

  2. Click the Devices icon.

  3. In the User field, type in the user name of the account for which you need to reset TOTP.

  4. Click Reset One Time Password for First-name Last-name, where First-name Last-name is the display name of the selected user.