3.16 Configuring One Time Password

The One Time Password feature enables users to create a secret when they enroll their device.

You can enable one time password (OTP) so that users can use it to reset their password during the forgotten password process. You can enable OTP through a mobile application for authentication. To use this feature, you need a mobile application that contains an RFC 6238 (TOTP) generator, such as Google Authenticator or OTP Authenticator.

To use the OTP feature, the Verification Methods setting must be set to Required, and users must enroll their mobile device when they log in.

NOTE: The clocks (in seconds) of the LDAP server, the SSPR server and the mobile device must be synchronized, because each 6-digit TOTP is valid for only 30 seconds. A time difference of up to 5 seconds is acceptable.
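As an added example (not code from SSPR or its documentation), the check below implements what the note describes: a 6-digit, 30-second RFC 6238 TOTP derived from a Base32 secret, accepted by the server only if its own clock, allowing for a 5-second difference, lands in the same time step the device used. The secret is the public RFC 6238 test-vector key, not a real user's secret, and all function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

# Public RFC 6238 test-vector key ("12345678901234567890"), Base32-encoded the
# way the "Base32 secret" storage format keeps it. Not a real user's secret.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30      # time step of the 6-digit TOTP
DIGITS = 6
CLOCK_TOLERANCE = 5    # seconds of clock difference the note calls acceptable


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of elapsed time steps.
    This is what the authenticator app computes from the device clock."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // step)


def verify_totp(secret_b32: str, code: str, server_time: int,
                tolerance: int = CLOCK_TOLERANCE, step: int = STEP_SECONDS) -> bool:
    """Server-side check: accept `code` if it matches the TOTP of any time
    step that server_time +/- tolerance falls into. With a 5 s tolerance the
    neighbouring step is only tried when the server is within 5 s of a step
    boundary, so a device clock that drifts further than that is rejected."""
    secret = base64.b32decode(secret_b32, casefold=True)
    first = (server_time - tolerance) // step
    last = (server_time + tolerance) // step
    # Compare in constant time; a plain == would leak match length by timing.
    return any(hmac.compare_digest(code, hotp(secret, c))
               for c in range(first, last + 1))


if __name__ == "__main__":
    device_time = 1111111109           # device clock when the app showed the code
    shown = totp(SECRET_B32, device_time)
    print("device shows", shown)                                              # 081804
    print("server 3 s ahead:", verify_totp(SECRET_B32, shown, device_time + 3))   # True
    print("server 11 s ahead:", verify_totp(SECRET_B32, shown, device_time + 11)) # False
```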

You can choose to include challenge response or OTP in the forgotten password process by using the Verification Methods setting under Forgotten Password Profiles. For more information about Forgotten Password Profiles, see Configuring Forgotten Password Policy for a Profile.

To configure one time password, perform the following:

  1. On the Configuration Editor page, click Settings > One Time Password.

  2. On the right pane, configure the following settings (each field is followed by its description):

    Enable One Time Passwords
        Enable this setting to turn on and configure the one time password settings.

    Force Setup of One Time Passwords
        Select the appropriate option from the drop-down list. If one time password is enabled, the user is directed to configure a one time password secret when logging in. The user is forced to configure a one time password only if they do not have a current valid secret stored.

        Force Setup: Select this option to require the user to configure a one time password when they log in for the first time.

        Force Setup - but allow user to skip: Select this option to let the user either configure a one time password or skip the configuration when they log in for the first time. If the verification method in the forgotten password policy sets challenge/response as required and OTP as optional, users are prompted to enroll for OTP but can skip enrolling.

        Do not force setup: Select this option if you do not want to force the user to configure a one time password when they log in.

    OTP Secret Read Location
        Specify the location from which SSPR reads the one time password secret.

    OTP Secret Write Location
        Select the location where SSPR saves the one time password secret. The storage method is saved when users configure their response answers.

    Token Storage Method
        Select the storage format used to save the one time password secrets.

        PWM JSON: Stores the secret, descriptions and recovery codes in the PWM native (JSON) format.

        Base32 secret: Stores only the TOTP secret as a Base32-encoded string. This format does not support recovery codes or counter-based tokens.

        OTP URL: Stores only the TOTP secret as a Base32-encoded string. This format does not support recovery codes or counter-based tokens.

        PAM text: Stores the secret, descriptions and recovery codes in the text file format used by the Google Authenticator PAM module.

    Encrypt OTP secret
        Enable this setting to encrypt the OTP secret. The Security Key is used to encrypt and decrypt token information. Different application instances must use the same Security Key. If the Security Key is changed, the stored OTP secrets can no longer be used.

    OTP Secret LDAP Attribute
        Specify the LDAP attribute in which the OTP secret is stored. This setting is used only when the storage method is set to LDAP.

    OTP Secret Setup Permission
        Set an LDAP search filter query for the users who are allowed to set up an OTP secret. You can add multiple filters by providing the object class. You can also search users by providing the LDAP group name. You can add multiple filters and groups. To view the list of users who match the query.

    OTP Secret Identifier
        Specify the user identifier that is linked to the stored secret. You can use macros such as @User:Email@.

    OTP Recovery Codes
        The number of OTP recovery codes to supply to the user. Each recovery code can be used once to authenticate; they are intended for occasions when the user loses access to their OTP device. Set to zero to disable recovery codes. Not all storage formats support recovery codes.