7.9 Configuring One-Time Password

The one-time password (OTP) feature lets users create a TOTP secret when they enroll their mobile devices. You can also enable OTP as a verification method for the forgotten password process, and you can use OTP through a mobile application for authentication. To use this feature, users need a mobile application that implements the RFC 6238 (TOTP) generator, for example Google Authenticator or OTP Authenticator.

To use the OTP feature, set the OTP entry in the Verification Methods setting to Required. Users must then enroll their mobile devices when they log in.

NOTE: The clocks of the LDAP server, the Self Service Password Reset server, and the mobile device must be synchronized, because each 6-digit TOTP code is valid only for a 30-second time step. A time difference of up to 5 seconds is acceptable.

You can choose whether the forgotten password process uses challenge-response questions, OTP, or both, by using the Verification Methods setting under Forgotten Password Profiles. For more information about Forgotten Password Profiles, see Configuring a Profile for Forgotten Password Policy.

To configure one-time password:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor > Settings > One Time Password.

  4. Configure the following fields:

    Enable One Time Passwords

    Enable this option to turn on the one-time password feature and configure the settings that follow.

    Force Setup of One Time Passwords

    Select the appropriate option from the list.

    Force Setup

    Select this option to require users to configure a one-time password the first time they log in.

    Force Setup - but allow user to skip

    Select this option to prompt users to configure a one-time password the first time they log in, while allowing them to skip the configuration.

    If the verification method in the forgotten password policy sets challenge-response to required and OTP to optional, users are prompted to enroll for OTP but can skip the enrollment.

    Do not force setup

    Select this option if you do not want to force users to configure a one-time password when they log in.

    Self Service Password Reset still forces a user to configure a one-time password if no current valid secret is stored for that user, even if you select Do not force setup.

    OTP Secret Read Location

    Select where to read the OTP secret from. If you select an option that covers multiple locations, each location is read in turn until a stored secret is found.

    OTP Secret Write Location

    Select where to write the OTP secret. If you select an option that covers multiple locations, Self Service Password Reset writes to all of them when users enroll their OTP secret.

    Token Storage Method

    Select the storage format used to save one-time password secrets.

    PWM JSON

    Select this option to store the secret, descriptions, and recovery codes in the PWM native (JSON) format.

    Base32 secret

    Select this option to store only the TOTP secret as a Base32-encoded string. This format does not support recovery codes or counter-based tokens.

    OTP URL

    Select this option to store only the TOTP secret as an otpauth URL (the same form of the secret that an enrollment QR code carries). Like the Base32 secret format, it does not support recovery codes or counter-based tokens.

    PAM text

    Select this option to store the secret, descriptions, and recovery codes in the text file format used by the Google Authenticator PAM module.

    Encrypt OTP secret

    Enable this option to encrypt the stored OTP secret. Self Service Password Reset uses the Security Key to encrypt and decrypt token information, so all application instances must use the same Security Key. If you change the Security Key, Self Service Password Reset can no longer use the stored OTP secrets.

    OTP Secret LDAP Attribute

    Specify the LDAP attribute in which to store the OTP secret. This setting is used only when the OTP secret read or write location includes LDAP.

    OTP Secret Setup Permission

    Specify an LDAP search filter that selects the users who are allowed to set up an OTP secret. You can add multiple filters, and you can also select users by LDAP group name. To view the users who match the query, click View Matches.

    OTP Secret Identifier

    Specify the user identifier to link to the stored secret. You can use macros such as @User:Email@.

    OTP Recovery Codes

    Specify the number of OTP recovery codes to supply to users. Each recovery code can be used once to authenticate; recovery codes are intended for occasions when users lose access to their OTP devices. Specify 0 to disable recovery codes. Not all storage formats support recovery codes.

  5. Select Save changes.
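The following is an added example that illustrates the NOTE about clock synchronization and the Token Storage Method formats described in step 4. It is example code, not part of Self Service Password Reset or of this page: it generates RFC 6238 codes from a Base32 secret, shows which device clock offsets still validate for a given acceptance window, and renders the same secret in the Base32 secret, OTP URL and PAM text layouts. The secret is the RFC 4226/6238 test-vector key, the identifier jdoe@example.com and the issuer SSPR are placeholders, the PAM option lines are example defaults, and the skew window is an assumption of the example; the product's own acceptance window is not stated on this page beyond the 5-second figure.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# Constructed demo secret: the 20-byte RFC 4226/6238 test-vector key, not a real user's secret.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # TOTP time step used by Google Authenticator-style apps
DIGITS = 6          # code length referred to in the NOTE above


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (T = time // step)."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, server_time: int, skew_steps: int = 0) -> bool:
    """Accept the code if it matches the server's current step or any of the +/- skew_steps
    neighbouring steps. The window size is an assumption of this example; the page only
    states that a few seconds of drift are tolerated."""
    counter = server_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-skew_steps, skew_steps + 1)
    )


def drift_demo(server_time: int, device_offset: int, skew_steps: int = 0) -> bool:
    """Would a code from a device whose clock is off by device_offset seconds be accepted?"""
    code = totp(DEMO_SECRET, server_time + device_offset)
    return verify_totp(DEMO_SECRET, code, server_time, skew_steps)


def base32_secret(secret: bytes) -> str:
    """'Base32 secret' format: only the raw secret, Base32 encoded, padding stripped."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def otpauth_url(secret: bytes, identifier: str, issuer: str) -> str:
    """'OTP URL' format: the same secret as an otpauth:// URL, which is also what an
    enrollment QR code carries. Label layout follows the Google Authenticator key URI
    convention; identifier and issuer are placeholder values chosen for this example."""
    label = f"{quote(issuer)}:{quote(identifier)}"
    return (f"otpauth://totp/{label}?secret={base32_secret(secret)}"
            f"&issuer={quote(issuer)}&digits={DIGITS}&period={STEP_SECONDS}")


def new_recovery_codes(count: int) -> list:
    """Single-use recovery codes, 8 digits each (the length the PAM module's scratch codes
    use); count=0 yields none, mirroring the OTP Recovery Codes setting."""
    return [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(count)]


def pam_text(secret: bytes, recovery_codes: list) -> str:
    """'PAM text' format as the Google Authenticator PAM module reads it: Base32 secret on
    the first line, '" ' option lines, then one scratch (recovery) code per line.
    The option values here are example defaults, not values taken from the page."""
    lines = [base32_secret(secret), '" RATE_LIMIT 3 30', '" WINDOW_SIZE 17', '" TOTP_AUTH']
    lines.extend(recovery_codes)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the 8-digit code is 94287082, so the 6-digit form is 287082.
    print("TOTP at T=59:", totp(DEMO_SECRET, 59))
    t = 1111111100
    for skew in (0, 1):
        print(f"skew window {skew} step(s):",
              {off: drift_demo(t, off, skew) for off in (-25, 5, 25, 70)})
    print(otpauth_url(DEMO_SECRET, "jdoe@example.com", "SSPR"))
    print(pam_text(DEMO_SECRET, new_recovery_codes(2)), end="")
```

Running the block prints the acceptance table for device offsets of -25, +5, +25 and +70 seconds: with a window of only the current step, a 25-second offset already fails; with one neighbouring step on each side, 25 seconds passes but 70 seconds still fails. Note that even a 5-second offset fails under the strict window whenever it crosses a 30-second boundary (try t = 1111111108 with offset 5), which is why the servers and devices must be kept in sync rather than relying on the tolerance alone.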