Configuring an OTP enrollment mechanism

Use this mechanism to add TOTP or HOTP enrollments by using a QR code or a manual code.

About this task

This task describes the steps and properties for configuring an OTP Enrollment mechanism. For more information about authenticating with these enrollments, see:

Procedure

  1. Log in to the local management interface.
  2. Click AAC.
  3. Under Policy, click Authentication.
  4. Click Mechanisms.
  5. Click OTP Enrollment.
  6. Click Modify.
  7. Click the Properties tab.
    1. Select a property that you want to configure.
    2. Click Modify.
    3. Enter the value for that property.
    4. Click OK.
  8. Note the properties for the mechanism.
    TOTP
    Generation Interval
    The number of seconds an interval lasts. This number determines how long a one-time password is valid before the next one-time password is generated.

    The default is 30.

    Common
    Password Length
    The length of the generated one-time passwords, which can be 6 to 9 digits.

    The default is 6.

    Generation Algorithm
    The algorithm that is used to generate the one-time password. Valid options include the following algorithms:
    • HmacSHA1
    • HmacSHA256
    • HmacSHA512

    The default algorithm is HmacSHA1.

    Secret key URL
    The URL that is used to deliver the secret key. The QR code is also generated by using this URL. The URL format can include information specific to your environment, such as your company name.
    The default URL is:
    otpauth://@OTP_METHOD@/Example:@USER_NAME@?secret=@SECRET_KEY@&issuer=Example&algorithm=@ALGORITHM@&digits=@DIGITS@&period=@PERIOD@&counter=0
    The URL supports the following macros, which can be positioned wherever their corresponding values belong.
    @SECRET_KEY@
    The secret key.
    @USER_NAME@
    The username of the authorized user who logs in.
    @ALGORITHM@
    The one-time password generation algorithm.
    @DIGITS@
    The one-time password length.
    @PERIOD@
    The one-time password generation interval.
    @COUNTER@
    The one-time password counter.
    Secret key attribute namespace
    The attribute namespace of the secret key. The namespace is combined with the attribute name to create the identifier for the attribute in the database.
    For example: urn:ibm:security:otp:hmac
    Secret Key Length
    The length of the secret key, which can be set to 16, 32, or 64.

    The default setting is 32.

    Type
    The type of enrollment to offer to the user. Valid values are totp, hotp, or both. If set to both, the mechanism prompts the user to choose between TOTP and HOTP. If set to a specific type, the choice is skipped.

    The default setting is both.

    Enrollment Template Page
    The path of the template page that is sent to the user with the QR code and manual code.

    The default path is /authsvc/authenticator/otp/enroll.html.

    Error Template Page
    The path of the template page that is sent to the user when an error occurs.

    The default path is /authsvc/authenticator/otp/error.html.

    Enable Re-enrollment
    If set to true, when a user attempts to add a second enrollment of the same type that uses the same Secret Key Attribute Name and Namespace, the pre-existing enrollment is removed. If set to false, an error is returned instead.

    The default setting is false.

    Validate Enrollment
    If set to true, the user must successfully validate a one-time password after enrolling, but before the enrollment is saved.

    The default setting is true.

  9. Click Save.
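
As an added example that is not part of this documentation or the product's own code, the following Python shows how the properties above fit together: it expands the default Secret key URL template into the otpauth URL that the QR code encodes, and then derives the codes an authenticator computes from that URL (RFC 4226 HOTP and RFC 6238 TOTP) using the configured Generation Algorithm, Password Length and Generation Interval, ending with the kind of check the Validate Enrollment property describes. It assumes that each @MACRO@ is replaced verbatim with the configured value and that the secret is carried as a base32 string, as otpauth URLs require.

```python
import base64
import hashlib
import hmac
import struct

# The page's default Secret key URL template with its @MACRO@ placeholders.
DEFAULT_URL = ("otpauth://@OTP_METHOD@/Example:@USER_NAME@?secret=@SECRET_KEY@"
               "&issuer=Example&algorithm=@ALGORITHM@&digits=@DIGITS@"
               "&period=@PERIOD@&counter=0")

# Map the mechanism's Generation Algorithm names onto hash functions.
DIGESTS = {"HmacSHA1": hashlib.sha1, "HmacSHA256": hashlib.sha256,
           "HmacSHA512": hashlib.sha512}

def expand_url(template, otp_method, user_name, secret_key, algorithm,
               digits, period, counter=0):
    """Substitute the mechanism's macros into the Secret key URL template
    (assumed: each macro is replaced verbatim with the configured value)."""
    values = {"@OTP_METHOD@": otp_method, "@USER_NAME@": user_name,
              "@SECRET_KEY@": secret_key, "@ALGORITHM@": algorithm,
              "@DIGITS@": str(digits), "@PERIOD@": str(period),
              "@COUNTER@": str(counter)}
    for macro, value in values.items():
        template = template.replace(macro, value)
    return template

def hotp(secret_b32, counter, digits=6, algorithm="HmacSHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time, period=30, digits=6, algorithm="HmacSHA1"):
    """RFC 6238: HOTP with counter = floor(time / Generation Interval)."""
    return hotp(secret_b32, int(unix_time) // period, digits, algorithm)

def validate_enrollment(secret_b32, user_code, unix_time, period=30, digits=6,
                        algorithm="HmacSHA1", skew=1):
    """The Validate Enrollment check: the code typed back from the newly
    enrolled authenticator must match, allowing +/- skew intervals of clock drift."""
    for step in range(-skew, skew + 1):
        expected = totp(secret_b32, unix_time + step * period, period, digits, algorithm)
        if hmac.compare_digest(expected, user_code):
            return True
    return False
```

The secrets used in the checks below are the RFC 4226/6238 test seeds in base32, so the derived codes can be compared against the published test vectors.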

What to do next

When you configure one-time password providers, a message indicates that changes are not deployed. If you finished making changes, deploy them. For more information, see Deploying pending changes.