Configuring an HOTP one-time password mechanism

Edit online

The HOTP one-password mechanism relies on a public algorithm to generate the one-time password.

About this task

The HOTP client solution and Security Verify Access use the same algorithm to generate the one-time password value. No interaction is required between the client software and the Security Verify Access solution. The algorithm uses a shared secret key and a counter to generate the one-time password value. Every time a new one-time password is generated, the counter value increments on both server and client solutions. No delivery of the one-time password is required.

This task describes the steps and properties for configuring a HOTP mechanism. For information about configuring other providers, see:
Note: When users attempt to log in using HOTP or TOTP and submit an incorrect one-time password, they receive one strike against their account. This strike remains on their account for a configurable duration. By default, the duration is 10 minutes. After that duration, the strike is removed from their account. When users submit multiple incorrect one-time passwords, they can reach a maximum and are then prevented from making another attempt until one of their strikes expires. By default, the maximum is 5. If the users log in successfully, any strikes on their account are cleared. Strikes are shared between TOTP and HOTP. For example, if the users made two incorrect attempts using TOTP, those strikes count against them on HOTP as well. Because user retries affect only TOTP and HOTP logins, users who exceeded password attempt using those logins can still use other OTP provider logins or basic username/password authentication. You can modify the password retry settings through the Advanced Configuration settings in the local management interface. For more information, see Managing advanced configuration.

Procedure

  1. Log in to the local management interface.
  2. Click AAC.
  3. Under Policy, click Authentication.
  4. Click Mechanisms.
  5. Click HOTP One-time Password.
  6. Click Modify.
  7. Click the Properties tab.
    1. Select a property that you want to configure.
    2. Click Modify.
    3. Enter the value for that property.
    4. Click OK.
  8. Take note of the properties for the mechanism.
    HOTP
    Max Counter Lookahead
    The number of times to increment the counter to see whether the one-time password is valid before stopping. Any non-negative number is valid.

    The default is 25.

    Password Length
    The length of the generated one-time passwords, which can be 6 - 9 characters or numbers.

    The default is 6.

    Generation Algorithm
    The algorithm that is used to generate the one-time password. Valid options include the following algorithms:
    • HmacSHA1
    • HmacSHA256
    • HmacSHA512

    The default is HmacSHA1.

    Secret key URL

    The URL that is used to deliver the secret key. The QR code is also generated using this URL. The URL format might include information specific to your environment, such as your company name.

    The default URL is:
    otpauth://hotp/Example:@USER_NAME@?secret=@SECRET_KEY
@&issuer=Example&counter=0
    The URL supports the following macros and may be positioned wherever their corresponding values belong.
    @SECRET_KEY@
    The secret key.
    @USER_NAME@
    The user name of the authorized user who logs in.
    @ALGORITHM@
    The one-time password generation algorithm.
    @DIGITS@
    The one-time password length.

    A secret key URL example to utilize all macros is:

    otpauth://hotp/Example:@USER_NAME@?secret=@SECRET_KEY@&issuer=Example
&counter=0&algorithm=@ALGORITHM@&digits=@DIGITS@
    Secret key attribute name
    The attribute name that is used for storage of the HOTP secret key in the database.

    Data type: String

    Example: otp.hmac.hotp.secret.key

    Secret key attribute namespace
    The attribute namespace of the HOTP secret key. The namespace in combination with the attribute name constitutes the unique identifier for the attribute in the database.

    Data type: String

    Example: urn:ibm:security:otp:hmac

    Login Template Page
    Override the path of the login template page that displays the form where the user can enter the one-time password. This config enables customization of the page branding or user experience.

    If no path is specified, the default path /authsvc/authenticator/hotp/login.html is used.

    Error Template Page
    Override the path of the error template page that displays errors during the one-time password authentication. This config enables customization of the page branding or user experience.

    If no path is specified, the default path /authsvc/authenticator/hotp/error.html is used.

  9. Click Save.

What to do next

When you configure the mechanism, a message indicates that changes are not deployed. Deploy changes when you are finished. For more information, see Deploying pending changes.