TOTP key

A TOTP key is the secret key that is stored in your user profile and used as input into the client authenticator application that will generate your TOTP value.

This secret key allows an authenticator application to generate a TOTP value that can then be verified when you authenticate, because both the user profile and the application that generates your TOTP value hold the same secret key. A user must have a TOTP key before their user profile authentication method can be set to *TOTP.

The user’s TOTP key is encrypted using AES with a 32-byte derived key before it is stored in an internal control block. The control block is protected with the strongest mechanism available to the IBM i operating system running on Power® hardware: a capability called Hardware Storage Protection (HSP). HSP is built into the Power hardware and enforced by the hardware itself. The HSP value used is "no access from user state" and "protect at all security levels". This value keeps all user-level code out of the control block (no read or write access) while allowing the operating system to read and write it. Because the control block is protected at all security levels, this protection is always active. If user-level code attempts to access the control block, the hardware raises an exception and the Licensed Internal Code returns an error to the user-level code, so the access is denied.