Configuring a TOTP one-time password mechanism

The TOTP one-password mechanism relies on a public algorithm to generate the one-time password.

About this task

The TOTP client solution and the Security Access Manager use the same algorithm to generate the one-time password value. No interaction is required between the client software and the Security Access Manager solution. The algorithm uses a shared secret key and the time to generate the one-time password value. No delivery of the one-time password is required.

This task describes the steps and properties for configuring a TOTP mechanism. For information about configuring other one-time password providers, see:
Note: When users attempt to log in using HOTP or TOTP and submit an incorrect one-time password, they receive one strike against their account. This strike remains on their account for a configurable duration. By default, the duration is 10 minutes. After that duration, the strike is removed from their account. When users submit multiple incorrect one-time passwords, they can reach a maximum and are then prevented from making another attempt until one of their strikes expires. By default, the maximum is 5. If the users log in successfully, any strikes on their account are cleared. Strikes are shared between TOTP and HOTP. For example, if the users made two incorrect attempts using TOTP, those strikes count against them on HOTP as well. Because user retries affect only TOTP and HOTP logins, users who exceeded password attempt using those logins can still use other OTP provider logins or basic username/password authentication. You can modify the password retry settings through the Advanced Configuration settings in the local management interface. For more information, see Managing advanced configuration.


  1. Log in to the local management interface.
  2. Click Secure Access Control.
  3. Under Policy, click Authentication.
  4. Click Mechanisms.
  5. Click TOTP One-time Password.
  6. Click Modify.
  7. Click the Properties tab.
    1. Select a property that you want to configure.
    2. Click Modify.
    3. Enter the value for that property.
    4. Click OK.
  8. Take note of the properties for the mechanism.
    Generation Interval (seconds)
    The number of seconds an interval lasts. This number determines how long a one-time password is active before the next one-time password generates.

    The default is 30.

    Password Length
    The length of the generated one-time passwords, which can be 6 - 9 characters or numbers.

    The default is 6.

    Skew Intervals
    The skew intervals of the algorithm. The skew intervals consider any possible synchronization delay between the server and the client that generates the one-time password. For example, a skew interval of 2 means a one-time password in up to two intervals in the past, or two in the future are valid. For example, if it is interval 563, and intervals are 30 seconds, then one-time passwords for intervals 561-565 are computed and checked against within a range of 2.5 minutes.

    The default is 1.

    One Time Use
    Whether to cache one-time passwords if they are used to successfully log in. If set to true, then the reuse of a one-time password is prevented while it is in cache.

    The default is true.

    Generation Algorithm
    The algorithm that is used to generate the one-time password. Valid options include the following algorithms:
    • HmacSHA1
    • HmacSHA256
    • HmacSHA512

    The default is HmacSHA1.

    Secret key URL

    The URL that is used to deliver the secret key. The QR code is also generated using this URL. The URL format might include information specific to your environment, such as your company name.

    The default URL is:
    The URL supports the following macros and may be positioned wherever their corresponding values belong.
    The secret key.
    The user name of the authorized user who logs in.
    The one-time password generation algorithm.
    The one-time password length.
    The one-time password generation interval.

    A secret key URL example to utilize all macros is:

    Secret key attribute name
    The attribute name that is used for storage of the TOTP secret key in the database.

    Data type: String

    Example: otp.hmac.totp.secret.key

    Secret key attribute namespace
    The attribute namespace of the TOTP secret key. The namespace in combination with the attribute name constitutes the unique identifier for the attribute in the database.

    Data type: String

    Example: urn:ibm:security:otp:hmac

  9. Click Save.

What to do next

When you configure the mechanism, a message indicates that changes are not deployed. Deploy changes when you are finished. For more information, see Deploying pending changes.