Configuring a TOTP one-time password mechanism
The TOTP one-password mechanism relies on a public algorithm to generate the one-time password.
About this task
The TOTP client solution and the Security Access Manager use the same algorithm to generate the one-time password value. No interaction is required between the client software and the Security Access Manager solution. The algorithm uses a shared secret key and the time to generate the one-time password value. No delivery of the one-time password is required.
This task describes the steps and properties for configuring a TOTP mechanism. For information about configuring other one-time password providers, see:- Configuring a MAC one-time password mechanism
- Configuring an HOTP one-time password mechanism
- Configuring an RSA one-time password mechanism
Note: When users attempt to log in using HOTP or TOTP and submit
an incorrect one-time password, they receive one strike against their
account. This strike remains on their account for a configurable duration.
By default, the duration is 10 minutes. After that duration, the strike
is removed from their account. When users submit multiple incorrect
one-time passwords, they can reach a maximum and are then prevented
from making another attempt until one of their strikes expires. By
default, the maximum is 5. If the users log in successfully, any
strikes on their account are cleared. Strikes are shared between
TOTP and HOTP. For example, if the users made two incorrect attempts
using TOTP, those strikes count against them on HOTP as well. Because
user retries affect only TOTP and HOTP logins, users who exceeded
password attempt using those logins can still use other OTP provider
logins or basic username/password authentication. You can modify the
password retry settings through the Advanced Configuration settings
in the local management interface. For more information, see Managing advanced configuration.