Configuring users for TOTP authentication

You must enable existing users with the IBM® MFA policies that you require.

About this task

To enable users for TOTP authentication, complete the following steps:

Procedure

  1. In the IBM MFA GUI, click the User Provisioning tab.
  2. Click the plus sign (+) control.
  3. Enter the ID for the user. The ID is the user name associated with the effective client user ID. IBM MFA automatically saves the user ID in lowercase.
  4. Enter the Name for the user. This is a name of your choice.
  5. Enter an MFA password of your choice, if applicable. The MFA password is a special password that allows the user to log in to the IBM MFA server for IBM MFA-specific actions. This password is unique to the IBM MFA server.
    Note: In this release of IBM MFA, the IBM MFA password is needed only for enrolling tokens for TOTP and Yubico OTP, and for password authentication with the PAM authentication method. If the user is not using these authentication methods, you can leave this password blank.
  6. Click Save.
  7. The Policies table shows all of the policies assigned to the user. Click + in the Policies section.
    The All Policies table shows all of the available policies.
  8. Select one or more policies.
    Important: For PAM client authentication, if you do not assign one or more authentication methods, the user is treated as if password fallback is enabled, irrespective of the password fallback setting for that user account. For information about password fallback, see Setting password fallback.
  9. Click Confirm.
    The Authentication Methods table lists the configured authentication methods for the policy.
  10. Select the TOTP authentication method.
  11. Click the Edit icon.
  12. You are prompted for the user-specific authentication method settings.
    Table 1. User-specific TOTP settings
    Tag                 Description
    Registration state  Set this to OPEN.
    Digest algorithm    Select the digest algorithm.
    Number of Digits    Select the number of digits in the generated token.
  13. Click Confirm.
  14. Set Active to On for the authentication method.
  15. Click Confirm.
  16. The CTC Failure Count is the number of times a user consecutively fails to provide a valid credential, based on the Max CTC Check Failures Before Suspension setting in Configuring server options. If the user exceeds this limit, the Suspended control is set. You must disable the Suspended control before the user can log in.
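The following is an added example, not code from IBM MFA or its documentation, showing what the user-specific TOTP settings in Table 1 (digest algorithm, number of digits) and the consecutive-failure count in step 16 actually govern. It implements RFC 6238 TOTP over RFC 4226 HOTP with the Python standard library, then wraps it in a small per-user record that counts consecutive failures and sets a suspended flag once the count exceeds a threshold. The class name `TotpUser`, the `max_failures` parameter, the one-step verification window, and the reading of "exceeds this limit" as strictly greater than the threshold are assumptions made for this example; the secrets are the published RFC 6238 test seeds, not enrolled tokens.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per time step (RFC 6238 default)

# RFC 6238 Appendix B test seeds (public test data, not real enrolled secrets).
RFC_SEED_SHA1 = b"12345678901234567890"
RFC_SEED_SHA256 = b"12345678901234567890123456789012"
RFC_SEED_SHA512 = b"1234567890" * 6 + b"1234"


def hotp(secret: bytes, counter: int, digest: str = "sha1", digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter), dynamic truncation, N decimal digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, getattr(hashlib, digest)).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)       # keep leading zeros


def totp(secret: bytes, at: int, digest: str = "sha1", digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / TIME_STEP)."""
    return hotp(secret, at // TIME_STEP, digest, digits)


class TotpUser:
    """Per-user TOTP settings plus the consecutive-failure counter (assumed model)."""

    def __init__(self, secret: bytes, digest: str = "sha1", digits: int = 6,
                 max_failures: int = 3):
        self.secret = secret
        self.digest = digest          # Table 1: Digest algorithm
        self.digits = digits          # Table 1: Number of Digits
        self.max_failures = max_failures  # analogue of Max CTC Check Failures Before Suspension
        self.failure_count = 0        # analogue of CTC Failure Count
        self.suspended = False        # analogue of the Suspended control
        self.active = True            # step 14: Active set to On

    def verify(self, code: str, at: int, window: int = 1) -> bool:
        """Accept the code for the current step or +/- `window` steps of clock skew."""
        if self.suspended or not self.active:
            return False
        for step in range(-window, window + 1):
            expected = totp(self.secret, at + step * TIME_STEP, self.digest, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.failure_count = 0                # a success resets the streak
                return True
        self.failure_count += 1
        if self.failure_count > self.max_failures:    # "exceeds this limit": suspend
            self.suspended = True
        return False

    def unsuspend(self) -> None:
        """Administrator action corresponding to disabling the Suspended control."""
        self.suspended = False
        self.failure_count = 0


if __name__ == "__main__":
    user = TotpUser(RFC_SEED_SHA256, digest="sha256", digits=8)
    now = 59  # RFC 6238 test instant; replace with int(time.time()) in practice
    print("code:", totp(user.secret, now, user.digest, user.digits))
    print("valid:", user.verify(totp(user.secret, now, user.digest, user.digits), now))
```

Changing `digest` or `digits` on the user record changes the code the authenticator app must produce, which is why both sides must be enrolled with the same settings; the failure counter only resets on a successful verification or on an explicit unsuspend, matching the requirement in step 16 that the Suspended control be cleared before the user can log in again.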