Preparing user devices for TOTP authentication
You must prepare each user's device for TOTP.
Procedure
- Instruct users to install an authenticator application that can scan QR codes, such as IBM® Verify, Google Authenticator, or Duo Mobile, on their device.
- Instruct the user to open the TOTP start page in a desktop web browser and to log in with their user name and their MFA password. The MFA password is a special password that allows the user to log in to the IBM MFA server for IBM MFA-specific actions. For example:
https://hostname:6793/AZFTOTP1/genericStart
A page that contains the AuthURL URL and the encoded QR code is displayed.
- Instruct the user to point their device at the generated QR code and scan it with the application. The application displays the TOTP code.
- Instruct the user to enter the TOTP code on the web page and click Generic TOTP Enrollment.
- If an error occurs, the user is prompted to retry enrollment. In this case, for the greatest compatibility with authenticator applications, first set the following parameter values, then instruct the user to click Retry enrollment:
  - Digest Algorithm SHA1
  - Token Digits 6
  - Token Period Seconds 30
- If the enrollment is successful, the message "New TOTP token has been confirmed and is ready to use." is displayed. From now on the user must log in with codes generated by this TOTP token.
- Inform users to use the IBM MFA Out-of-Band web server login page that you configured, such as https://server:port/mfa/policy-name, where port is the server authentication port you configured and policy-name is the policy the user must use. You may want to have the user bookmark this URL.
- When the user visits the IBM MFA Out-of-Band web login page, user-specific information about the methods required for the user to log in is displayed.