Configure TOTP for users

You can use TOTP as an alternative to Generic TOTP. Configure TOTP for users so that they can authenticate with that method.

Before you begin

When a user enrolls a new TOTP account using the IBM® TouchToken for iOS application, sensitive data flows to the application running on the user's iOS device. HTTPS is used to protect that data, and the TLS configuration must be compatible with Application Transport Security policy as enforced by Apple iOS.

The z/OS® Communications Server Application Transparent Transport Layer Security (AT-TLS) provides full transport layer security for all communication between the Apple device and IBM MFA. AT-TLS frees IBM MFA from having to be aware of the TLS details.

This procedure assumes that you are using a public CA. It is strongly recommended that you use a certificate issued by a well-known certificate authority (CA). If you are not using a CA that is trusted by default by Apple iOS, ensure that all IBM TouchToken for iOS devices have a Configuration Profile installed that allows them to establish TLS connections with the web services server.
Important: If your web services server certificate was not issued by a well-known CA, do not instruct users to visit the web services server start page until they have a Configuration Profile installed that allows them to establish TLS connections with the web services server. If users accept the web services server certificate in Mobile Safari as an SSL exception, the IBM TouchToken for iOS application still cannot trust the CA that issued the certificate. Users will be able to view the enrollment launch URL, but will not be able to complete enrollment.
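The following script is an added example, not part of this IBM documentation, for checking the web services server before users are pointed at the start page. It performs a single TLS handshake to port 6789 and reports whether the certificate chain validates against the local trust store (the situation a default iOS device is in), and whether the negotiated protocol and cipher meet the Application Transport Security points Apple documents: TLS 1.2 or later and a forward-secrecy (ECDHE or TLS 1.3) cipher suite. The host name "hostname" is the same placeholder as in the start URL; certificate key size and signature algorithm are not checked here.

```python
# Added pre-enrollment check (not IBM code): does the web services server's TLS
# setup look acceptable to Apple ATS and to a device with no Configuration Profile?
import socket
import ssl
import sys
from dataclasses import dataclass, field

ATS_TLS_VERSIONS = ("TLSv1.2", "TLSv1.3")   # ATS rejects TLS 1.0/1.1


@dataclass
class AtsReport:
    trusted_chain: bool      # chain validated against the local trust store
    tls_version: str         # e.g. "TLSv1.2"
    cipher: str              # OpenSSL cipher name, e.g. "ECDHE-RSA-AES256-GCM-SHA384"
    problems: list = field(default_factory=list)


def evaluate_ats(tls_version, cipher, trusted_chain):
    """Return the ATS-relevant findings for a negotiated session (empty list = nothing found)."""
    problems = []
    if tls_version not in ATS_TLS_VERSIONS:
        problems.append(f"{tls_version} negotiated; ATS requires TLS 1.2 or later")
    # Every TLS 1.3 suite provides forward secrecy; for TLS 1.2 ATS expects ECDHE suites.
    if tls_version != "TLSv1.3" and not cipher.startswith("ECDHE"):
        problems.append(f"cipher {cipher} does not provide forward secrecy (ECDHE)")
    if not trusted_chain:
        problems.append("certificate chain is not trusted by default; iOS devices need a "
                        "Configuration Profile before users visit the start page")
    return problems


def _handshake(host, port, ctx, timeout):
    with socket.create_connection((host, port), timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def probe(host, port=6789, timeout=5.0):
    """Handshake once with chain and hostname verification; on failure, once more just to read parameters."""
    ctx = ssl.create_default_context()   # verifies the chain against the local trust store
    trusted = True
    try:
        version, cipher = _handshake(host, port, ctx, timeout)
    except ssl.SSLCertVerificationError:
        trusted = False                  # same failure a device without the profile would see
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # second handshake only reports what was negotiated
        version, cipher = _handshake(host, port, ctx, timeout)
    return AtsReport(trusted, version, cipher, evaluate_ats(version, cipher, trusted))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "hostname"   # placeholder, as in the start URL
    report = probe(target)
    print(f"{target}: {report.tls_version} {report.cipher} trusted_chain={report.trusted_chain}")
    for finding in report.problems:
        print("  -", finding)
```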

Procedure

  1. Make sure that the user's Apple iOS device has network connectivity to the web services server.
  2. Instruct users to install the IBM TouchToken for iOS application on their iOS device.
  3. Instruct users to open the web services server start page, using either Mobile Safari on their iOS device or a desktop browser:
    https://hostname:6789/AZFTOTP1/start
    The page explains some basic information about TOTP to the user, and contains both a QR code and a link that launch the IBM TouchToken for iOS application on the user's device.
  4. Instruct the user to launch the IBM TouchToken for iOS application on the Apple device. Note that after the TOTP account is set up on the Apple device, the REGSTATE changes to PROVISIONED and the factor state changes to ACTIVE.
  5. Instruct the user to tap the new TOTP account. You might want to have the user rename this account to remove any system-specific information.
  6. When prompted, the user must supply their Apple TouchID fingerprint.
    If successful, the TOTP token code is displayed.
  7. The user must now use this OTP token code to log on.