Configure TOTP for users
You can use TOTP as an alternative to Generic TOTP. To let users authenticate with that method, configure TOTP for them as described in this topic.
Before you begin
When a user enrolls a new TOTP account using the IBM® TouchToken for iOS application, sensitive data flows to the application running on the user's iOS device. HTTPS is used to protect that data, and the TLS configuration must be compatible with Application Transport Security policy as enforced by Apple iOS.
The z/OS® Communications Server Application Transparent Transport Layer Security (AT-TLS) provides full transport layer security for all communication between the Apple device and IBM MFA. AT-TLS frees IBM MFA from having to be aware of the TLS details.
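Before pointing users at the enrollment URL, it is worth confirming that what AT-TLS presents to the iOS device actually satisfies Apple's ATS rules. The following is an added example, not code from the IBM page or product: it parses the protocol, cipher and certificate fields from `openssl s_client`/`openssl x509 -text` style output and reports which ATS requirements (TLS 1.2 or later, ECDHE forward-secrecy AES suites, SHA-256 or stronger certificate signature, RSA 2048 or EC 256 bit keys, as documented by Apple and assumed here) are not met. The sample outputs are constructed.

```python
"""Check a server's TLS parameters, as reported by openssl, against Apple ATS."""
import re
from typing import Dict, List

# ATS requirements as documented by Apple (assumption of this example;
# the IBM page does not enumerate them).
ATS_MIN_TLS = (1, 2)
ATS_CIPHERS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA",
}
ATS_SIG_HASHES = {"sha256", "sha384", "sha512"}
ATS_MIN_KEY_BITS = {"rsa": 2048, "ec": 256}

def parse_openssl(text: str) -> Dict[str, object]:
    """Extract protocol, cipher, signature hash, key type and key size."""
    f: Dict[str, object] = {}
    m = re.search(r"Protocol\s*:\s*TLSv(\d)\.(\d)", text)
    f["version"] = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    m = re.search(r"Cipher\s*:\s*(\S+)", text)
    f["cipher"] = m.group(1) if m else ""
    m = re.search(r"Signature Algorithm:\s*(\S+)", text)
    h = re.search(r"sha(\d+)", m.group(1), re.I) if m else None
    f["sig_hash"] = f"sha{h.group(1)}" if h else ""
    m = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    f["key_type"] = "rsa" if m and "rsa" in m.group(1).lower() else "ec"
    m = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    f["key_bits"] = int(m.group(1)) if m else 0
    return f

def ats_violations(f: Dict[str, object]) -> List[str]:
    """Return the ATS rules the profile breaks; an empty list means compatible."""
    issues = []
    if f["version"] < ATS_MIN_TLS:
        issues.append("protocol older than TLS 1.2")
    if f["cipher"] not in ATS_CIPHERS:
        issues.append(f"cipher {f['cipher']!r} is not an ATS forward-secrecy suite")
    if f["sig_hash"] not in ATS_SIG_HASHES:
        issues.append(f"signature hash {f['sig_hash']!r} weaker than SHA-256")
    if f["key_bits"] < ATS_MIN_KEY_BITS[f["key_type"]]:
        issues.append(f"{f['key_type'].upper()} key of {f['key_bits']} bits too small")
    return issues

# Constructed sample output, not captured from a real server.
GOOD = "Protocol  : TLSv1.2\nCipher    : ECDHE-RSA-AES128-GCM-SHA256\n" \
       "Signature Algorithm: sha256WithRSAEncryption\n" \
       "Public Key Algorithm: rsaEncryption\nPublic-Key: (2048 bit)\n"
WEAK = "Protocol  : TLSv1.0\nCipher    : AES256-SHA\n" \
       "Signature Algorithm: sha1WithRSAEncryption\n" \
       "Public Key Algorithm: rsaEncryption\nPublic-Key: (1024 bit)\n"

if __name__ == "__main__":
    for name, out in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, ats_violations(parse_openssl(out)) or "ATS-compatible")
```

Feed it the output of `openssl s_client -connect host:443 -servername host < /dev/null` combined with `openssl x509 -text` on the presented certificate; an empty result means the ATS checks covered here pass, though chain trust on the device is a separate matter.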
This procedure assumes that you are using a public CA. It is strongly recommended that you use a certificate issued by a well-known certificate authority (CA). If you are not using a CA that is trusted by default by Apple iOS, ensure that all IBM TouchToken for iOS devices have a Configuration Profile installed that allows them to establish TLS connections with the web services server.
Important: If your web services server certificate was not issued by a well-known CA, do not instruct users to visit the web services server start page until they have a Configuration Profile installed that allows them to establish TLS connections with the web services server. If users accept the web services server certificate in Mobile Safari as an SSL exception, the IBM TouchToken for iOS application still cannot trust the CA that issued the certificate. Users will be able to view the enrollment launch URL, but will not be able to complete enrollment.