Configure TOTP for users

TOTP enrollment uses standard Quick Response (QR) codes, which TOTP applications on both Android and Apple iOS devices can scan.

Before you begin

Note: Not all TOTP client applications support all combinations of token length, period, or digest algorithm. In addition, not all TOTP applications display errors when importing combinations of TOTP parameters that the application does not support. IBM recommends that you confirm that a specific combination of token length, period, and digest algorithm is compatible with a specific TOTP application prior to rolling out AZFTOTP1 in production environments.

Procedure

  1. Instruct the user to open the TOTP start page in a desktop web browser and log in with their z/OS® user name and password:
    https://hostname:6789/AZFTOTP1/genericStart
    A page that contains the AuthURL and the encoded QR code is displayed.
  2. Instruct the user to point their device at the generated QR code and scan it with an application such as IBM® Verify, Google Authenticator, Duo Mobile, and so forth.
    The application displays the TOTP code.
  3. Instruct the user to enter the TOTP code on the web page and click Generic TOTP Enrollment.
  4. If an error occurs, the user is prompted to retry enrollment. A common cause is a combination of token length, period, and digest algorithm that the user's TOTP application does not support (see the note above). For the greatest compatibility with QR-scanning applications, first set the user's tags to the values that most authenticator applications assume by default: ALG SHA1, NUMDIGITS 6, and PERIOD 30.
    ALU [Login ID] MFA(FACTOR(AZFTOTP1)
        TAGS(ALG:SHA1 NUMDIGITS:6 PERIOD:30))
    Then instruct the user to click Retry enrollment.
  5. If the enrollment is successful, the message "New TOTP token has been confirmed and is ready to use." is displayed.
  6. From now on, the user logs on to their z/OS application with the current code that the TOTP application displays; the code changes once per period.
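The note above asks you to confirm that a given combination of ALG, NUMDIGITS, and PERIOD works with a given authenticator application before rollout. The following script is an added example, not IBM MFA code or part of AZFTOTP1: it implements RFC 4226 HOTP and RFC 6238 TOTP for the SHA1, SHA256, and SHA512 digests, parses the otpauth:// AuthURL that an enrollment page embeds in its QR code, and shows the server-side verification window. The sample AuthURL, its secret, label, and issuer are constructed for illustration and are not values produced by a real AZFTOTP1 server; the function names are this example's own. To check an app, feed it the AuthURL, then compare the code it displays with the output of code_from_otpauth at the same moment.

```python
"""Added example (not IBM MFA code): RFC 6238 TOTP for the parameter
combinations AZFTOTP1 exposes (ALG, NUMDIGITS, PERIOD), plus a parser for
the otpauth:// AuthURL that a QR enrollment page encodes."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Digest names as they appear in the otpauth URL "algorithm" parameter.
_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed sample AuthURL (hypothetical secret, label and issuer). The secret
# is the base32 encoding of the 20-byte RFC 4226/6238 test key "12345678901234567890".
SAMPLE_AUTHURL = ("otpauth://totp/IBMMFA:USER01?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
                  "&issuer=IBMMFA&algorithm=SHA1&digits=6&period=30")


def hotp(key: bytes, counter: int, digits: int = 6, alg: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    if alg not in _DIGESTS:
        raise ValueError(f"unsupported digest {alg!r}; use one of {sorted(_DIGESTS)}")
    if not 6 <= digits <= 8:
        raise ValueError("RFC 4226 allows 6 to 8 digits")
    mac = hmac.new(key, struct.pack(">Q", counter), _DIGESTS[alg]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, digits: int = 6, period: int = 30, alg: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP over the number of `period`-second steps since the Unix epoch."""
    if period <= 0:
        raise ValueError("period must be a positive number of seconds")
    return hotp(key, at // period, digits, alg)


def verify_totp(key: bytes, code: str, at: int, digits: int = 6, period: int = 30,
                alg: str = "SHA1", window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and up to `window`
    steps either side to absorb clock drift between device and server. The
    comparison is constant-time. Keep `window` small: every extra step widens
    the set of codes an attacker can guess for a single attempt."""
    return any(
        hmac.compare_digest(totp(key, at + step * period, digits, period, alg), code)
        for step in range(-window, window + 1)
    )


def parse_otpauth(url: str) -> dict:
    """Extract the parameters a QR-capable app reads from an otpauth://totp URL,
    applying the conventional defaults (SHA1, 6 digits, 30 s) when a field is absent."""
    parts = urlparse(url)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URL")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = q["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # restore base32 padding if the URL omitted it
    return {
        "label": unquote(parts.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "alg": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def code_from_otpauth(url: str, at: Optional[int] = None) -> str:
    """The code a compliant app should display for this AuthURL at Unix time `at` (now if omitted)."""
    p = parse_otpauth(url)
    at = int(time.time()) if at is None else at
    return totp(p["key"], at, p["digits"], p["period"], p["alg"])


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_AUTHURL)
    print(f"{p['label']}: {p['alg']} / {p['digits']} digits / {p['period']} s ->",
          code_from_otpauth(SAMPLE_AUTHURL))
```

If an app imports the AuthURL without error but shows a code that never matches code_from_otpauth for the same instant, the app has silently ignored one of the parameters (typically a non-SHA1 digest or an 8-digit length), which is exactly the failure mode the note warns about; that combination should not be rolled out for users of that app.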