Preparing user devices for IBM TouchToken for iOS authentication

You can use the IBM® TouchToken for iOS application as an alternative to Generic TOTP. You must prepare each user's Apple device for TOTP authentication.

About this task

This procedure assumes that you are using a public certificate authority (CA). It is strongly recommended that you use a certificate issued by a well-known CA. If you are not using a CA that is trusted by default by Apple iOS, ensure that all IBM TouchToken for iOS devices have a Configuration Profile installed that allows the devices to establish TLS connections with the IBM MFA server.
Important: If your IBM MFA server certificate was not issued by a well-known CA, do not instruct users to visit the IBM MFA server start page until they have a Configuration Profile installed that allows them to establish TLS connections with the IBM MFA server. If users accept the server certificate in Mobile Safari as an SSL exception, the IBM TouchToken for iOS application still cannot trust the CA that issued the certificate. Users will be able to view the enrollment launch URL, but will not be able to complete the enrollment.

Procedure

  1. Ensure that the user's Apple iOS device has network connectivity to the IBM MFA server.
  2. Instruct users to install the IBM TouchToken for iOS application on their iOS device.
  3. Instruct users to open the IBM MFA server start page by using either Mobile Safari on their iOS device or a desktop browser. For example:
     https://hostname:6793/AZFTOTP1/start
     The page explains some basic information about TOTP to the user, and contains both a QR code and a link that launch the IBM TouchToken for iOS application on the user's device.
  4. Instruct the user to use either the QR code or the link to launch the IBM TouchToken for iOS application on the Apple device. Note that after the TOTP account is set up on the Apple device, the registration state changes to PROVISIONED and the state of the authentication method changes to ACTIVE.
  5. Instruct the user to tap the new TOTP account. You may want to have the user rename this account to remove any system-specific information.
  6. When prompted, the user must supply their Apple TouchID fingerprint.
    If successful, the TOTP token code is displayed. The user must now use this OTP token code to log in.
  7. Instruct users to use the IBM MFA Out-of-Band web server login page that you configured, such as
     https://server:port/mfa/policy-name
     where port is the server authentication port you configured and policy-name is the policy the user must use. You may want to have the user bookmark this URL.
  8. When the user visits the IBM MFA Out-of-Band web login page, user-specific information about the methods required for the user to log in is displayed.
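The token code the user types in steps 6 through 8 is a standard RFC 6238 TOTP value, and the server accepts it only if it matches the current time step (within a small skew) and has not already been used. The following added example, which is not IBM's code and makes no assumption about the IBM MFA server's internals, shows the generation and that server-side check with the RFC 6238 reference secret; the 30-second step and 6-digit length are the Generic TOTP defaults the page refers to.

```python
import hashlib
import hmac
import struct

# Generic TOTP profile: 30-second time steps, 6-digit codes, HMAC-SHA1.
STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 reference secret (constructed test value, not a real enrollment key).
RFC_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS, digestmod=hashlib.sha1) -> str:
    """Return the TOTP code for `secret` at `unix_time` (RFC 6238 over RFC 4226)."""
    counter = unix_time // step                      # T = floor(time / step)
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check: accept a code within +/- `skew` steps of the current
    time, and never accept a time step at or before the last one already used,
    so a code that was observed once cannot be replayed inside its window."""

    def __init__(self, secret: bytes, skew: int = 1):
        self.secret = secret
        self.skew = skew
        self.last_step = -1                          # highest step accepted so far

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        for delta in range(-self.skew, self.skew + 1):
            step = now_step + delta
            if step <= self.last_step:
                continue                             # replay or stale code: reject
            candidate = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(candidate, code): # constant-time compare
                self.last_step = step
                return True
        return False
```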