You can use the IBM® TouchToken for iOS application as an
alternative to Generic TOTP. You must prepare each user's Apple device for TOTP authentication.
About this task
This procedure assumes that the IBM MFA server certificate was issued by a public certificate authority (CA) that Apple iOS trusts by default; using a certificate from a well-known CA is strongly recommended. If the certificate chains to a CA that is not trusted by default by Apple iOS, ensure that every device running IBM TouchToken for iOS has a Configuration Profile installed that allows the device to establish TLS connections with the IBM MFA server.
Important: If your IBM MFA server certificate was not issued by a well-known CA, do not instruct users to visit the IBM MFA server start page until they have a Configuration Profile installed that allows them to establish TLS connections with the IBM MFA server. A certificate exception that a user accepts in Mobile Safari applies only to Safari: the IBM TouchToken for iOS application does not inherit that exception and still cannot trust the CA that issued the certificate. Such users will be able to view the enrollment launch URL, but will not be able to complete the enrollment.
Procedure
- Ensure that the user's Apple iOS device has network connectivity to the IBM MFA server.
- Instruct users to install the IBM TouchToken for iOS application on their iOS device.
- Instruct users to open the IBM MFA server start page, using either Mobile Safari on their iOS device or a desktop browser. For example:
  https://hostname:6793/AZFTOTP1/start
  The page explains some basic information about TOTP to the user, and contains both a QR code and a link that launch the IBM TouchToken for iOS application on the user's device.
- Instruct the user to use either the QR code or the link to launch the IBM TouchToken for iOS application on the Apple device. After the TOTP account is set up on the Apple device, the registration state changes to PROVISIONED and the state of the authentication method changes to ACTIVE.
- Instruct the user to tap the new TOTP account. You may want to have the user rename this account to remove any system-specific information.
- When prompted, the user must supply their Apple Touch ID fingerprint. If successful, the TOTP token code is displayed. The user must now use this OTP token code to log in.
- Instruct users to use the IBM MFA Out-of-Band web server login page that you configured, such as
  https://server:port/mfa/policy-name
  where port is the server authentication port you configured and policy-name is the policy the user must use. You may want to have the user bookmark this URL.
- When the user visits the IBM MFA Out-of-Band web login page, user-specific information about the methods required for the user to log in is displayed.
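The token code that the device displays in step 6, and that the Out-of-Band login page checks in step 8, is a time-based one-time password (TOTP). The following is an added, generic RFC 6238 example written for this page; it is not IBM's code and does not describe the IBM MFA or TouchToken implementation. The 30-second time step, 8-digit code and HMAC-SHA-1 are the parameters of the RFC 6238 test vectors, chosen so the output can be checked against the RFC; the parameters IBM MFA actually uses are not stated on this page and are an assumption here. The verification side shows the two checks a practitioner cares about when a user types a code from a phone: a small clock-skew window, and rejection of a code that has already been accepted so an observed code cannot be replayed within that window.

```python
import hashlib
import hmac
import struct

# Assumed parameters: these match the RFC 6238 Appendix B test vectors,
# NOT any confirmed IBM MFA / TouchToken setting.
TIME_STEP = 30   # seconds per counter step
DIGITS = 8       # RFC test vectors use 8-digit codes
T0 = 0           # Unix epoch start


def hotp(secret: bytes, counter: int, digits: int = DIGITS,
         digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_counter(unix_time: int, step: int = TIME_STEP) -> int:
    """RFC 6238 counter: floor((T - T0) / step)."""
    return (unix_time - T0) // step


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP,
         digits: int = DIGITS, digestmod=hashlib.sha1) -> str:
    """Code the token app would display at `unix_time` (device side)."""
    return hotp(secret, totp_counter(unix_time, step), digits, digestmod)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_counter: int = -1, skew_steps: int = 1,
                step: int = TIME_STEP, digits: int = DIGITS,
                digestmod=hashlib.sha1):
    """Server-side check. Accepts `candidate` if it matches the code for the
    current step or for up to `skew_steps` steps either side (device/server
    clock drift). Any counter <= `last_counter` is refused, so a code that was
    already accepted cannot be replayed while its window is still open.
    Every window is evaluated (no early return) to keep timing uniform.
    Returns (accepted, new_last_counter)."""
    now = totp_counter(unix_time, step)
    accepted, matched = False, last_counter
    for c in range(now - skew_steps, now + skew_steps + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits, digestmod), candidate):
            accepted, matched = True, c
    return accepted, matched


if __name__ == "__main__":
    # Constructed input: the RFC 6238 Appendix B shared secret.
    secret = b"12345678901234567890"
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(secret, t))
    # A code is accepted once, then refused as a replay in the same window.
    ok, last = verify_totp(secret, totp(secret, 59), 59)
    print("first use accepted:", ok, "replay accepted:",
          verify_totp(secret, totp(secret, 59), 59, last_counter=last)[0])
```

The device-side and server-side functions share only the secret and the parameters; if an administrator sees users failing with codes that were correct a few seconds earlier, the first things to compare are the device clock and the server clock, because the skew window, not the code itself, is what decides acceptance.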