Custom TOTP authenticator
Using this method, admins can configure any TOTP authenticator for identity verification. ADSelfService Plus supports two types of TOTP tokens for authentication:
- Software TOTP token: Mobile or desktop applications that generate a time-based OTP based on the secret key provided by ADSelfService Plus during enrollment. These tokens can either be enrolled by the user through self-enrollment or by the admin through bulk enrollment.
- Hardware TOTP token: Hardware devices that generate a time-based OTP based on the secret key burned into the hardware device. These tokens can be enrolled only by the admin through bulk enrollment with the help of a seed file (file consisting of secret keys for the respective hardware devices provided by hardware vendors).
Steps to configure custom TOTP authenticators
- Navigate to Configuration → Self-Service → Multi-factor Authentication → Authenticators Setup.
- From the Choose the Policy drop-down, select a policy.
Note: ADSelfService Plus allows you to create OU- and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
- Click the Custom TOTP Authenticator section.
- Enter the Authenticator Name, Passcode Length, Passcode Expiration Time, Passcode Hashing Algorithm, and Account Name Format, and upload the Authenticator Logo.
Note: If the Authenticator Logo is not uploaded, a default logo will be used.
- Choose either Software Token or Hardware Token based on the type of token you wish to configure.
- Click Save.
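The Passcode Length, Passcode Expiration Time and Passcode Hashing Algorithm entered above are the three parameters of the RFC 6238 TOTP computation that both the token and the server must agree on. The following is an added illustration, not ADSelfService Plus code: a minimal server-side verifier with those three parameters made explicit, plus a small drift window and a constant-time comparison. The secret is the RFC 6238 test seed, base32-encoded as a seed file or enrollment QR code would carry it; the function and parameter names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Admin-configured parameters: passcode length (digits), passcode expiration
# time (the time step in seconds) and the HMAC hashing algorithm.
def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, digits: int = 6, period: int = 30, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, at // period, digits, algorithm)

def verify_totp(secret_b32: str, code: str, at: Optional[int] = None, digits: int = 6,
                period: int = 30, algorithm: str = "sha1", window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and for `window`
    steps on either side to absorb clock drift on the token; compares in constant
    time so a wrong guess does not reveal how many digits matched."""
    if len(code) != digits or not code.isdigit():
        return False
    at = int(time.time()) if at is None else at
    # Re-add the '=' padding that seed files and QR payloads usually omit.
    secret = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    step = at // period
    for candidate in range(step - window, step + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits, algorithm), code):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample: the RFC 6238 SHA-1 test seed, base32-encoded.
    seed = base64.b32encode(b"12345678901234567890").decode()
    print(verify_totp(seed, "94287082", at=59, digits=8))  # True (RFC 6238 vector)
```

A token whose expected algorithm or digit count differs from the server configuration will never verify, which is why the configuration must match the seed file or software token settings exactly.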
How to enroll for custom TOTP authenticators
- Software tokens can be enrolled either by the user through self-enrollment or by admins through bulk enrollment (importing data via a CSV file or by fetching data from an external database).
- You can enroll for hardware tokens using two methods:
Note: When using programmable tokens that let the user generate a secret key without admin intervention, it is recommended to configure the custom TOTP authenticator as a software token.
To modify the configuration:
- Navigate to Configuration → Self-Service → Multi-factor Authentication → Authenticators Setup.
- Click the Custom TOTP Authenticator section.
- Click Modify and change the information provided wherever necessary.
- If the configuration has to be removed, click Remove Configuration.
- Click Save.
Note:
- When the configuration is modified or removed, the user enrollment data for that configuration is deleted as well. Make sure the values provided in the CSV file or data fetcher match the new configuration, both in the enrollment scheduler and when importing data manually. For example, when changing the custom TOTP authenticator configuration from software token to hardware token, replace the software token secret key data with the hardware device secret keys and add the serial numbers to the CSV file. If you use the database fetcher, modify the database query accordingly.
- When a user is moved from one self-service policy to another and the two policies do not share the same Custom TOTP Authenticator configuration, the user is treated as not enrolled.