Time-based Passcodes (OATH) Registration Method for Multi-Factor Authentication
Introduction
Use this guide to enable the use of Time-based Passcodes (OATH OTPs) as a Registration Method for Multi-Factor Authentication.
OATH OTPs are generated on the SecureAuth Mobile Apps, Desktop Client Applications, and Chrome Browser Extension; and can be utilized in any realm requiring Multi-Factor Authentication to access the post-authentication action. Depending on how the Multi-Factor App Enrollment realm is configured and on the application(s) being used to generate OATH OTPs, SecureAuth IdP can create OATH Tokens or OATH Seeds.
If OATH Tokens are being used, SecureAuth IdP enables one-touch revocation of OATH Tokens to ensure security even if an OTP application is compromised. Refer to the Account Management (Help Desk) Realm Configuration Steps and Self-service Account Update Realm Configuration Steps below to learn how to configure the Help Desk and Self-services realms to enable administrator or self-revocation of OATH Tokens; and refer to the End-user Experience section below to learn how to revoke OATH Tokens on the client-side pages.
Prerequisites
1. Configure the Multi-Factor App Enrollment Realm
2. Provision end-users' devices / browsers to generate Time-based Passcodes:
SecureAuth Authenticate App for Android and iOS (OATH Token and OATH Seed support)
Windows Desktop Passcode Application (OATH Token and OATH Seed support)
Mac Desktop Passcode Application (OATH Token and OATH Seed support)
3. Create a New Realm in the SecureAuth IdP Web Admin or access existing realm(s) for which OATH OTPs are to be used for Multi-Factor Authentication
4. Configure the following tabs in the Web Admin before configuring for OATH OTPs:
Overview – the description of the realm and SMTP connections must be defined
Data – an enterprise directory must be integrated with SecureAuth IdP
Workflow – the way in which users will access the target must be defined
Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access the target (if any) must be defined (for Account Management Realm and Self-service Account Update Realm only)
Post Authentication – the target of the realm must be defined (for Realm Using OATH as Second Factor only)
Follow the Configuration Steps for the Specified Realm Type
Data
Note
The following Data tab steps are for LDAP directories only
If using a different directory (SQL, ASPNET, Oracle etc.), then the Properties need to be mapped to the data store via stored procedures (step 2)
 |
1. In the Membership Connection Settings section, note the Search Attribute directory field, e.g. sAMAccountName
Notice
The Search Attribute directory field must be the same in all realms utilizing Time-based Passcodes for Multi-Factor Authentication, IdM pages in which directory access to the directory fields are required, and the Multi-Factor App Enrollment Realm.
Profile Fields
 |
2. Map the necessary Properties to data store fields and check Writable:
The OATH Seed Property is required if OATH Seed (Single) is selected as the provisioning method on the Multi-Factor App Enrollment Realm; otherwise, no mapping is necessary
Map the OATH Seed Property to a directory field that fulfills the following requirements:
Directory String (syntax: 2.5.5.12)
Upper Range of at least 4096
Supports Advanced Encryption, as selected from the Data Format options
For Active Directory data stores, the postalAddress field can be used
The One Time OATH List Property is required to enable the use of the feature; otherwise no mapping is necessary
The One Time OATH List feature temporarily stores a Time-based Passcode in the directory until the configured expiration to ensure that the OTP is used only once throughout its validity
Map the One Time OATH List Property to any directory field that is a Directory String
For Active Directory data stores, the wWWHomePage field (among many others) can be used
The OATH Tokens Property is required if OATH Token (Multi) is selected as the provisioning method on the Multi-Factor App Enrollment Realm; otherwise, no mapping is necessary
The OATH Tokens Property can be stored as Plain Binary, JSON, or JSON Encrypted format, and has distinct requirements for the LDAP directory attribute mapped to the Property based on the Data Format selection
For Plain Binary, map the OATH Tokens Property to a directory field that fulfills the following requirements:
Octet String (syntax: 2.5.5.10)
Multi-valued
Upper Range of at least 4096
For JSON or JSON Encrypted, map the OATH Tokens Property to a directory field that fulfills the following requirements:
DirectoryString (syntax: 2.5.5.12)
Multi-valued
Upper Range of at least 4096
For typical Active Directory integrations, the Data Format is Plain Binary and the registeredAddress field is used
Warning
NOTE: For SQL, ASP.net, and Oracle data stores, only the Plain Binary Data Format is supported for the OATH Tokens Property (configured in the Data tab); and for ODBC data stores, theOATH Tokens Propertyis not supported
Notice
Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for the full list of requirements
Warning
Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes
Multi-Factor Methods
 |
3. In the Multi-Factor Configuration section, under Time-based Passcodes (OATH), select Enabled from the Time-based Passcodes dropdown
4. Select the number of digits of which the OATH OTPs are comprised from the Passcode Length dropdown
5. Set the Passcode Change Interval to the number of seconds the OATH OTP displays and for how long the code is valid
6. Set the Passcode Offset to make up for time differences between devices and to enable prolonged validity after the code is no longer displayed
7. Set the Cache Lockout Duration to the number of minutes the OATH Service is unusable after multiple failed login attempts
Warning
** Be sure that the Passcode Length and Passcode Change Interval are the same in the realm(s) using OATH as a registration method and in the Multi-Factor App Enrollment Realm
Warning
Click Save once the configurations have been completed and before leaving the Multi-Factor Methods page to avoid losing changes
Data
Note
The following Data tab steps are for LDAP directories only
If using a different directory (SQL, ASPNET, Oracle etc.), then the Properties need to be mapped to the data store via stored procedures (step 2)
|
1. In the Membership Connection Settings section, note the Search Attribute directory field, e.g. sAMAccountName
Notice
The Search Attribute directory field must be the same in all realms utilizing Time-based Passcodes for Multi-Factor Authentication, IdM pages in which directory access to the directory fields are required, and the Multi-Factor App Enrollment Realm.
Profile Fields
|
2. Map the necessary Properties to data store fields and check Writable:
The OATH Seed Property is required if OATH Seed (Single) is selected as the provisioning method on the Multi-Factor App Enrollment Realm; otherwise, no mapping is necessary
Map the OATH Seed Property to a directory field that fulfills the following requirements:
Directory String (syntax: 2.5.5.12)
Upper Range of at least 4096
Supports Advanced Encryption, as selected from the Data Format options
For Active Directory data stores, the postalAddress field can be used
The One Time OATH List Property is required to enable the use of the feature; otherwise no mapping is necessary
The One Time OATH List feature temporarily stores a Time-based Passcode in the directory until the configured expiration to ensure that the OTP is used only once throughout its validity
Map the One Time OATH List Property to any directory field that is a Directory String
For Active Directory data stores, the wWWHomePage field (among many others) can be used
The OATH Tokens Property is required if OATH Token (Multi) is selected as the provisioning method on the Multi-Factor App Enrollment Realm; otherwise, no mapping is necessary
The OATH Tokens Property can be stored as Plain Binary, JSON, or JSON Encrypted format, and has distinct requirements for the LDAP directory attribute mapped to the Property based on the Data Format selection
For Plain Binary, map the OATH Tokens Property to a directory field that fulfills the following requirements:
Octet String (syntax: 2.5.5.10)
Multi-valued
Upper Range of at least 4096
For JSON or JSON Encrypted, map the OATH Tokens Property to a directory field that fulfills the following requirements:
DirectoryString (syntax: 2.5.5.12)
Multi-valued
Upper Range of at least 4096
For typical Active Directory integrations, the Data Format is Plain Binary and the registeredAddress field is used
Warning
NOTE: For SQL, ASP.net, and Oracle data stores, only the Plain Binary Data Format is supported for the OATH Tokens Property (configured in the Data tab); and for ODBC data stores, the OATH Tokens Property is not supported
Notice
Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for the full list of requirements
Warning
Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes
Post Authentication
 |
3. In the Post Authentication section, select Account Management from the Authenticated User Redirect dropdown
4. An unalterable URL will be auto-populated in the Redirect To field, which appends to the domain name and realm number in the address bar (Authorized/ManageAccounts.aspx)
Warning
Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes
Identity Management
 |
5. Click Configure help desk page
Help Desk
 |
6. Select Show Disabled from the OATH Seed dropdown to display the OATH Seed on the client-side page
Notice
SecureAuth recommends selecting Hide from the OATH Seed dropdown as it is insecure to display the seed value; however, displaying the value is sometimes needed for provisioning purposes
7. Select Show Enabled from the OATH OTP Devices dropdown to enable administrative revocation of OATH Tokens on provisioned devices
Warning
Click Save once the configurations have been completed and before leaving the Help Desk page to avoid losing changes
Notice
Refer to Account Management page configuration for the full configuration steps
Data
Note
The following Data tab steps are for LDAP directories only
If using a different directory (SQL, ASPNET, Oracle etc.), then the Properties need to be mapped to the data store via stored procedures (step 2)
|
1. In the Membership Connection Settings section, note the Search Attribute directory field, e.g. sAMAccountName
Notice
The Search Attribute directory field must be the same in all realms utilizing Time-based Passcodes for Multi-Factor Authentication, IdM pages in which directory access to the directory fields are required, and the Multi-Factor App Enrollment Realm.
Profile Fields
|
2. Map the necessary Properties to data store fields and check Writable:
The OATH Seed Property is required if OATH Seed (Single) is selected as the provisioning method on the Multi-Factor App Enrollment Realm; otherwise, no mapping is necessary
Map the OATH Seed Property to a directory field that fulfills the following requirements:
Directory String (syntax: 2.5.5.12)
Upper Range of at least 4096
Supports Advanced Encryption, as selected from the Data Format options
For Active Directory data stores, the postalAddress field can be used
The One Time OATH List Property is required to enable the use of the feature; otherwise no mapping is necessary
The One Time OATH List feature temporarily stores a Time-based Passcode in the directory until the configured expiration to ensure that the OTP is used only once throughout its validity
Map the One Time OATH List Property to any directory field that is a Directory String
For Active Directory data stores, the wWWHomePage field (among many others) can be used
The OATH Tokens Property is required if OATH Token (Multi) is selected as the provisioning method on the Multi-Factor App Enrollment Realm; otherwise, no mapping is necessary
The OATH Tokens Property can be stored as Plain Binary, JSON, or JSON Encrypted format, and has distinct requirements for the LDAP directory attribute mapped to the Property based on the Data Format selection
For Plain Binary, map the OATH Tokens Property to a directory field that fulfills the following requirements:
Octet String (syntax: 2.5.5.10)
Multi-valued
Upper Range of at least 4096
For JSON or JSON Encrypted, map the OATH Tokens Property to a directory field that fulfills the following requirements:
DirectoryString (syntax: 2.5.5.12)
Multi-valued
Upper Range of at least 4096
For typical Active Directory integrations, the Data Format is Plain Binary and the registeredAddress field is used
Warning
NOTE: For SQL, ASP.net, and Oracle data stores, only the Plain Binary Data Format is supported for the OATH Tokens Property (configured on the Data tab); and for ODBC data stores, the OATH Tokens Property is not supported
Notice
Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for the full list of requirements
Warning
Click Save once the configurations have been completed an before leaving the Data page to avoid losing changes
Post Authentication
 |
3. In the Post Authentication section, select Self Service Account Update from the Authenticated User Redirect dropdown
4. An unalterable URL will be auto-populated in the Redirect To field, which appends to the domain name and realm number in the address bar (Authorized/AccountUpdate.aspx)
Warning
Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes
Identity Management
 |
5. Click Configure self service page
Self-service
 |
6. Select Show Disabled from the OATH Seed dropdown to display the OATH Seed on the client-side page
Notice
SecureAuth recommends selecting Hide from the OATH Seed dropdown as it is insecure to display the seed value; however, displaying the value is sometimes needed for provisioning purposes
7. Select Show Enabled from the OATH OTP Devices dropdown to enable administrative revocation of OATH Tokens on provisioned devices
Warning
Click Save once the configurations have been completed and before leaving the Self Service page to avoid losing changes
Notice
Refer to Self-service Account Update page configuration for the full configuration steps
End-user Experience
Notice
When the end-user is presented the page of Multi-Factor Authentication methods from which to choose, the Multi-Factor Authentication method that was last selected and used in a successful login attempt persists as the default method for the next login in each device / browser
Realm Using OATH as Second Factor
 |
1. When logging on a SecureAuth IdP realm in which OATH OTP is enabled, the Time-based Passcode choice(s) appears in the Multi-Factor Authentication methods list
2. Select Time-based Passcode and click Submit
Notice
If the device is provisioned on a Single (OATH Seed) Multi-Factor App Enrollment realm, then select Time-based Passcode - SecureAuth OTP Mobile App; if the device is provisioned on a Multi (OATH Token) SecureAuth App Enrollment realm, then select the appropriate app, e.g. Time-based Passcode - iPhone
 |
 |
3. Open the SecureAuth App being used (SecureAuth Authenticate App for Android and iOS shown in the example) and copy the OATH OTP
4. Paste or enter the OATH OTP into the web page, and click Submit
Account Management (Help Desk) Realm
 |
1. Once authenticated to the Account Management Help Desk Page, enter the username of the end-user whose OATH OTP Devices are to be revoked
2. Uncheck the undesired devices listed, or select Reset OTP Devices
3. Click Update and the changes are saved
Self-service Account Update Realm
 |
1. Once authenticated to the Self-service Account Update Page, scroll to the bottom and uncheck the undesired devices listed
2. Click Update and the changes are saved