
Introduction

Use this guide to enable the use of Time-based Passcodes (OATH OTPs) as a Registration Method for Multi-Factor Authentication.

OATH OTPs are generated by the SecureAuth Mobile Apps, Desktop Client Applications, and Chrome Browser Extension, and can be used in any realm that requires 2-Factor Authentication to reach the post-authentication action. Depending on how the SecureAuth App Enrollment realm is configured and on the application(s) used to generate OATH OTPs, SecureAuth IdP creates either OATH Tokens or OATH Seeds.

If OATH Tokens are used, SecureAuth IdP supports one-touch revocation of OATH Tokens to ensure security even if an OTP application is compromised. Refer to the Account Management (Help Desk) Realm Configuration Steps and Self-service Account Update Realm Configuration Steps below to learn how to configure the Help Desk and Self-service realms for administrator revocation or self-revocation of OATH Tokens, and refer to the End-user Experience section below to learn how to revoke OATH Tokens on the client-side pages.

Prerequisites

1. Configure the SecureAuth App Enrollment Realm

2. Provision end-users' devices / browsers to generate Time-based Passcodes

3. Create a New Realm in the SecureAuth IdP Web Admin or access existing realm(s) for which OATH OTPs are to be used for 2-Factor Authentication

4. Configure the following tabs in the Web Admin before configuring for OATH OTPs:

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access the target must be defined
  • Registration Methods / Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access the target (if any) must be defined (for Account Management Realm and Self-service Account Update Realm only)
  • Post Authentication – the target of the realm must be defined (for Realm Using OATH as Second Factor only)

The Registration Methods tab in SecureAuth IdP Version 9.0 has been renamed Multi-Factor Methods as of Version 9.0.1

For the SecureAuth IdP 8.2 version of this document, see Time-based Passcodes (OATH) Registration Method for 2-Factor Authentication

Realm Using Time-based Passcodes as Second Factor Configuration Steps
Data

The following Data tab steps are for LDAP directories only

If using a different directory (SQL, ASP.NET, Oracle, etc.), then the Properties need to be mapped to the data store via stored procedures (step 2)


1. In the Membership Connection Settings section, note the Search Attribute directory field, e.g. sAMAccountName

The Search Attribute directory field must be the same in all realms using Time-based Passcodes for Multi-Factor Authentication, in all IdM pages that require access to the directory fields, and in the Multi-Factor App Enrollment Realm

Profile Fields

2. Map the necessary Properties to data store fields and check Writable:

The OATH Seed Property is required if OATH Seed (Single) is selected as the provisioning method in the Multi-Factor App Enrollment Realm; otherwise, no mapping is necessary

Map the OATH Seed Property to a directory field that fulfills the following requirements:

    • Directory String (syntax: 2.5.5.12)
    • Upper Range of at least 4096
    • Supports Advanced Encryption, as selected from the Data Format options

For Active Directory data stores, the postalAddress field can be used

The One Time OATH List Property is required to enable the use of the feature; otherwise no mapping is necessary

The One Time OATH List feature temporarily stores a Time-based Passcode in the directory until the configured expiration to ensure that the OTP is used only once throughout its validity

Map the One Time OATH List Property to any directory field that is a Directory String

For Active Directory data stores, the wWWHomePage field (among many others) can be used

The OATH Tokens Property is required if OATH Token (Multi) is selected as the provisioning method in the Multi-Factor App Enrollment Realm; otherwise, no mapping is necessary

The OATH Tokens Property can be stored as Plain Binary, JSON, or JSON Encrypted format, and has distinct requirements for the LDAP directory attribute mapped to the Property based on the Data Format selection

For Plain Binary, map the OATH Tokens Property to a directory field that fulfills the following requirements:

      • Octet String (syntax: 2.5.5.10)
      • Multi-valued
      • Upper Range of at least 4096

For JSON or JSON Encrypted, map the OATH Tokens Property to a directory field that fulfills the following requirements:

      • DirectoryString (syntax: 2.5.5.12)
      • Multi-valued
      • Upper Range of at least 4096

For typical Active Directory integrations, the Data Format is Plain Binary and the registeredAddress field is used

NOTE: For SQL, ASP.net, and Oracle data stores, only the Plain Binary Data Format is supported for the OATH Tokens Property (configured in the Data tab); and for ODBC data stores, the OATH Tokens Property is not supported

Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for the full list of requirements

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Registration Methods / Multi-Factor Methods


3. In the Registration Configuration section, under Time-based Passcodes (OATH), select Enabled from the Time-based Passcodes dropdown

4. Select the number of digits of which the OATH OTPs are comprised from the Passcode Length dropdown

5. Set the Passcode Change Interval to the number of seconds the OATH OTP displays and for how long the code is valid

6. Set the Passcode Offset to the tolerance for time differences between devices; the offset also keeps a code valid for a period after it is no longer displayed

7. Set the Cache Lockout Duration to the number of minutes the OATH Service remains unusable after multiple failed login attempts

Be sure that the Passcode Length and Passcode Change Interval are the same in the realm(s) using OATH as a registration method and in the SecureAuth App Enrollment Realm

SecureAuth App Enrollment Realm Example Image

Click Save once the configurations have been completed and before leaving the Registration Methods page to avoid losing changes
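The following is an added example, not SecureAuth's code, showing how the settings from steps 3 to 7 and the One Time OATH List feature from the Data tab interact on the verifying side: an RFC 6238 TOTP is recomputed for the current time step, the Passcode Offset widens the accepted window, the One Time OATH List holds each accepted code until it can no longer be valid so it cannot be replayed, and the Cache Lockout Duration blocks the service after repeated failures. The numeric values, the assumption that the Passcode Offset is expressed in seconds, and the failure threshold of three attempts are constructed for the example (the page only says "multiple failed login attempts"); the seed is the RFC 6238 test-vector seed.

```python
import hashlib
import hmac
import struct

# Setting names follow the Registration Methods tab; the values are constructed for this example.
PASSCODE_LENGTH = 6             # Passcode Length (digits)
PASSCODE_CHANGE_INTERVAL = 30   # Passcode Change Interval (seconds)
PASSCODE_OFFSET = 30            # Passcode Offset; assumed here to be seconds of tolerated skew
CACHE_LOCKOUT_DURATION = 5      # Cache Lockout Duration (minutes)
MAX_FAILED_ATTEMPTS = 3         # assumed threshold; the page does not state a number


def totp(seed: bytes, unix_time: int, step: int = PASSCODE_CHANGE_INTERVAL,
         digits: int = PASSCODE_LENGTH) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OathVerifier:
    """Server-side check with a skew window, a one-time-use list and a lockout."""

    def __init__(self, seed: bytes):
        self.seed = seed
        # One Time OATH List: accepted code -> unix time at which the entry expires.
        self.used: dict[str, int] = {}
        self.failures = 0
        self.locked_until = 0

    def _purge(self, now: int) -> None:
        # Drop list entries whose code can no longer be accepted anyway.
        self.used = {c: exp for c, exp in self.used.items() if exp > now}

    def verify(self, submitted: str, now: int) -> bool:
        if now < self.locked_until:
            return False                      # OATH service unusable during lockout
        self._purge(now)
        if submitted in self.used:
            return False                      # replay of a code still inside its validity
        steps = PASSCODE_OFFSET // PASSCODE_CHANGE_INTERVAL
        for k in range(-steps, steps + 1):    # current step plus the offset on either side
            t = now + k * PASSCODE_CHANGE_INTERVAL
            if hmac.compare_digest(totp(self.seed, t), submitted):
                # Keep the code listed until the last instant the offset would still accept it.
                expires = ((t // PASSCODE_CHANGE_INTERVAL) + 1) * PASSCODE_CHANGE_INTERVAL + PASSCODE_OFFSET
                self.used[submitted] = expires
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + CACHE_LOCKOUT_DURATION * 60
            self.failures = 0
        return False


if __name__ == "__main__":
    # RFC 6238 test-vector seed; at unix time 59 the 6-digit SHA1 code is 287082.
    v = OathVerifier(b"12345678901234567890")
    print(v.verify("287082", 59), v.verify("287082", 60))   # True False (second is a replay)
```

The verifier only ever compares against codes it derives itself from the stored seed, which is why the page insists that Passcode Length and Passcode Change Interval match between the enrollment realm and the realms that verify: a mismatch means the server and the app compute different codes for the same moment.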

Account Management (Help Desk) Realm Configuration Steps
Data

The following Data tab steps are for LDAP directories only

If using a different directory (SQL, ASP.NET, Oracle, etc.), then the Properties need to be mapped to the data store via stored procedures (step 2)


1. In the Membership Connection Settings section, note the Search Attribute directory field, e.g. sAMAccountName

The Search Attribute directory field must be the same in all realms using Time-based Passcodes for Multi-Factor Authentication, in all IdM pages that require access to the directory fields, and in the Multi-Factor App Enrollment Realm

Profile Fields

2. Map the necessary Properties to data store fields and check Writable:

The OATH Seed Property is required if OATH Seed (Single) is selected as the provisioning method in the Multi-Factor App Enrollment Realm; otherwise, no mapping is necessary

Map the OATH Seed Property to a directory field that fulfills the following requirements:

    • Directory String (syntax: 2.5.5.12)
    • Upper Range of at least 4096
    • Supports Advanced Encryption, as selected from the Data Format options

For Active Directory data stores, the postalAddress field can be used

The One Time OATH List Property is required to enable the use of the feature; otherwise no mapping is necessary

The One Time OATH List feature temporarily stores a Time-based Passcode in the directory until the configured expiration to ensure that the OTP is used only once throughout its validity

Map the One Time OATH List Property to any directory field that is a Directory String

For Active Directory data stores, the wWWHomePage field (among many others) can be used

The OATH Tokens Property is required if OATH Token (Multi) is selected as the provisioning method in the Multi-Factor App Enrollment Realm; otherwise, no mapping is necessary

The OATH Tokens Property can be stored as Plain Binary, JSON, or JSON Encrypted format, and has distinct requirements for the LDAP directory attribute mapped to the Property based on the Data Format selection

For Plain Binary, map the OATH Tokens Property to a directory field that fulfills the following requirements:

      • Octet String (syntax: 2.5.5.10)
      • Multi-valued
      • Upper Range of at least 4096

For JSON or JSON Encrypted, map the OATH Tokens Property to a directory field that fulfills the following requirements:

      • DirectoryString (syntax: 2.5.5.12)
      • Multi-valued
      • Upper Range of at least 4096

For typical Active Directory integrations, the Data Format is Plain Binary and the registeredAddress field is used

NOTE: For SQL, ASP.net, and Oracle data stores, only the Plain Binary Data Format is supported for the OATH Tokens Property (configured in the Data tab); and for ODBC data stores, the OATH Tokens Property is not supported

Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for the full list of requirements

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Post Authentication


3. In the Post Authentication section, select Account Management from the Authenticated User Redirect dropdown

4. The Redirect To field is auto-populated with a fixed, unalterable path (Authorized/ManageAccounts.aspx) that is appended to the domain name and realm number shown in the address bar

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Identity Management


5. Click Configure help desk page

Help Desk


6. Select Show Disabled from the OATH Seed dropdown to display the OATH Seed on the client-side page

SecureAuth recommends selecting Hide from the OATH Seed dropdown as it is insecure to display the seed value; however, displaying the value is sometimes needed for provisioning purposes

7. Select Show Enabled from the OATH OTP Devices dropdown to enable administrative revocation of OATH Tokens on provisioned devices

Click Save once the configurations have been completed and before leaving the Help Desk page to avoid losing changes

Refer to Account Management (Help Desk) Page Configuration Guide for the full configuration steps

Self-service Account Update Realm Configuration Steps
Data

The following Data tab steps are for LDAP directories only

If using a different directory (SQL, ASP.NET, Oracle, etc.), then the Properties need to be mapped to the data store via stored procedures (step 2)


1. In the Membership Connection Settings section, note the Search Attribute directory field, e.g. sAMAccountName

The Search Attribute directory field must be the same in all realms using Time-based Passcodes for Multi-Factor Authentication, in all IdM pages that require access to the directory fields, and in the Multi-Factor App Enrollment Realm

Profile Fields

2. Map the necessary Properties to data store fields and check Writable:

The OATH Seed Property is required if OATH Seed (Single) is selected as the provisioning method in the Multi-Factor App Enrollment Realm; otherwise, no mapping is necessary

Map the OATH Seed Property to a directory field that fulfills the following requirements:

    • Directory String (syntax: 2.5.5.12)
    • Upper Range of at least 4096
    • Supports Advanced Encryption, as selected from the Data Format options

For Active Directory data stores, the postalAddress field can be used

The One Time OATH List Property is required to enable the use of the feature; otherwise no mapping is necessary

The One Time OATH List feature temporarily stores a Time-based Passcode in the directory until the configured expiration to ensure that the OTP is used only once throughout its validity

Map the One Time OATH List Property to any directory field that is a Directory String

For Active Directory data stores, the wWWHomePage field (among many others) can be used

The OATH Tokens Property is required if OATH Token (Multi) is selected as the provisioning method in the Multi-Factor App Enrollment Realm; otherwise, no mapping is necessary

The OATH Tokens Property can be stored as Plain Binary, JSON, or JSON Encrypted format, and has distinct requirements for the LDAP directory attribute mapped to the Property based on the Data Format selection

For Plain Binary, map the OATH Tokens Property to a directory field that fulfills the following requirements:

      • Octet String (syntax: 2.5.5.10)
      • Multi-valued
      • Upper Range of at least 4096

For JSON or JSON Encrypted, map the OATH Tokens Property to a directory field that fulfills the following requirements:

      • DirectoryString (syntax: 2.5.5.12)
      • Multi-valued
      • Upper Range of at least 4096

For typical Active Directory integrations, the Data Format is Plain Binary and the registeredAddress field is used

NOTE: For SQL, ASP.net, and Oracle data stores, only the Plain Binary Data Format is supported for the OATH Tokens Property (configured in the Data tab); and for ODBC data stores, the OATH Tokens Property is not supported

Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for the full list of requirements

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Post Authentication


3. In the Post Authentication section, select Self Service Account Update from the Authenticated User Redirect dropdown

4. The Redirect To field is auto-populated with a fixed, unalterable path (Authorized/AccountUpdate.aspx) that is appended to the domain name and realm number shown in the address bar

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Identity Management


5. Click Configure self service page

Self-service


6. Select Show Disabled from the OATH Seed dropdown to display the OATH Seed on the client-side page

SecureAuth recommends selecting Hide from the OATH Seed dropdown as it is insecure to display the seed value; however, displaying the value is sometimes needed for provisioning purposes

7. Select Show Enabled from the OATH OTP Devices dropdown to enable administrative revocation of OATH Tokens on provisioned devices

Click Save once the configurations have been completed and before leaving the Self Service page to avoid losing changes

Refer to Self-service Account Update Page Configuration Guide for the full configuration steps

End-user Experience

In SecureAuth IdP v9.0.2+, when the end-user is presented with the page of Multi-Factor Authentication methods from which to choose, the method last selected and used in a successful login persists as the default method for the next login on each device / browser

Realm Using OATH as Second Factor


1. When logging into a SecureAuth IdP realm in which OATH OTP is enabled, the Time-based Passcode choice(s) appears in the 2-Factor Authentication methods list

2. Select Time-based Passcode and click Submit

If the device is provisioned on a Single (OATH Seed) SecureAuth App Enrollment realm, then select Time-based Passcode - SecureAuth OTP Mobile App; if the device is provisioned on a Multi (OATH Token) SecureAuth App Enrollment realm, then select the appropriate app, e.g. Time-based Passcode - iPhone

3. Open the SecureAuth App being used (SecureAuth Authenticate App for iOS and Android shown in the example) and copy the OATH OTP

4. Paste or enter the OATH OTP into the web page, and click Submit

Account Management (Help Desk) Realm


1. Once authenticated to the Account Management Help Desk Page, enter the username of the end-user whose OATH OTP Devices are to be revoked

2. Uncheck the undesired devices listed, or select Reset OTP Devices

3. Click Update and the changes are saved

Self-service Account Update Realm


1. Once authenticated to the Self-service Account Update Page, scroll to the bottom and uncheck the undesired devices listed

2. Click Update and the changes are saved