Version Affected: 9.2+
Description:
This guide explains how OATH Seed and OATH Token Time-Based One-Time Passcode (TOTP) values are generated using SecureAuth Authenticate, Google Authenticator, or Microsoft Authenticator. Since our OATH Enrollment Realm for TOTP is set to 60 seconds by default, this guide will discuss how to use both 30-second and 60-second intervals if desired.
For more information on what each Authenticator supports, we have an article on that as well.
According to that article, SecureAuth Authenticate allows any time interval to be used. However, Google Authenticator and Microsoft Authenticator only allow 30-second time intervals.
Resolution:
In this example, the environment is already set for 60-second intervals using OATH Seed. The goal is to keep the already enrolled 60-second intervals and add new 30-second interval enrollments using OATH Token.
1. Set up an OATH Token realm to enroll users for 30-second intervals. It does not matter whether it uses QR or URL Enrollment. Make sure to map a writable attribute to OATH Token in the Data tab.
2. Map the same attribute to OATH Token on every authentication realm where you want to use 30-second intervals.
3. Do not change any of the Time-Based Passcode (OATH) settings in the Multi-Factor Methods tab on the realm. OATH Tokens do not rely on those settings to compute a TOTP, but the OATH Seed does.
Note: If you wish to convert your OATH Seed values to OATH Token values, check the OATH Token attribute as writable on your authentication realms in Step 2. This will convert the 60-second interval OATH Seed to an OATH Token the next time the user attempts to log in with TOTP, based on the information in Step 3. If you are unsure what OATH Seeds versus OATH Tokens contain, here is an article explaining the differences.
Note 2: If your environment only contains OATH Tokens, you can just follow Step 1 and create a new realm with a new interval. Since the OATH Tokens contain the intervals themselves, you can use both OATH Token intervals at the same time.
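The following added example (not SecureAuth code) shows why the interval matters: the same secret yields different passcodes at 30-second and 60-second steps, so a 30-second-only authenticator app fails against a record validated with the realm's 60-second setting. The record layout (`kind`, `secret`, `step`) and the function names are hypothetical, and the secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1); step is the interval in seconds."""
    counter = unix_time // step                  # whole intervals elapsed
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def effective_step(record: dict, realm_step: int) -> int:
    """Token records carry their own interval; seed records use the realm's."""
    return record["step"] if record["kind"] == "token" else realm_step

def verify(record: dict, submitted: str, unix_time: int,
           realm_step: int = 60) -> bool:
    """Validate a passcode for the current interval only (no drift window)."""
    step = effective_step(record, realm_step)
    expected = totp(record["secret"], unix_time, step)
    return hmac.compare_digest(expected, submitted)

# Constructed sample data (hypothetical layout, RFC 6238 test secret).
SECRET = b"12345678901234567890"
SEED_60 = {"kind": "seed", "secret": SECRET}                # realm decides step
TOKEN_30 = {"kind": "token", "secret": SECRET, "step": 30}  # step stored inside

if __name__ == "__main__":
    now = 59                                     # constructed timestamp
    app_code = totp(SECRET, now, 30)             # a 30-second-only app shows this
    print("30s code:", app_code, "| 60s code:", totp(SECRET, now, 60))
    print("30s app vs seed on 60s realm:", verify(SEED_60, app_code, now))
    print("30s app vs 30s token:        ", verify(TOKEN_30, app_code, now))
```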
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.