TOTP Integration

Time-based one-time passwords (TOTP) are used as a second-factor authentication method to supplement an initial PIN/password authentication.

TOTP relies on a shared secret that is known to both the server and the client. The authentication code is generated by processing the secret and the current time with a specified hashing algorithm. The current time is divided into periods called time steps, which define how long an authentication code is valid: during each time step the secret produces one particular code.

TOTP Registration

An end-user completes TOTP registration by following a two step process:

  1. A QR code is generated in the TrustWeb application which is scanned and stored in their authentication application.
  2. An initial authentication is completed by the end-user to prove that they have registered the QR code and it is compatible with their authenticator application.

TrustX integrators will be required to configure a Custom Data Form that provides the end-user with the QR code to be scanned before executing the TOTP registration activity. This activity will also perform an initial authentication. As such, it is required that the Custom Data Form also contains a field for text input that can accept the TOTP password generated by the end-user's authentication application.

For information on configuring a TOTP registration flow, see the TOTP Registration guide.

TOTP Authentication

A TOTP Authentication involves validating the authentication code from a device against a policy for an Identity Store User. This is similar to the process of completing a registration but requires an active TOTP registration first.

If an authentication fails, the User's lock count is incremented. A locked User cannot authenticate.

See the TOTP Authentication guide for information on configuring a standard authentication flow.

Guides

Further Reading

  • Managing Identity Stores - Provides information on managing Identity Stores which contain a collection of Users.
  • Managing Users - Details how to manage Users stored within the Identity Store.