OTP (One-Time Passwords)

If your token supports the one-time password (OTP One-Time Password. A password that is valid for only one login session or transaction, used to provide an additional layer of security.) generation function, you can access it from the OTP section in the left navigation pane.

The One-Time Passwords view

Additionally, the OTP section allows you to configure button press actions for Crescendo Keys.

Configuring One-Time Passwords

OTP Configuration Using QR Code

If you have a one-time password configuration QR code available, displayed on your screen, follow these steps to configure your OTP:

  1. Go to OTP in the left navigation pane and click the Configure button in the top-right corner of the screen.

    The One-Time Passwords view

  2. Click the button with the QR code icon in the top-right corner of the dialog to launch the snipping tool.

    The One-Time Password Configuration dialog with the QR code icon highlighted.

  3. Capture the QR code into the clipboard using the snipping tool.

    Note: If you already have a QR code captured in your clipboard, this action will use the content of the clipboard without activating the snipping tool.

  4. Crescendo Manager will automatically read the captured QR code and fill in the necessary details for you.

  5. For Crescendo 4000 family tokens, click the ClosedAccess Control Configuration dropdown to select the default access control behavior for your token when generating OTPs in contact and contactless modes.

    Access Control Configuration dropdown.

    • Always: No authentication is required for OTP generation.

    • Never: OTP generation is not allowed.

    • PIN: Authentication with PIN is required for OTP generation.

    • PIN and Touch: Both PIN entry and a button press on the token are required for OTP generation.

  6. Click Submit to finalize the OTP configuration.

  7. The configured OTP will appear as a new tile in the OTP view. To display the configuration details, hover over the information icon in the top-right corner of the tile.

Manual OTP Configuration

To configure your OTP manually:

  1. Go to OTP in the left navigation pane and click the Configure button in the top-right corner of the screen.

    The One-Time Passwords view

  2. Select the OTP type:

    One-Time Password Configuration dialog with the OTP Type dropdown highlighted.

    • HMAC-Based One-Time Password (HOTP): Generates a password based on a cryptographic hash function and a counter that increments each time a new OTP is generated. The password remains valid until it is used.

    • Time-Based One-Time Password (TOTP): Generates a password based on the current time and valid only for a short window of time.

    • OATH Challenge-Response: Generates a response based on a challenge sent by an authentication server, using the configured parameters.

  1. Enter a friendly name for your HOTP. UTF-8 characters and emojis are allowed.

  2. Select the algorithm for generating the HOTP from the secret. The available algorithms are SHA-1, SHA-256, and SHA-512.

  3. Select the encoding of the HOTP secret. The available encoding methods are Base32, Base64, Hexadecimal, and SKI Secure Key Injection is a FIPS certification-compliant protocol that ensures data protection when importing private keys, OTP secrets, and management keys. Wrapped. Default values are selected as SHA-1 and Base32.

    Tip! To learn more about SKI secret wrapping, see SKI Wrapper.

  4. Enter the HOTP secret key or click the Generate button to generate one.

  5. Select the number of digits for the OTP: six, eight, or ten digits. The default value is six digits.

  6. For Crescendo 4000 family tokens, click the ClosedAccess Control Configuration dropdown to select the default access control behavior for your token when generating OTPs in contact and contactless modes.

    Access Control Configuration dropdown.

    • Always: No authentication is required for OTP generation.

    • Never: OTP generation is not allowed.

    • PIN: Authentication with PIN is required for OTP generation.

    • PIN and Touch: Both PIN entry and a button press on the token are required for OTP generation.

  7. Use the toggle to choose whether to create a PSKC file Files used to securely transport and provision symmetric keys to cryptographic devices or software, following the Portable Symmetric Key Container (PSKC) format.. (The default selection can be set in Settings.)

  8. If creating a PSKC file, enter the PSKC transport key or use the pre-defined key, which you can set in Settings.

  9. Click Submit to finalize the OTP configuration.

A new tile representing the HOTP slot will be created in the OTP view, and if selected, a PSKC file will be generated in the directory specified in Settings.

  • To display the configuration details, hover over the information icon in the top-right corner of the tile.

  • To remove the configured password, click the trash bin icon .

One-Time Password tile with the Info icon and the trash bin icon highlighted.

  1. Enter a friendly name for your TOTP. UTF-8 characters and emojis are allowed.

  2. Select the algorithm for generating the TOTP from the secret. The available algorithms are SHA-1, SHA-256, and SHA-512.

  3. Select the encoding of the TOTP secret. The available encoding methods are Base32, Base64, Hexadecimal, and SKI Secure Key Injection is a FIPS certification-compliant protocol that ensures data protection when importing private keys, OTP secrets, and management keys. Wrapped. Default values are selected as SHA-1 and Base32.

    Tip! To learn more about SKI secret wrapping, see SKI Wrapper.

  4. Enter the OTP secret key or click the Generate button to generate one.

  5. Select the number of digits for the OTP: six, eight, or ten digits. The default value is six digits

  6. Set the validity time window in seconds. The maximum allowed time interval is 60 seconds.

  7. For Crescendo 4000 family tokens, click the ClosedAccess Control Configuration dropdown to select the default access control behavior for your token when generating OTPs in contact and contactless modes.

    Access Control Configuration dropdown.

    • Always: No authentication is required for OTP generation.

    • Never: OTP generation is not allowed.

    • PIN: Authentication with PIN is required for OTP generation.

    • PIN and Touch: Both PIN entry and a button press on the token are required for OTP generation.

  8. Use the toggle to choose whether to create a PSKC file Files used to securely transport and provision symmetric keys to cryptographic devices or software, following the Portable Symmetric Key Container (PSKC) format.. (The default selection can be set in Settings.)

  9. If creating a PSKC file, enter the PSKC transport key or use the pre-defined key, which you can set in Settings.

  10. Click Submit to finalize the OTP configuration.

 

A new tile representing the TOTP slot will be created in the OTP view, and if selected, a PSKC file will be generated in the directory specified in Settings.

  • To display the configuration details, hover over the information icon in the top-right corner of the tile.

  • To remove the configured password, click the trash bin icon .

One-Time Password tile with the Info icon and the trash bin icon highlighted.

  1. Enter a friendly name for your OATH Challenge-Response OTP. UTF-8 characters and emojis are allowed.

  2. You can set the OTP parameters manually in the OCRA Suite A configuration string used in OATH Challenge-Response Authentication (OCRA) that defines the parameters for generating one-time passwords. field or select the parameters in the dialog. The field will update accordingly.

  3. Select the algorithm for generating the OTP from the secret. The available algorithms are SHA-1, SHA-256, and SHA-512.

  4. Select the encoding of the OTP secret. The available encoding methods are Base32, Base64, Hexadecimal, and SKI Secure Key Injection is a FIPS certification-compliant protocol that ensures data protection when importing private keys, OTP secrets, and management keys. Wrapped. Default values are selected as SHA-1 and Base32.

    Tip! To learn more about SKI secret wrapping, see SKI Wrapper.

  5. Enter the OTP secret key or click the Generate button to generate one.

  6. Select whether the OTP should be six, eight or ten digits. The default value is set to six digits.

  7. Click the Use Time toggle to include the current time as a factor in generating the OTP.

    • Set the validity time window in seconds, minutes or hours. The maximum allowed time interval is 48 hours.

  8. Click the Use Counter toggle to include a counter as a factor that increments each time a new OTP is generated.

  9. Click the Use Password drop-down to include a SHA-1, SHA-256 or SHA-512 hashed password in the OTP generation.

  10. Click the Use Session Information drop-down to include 64-, 128-, 256-, or 512-byte session information in the OTP generation.

  11. In the Question (Challenge) Format drop-down, select whether the challenge should be alphanumeric, numeric, or hexadecimal.

  12. In the Max Question Length field, enter the limit for the challenge length. The maximum allowed value is 64.

  13. For Crescendo 4000 family tokens, click the ClosedAccess Control Configuration dropdown to select the default access control behavior for your token when generating OTPs in contact and contactless modes.

    Access Control Configuration dropdown.

    • Always: No authentication is required for OTP generation.

    • Never: OTP generation is not allowed.

    • PIN: Authentication with PIN is required for OTP generation.

    • PIN and Touch: Both PIN entry and a button press on the token are required for OTP generation.

  14. Use the toggle to choose whether to create a PSKC file Files used to securely transport and provision symmetric keys to cryptographic devices or software, following the Portable Symmetric Key Container (PSKC) format.. (The default selection can be set in Settings.)

  15. If creating a PSKC file, enter the PSKC transport key or use the pre-defined key, which you can set in Settings.

  16. Click Submit to finalize the OTP configuration.

 

A new tile representing the challenge-response OTP slot will be created in the OTP view, and if selected, a PSKC file will be generated in the directory specified in Settings.

  • To display the configuration details, hover over the information icon in the top-right corner of the tile.

  • To remove the configured password, click the trash bin icon .

One-Time Password tile with the Info icon and the trash bin icon highlighted.

Generating OTPs

Once you have configured an OTP, you can generate it by clicking on the respective slot in the OTP view.

  • A generated HOTP or TOTP will automatically be copied into your clipboard.

  • For an OCRA OTP, you will be prompted to provide a challenge. A password and session data may also be required, if configured.

Viewing OTP Details

To view the OTP details, hover over the information icon in the top-right corner of the OTP tile.

One-Time Password tile with the information icon highlighted and details displayed.

The configuration details will appear in a pop-up.

Deleting Configured OTPs

To delete a configured OTP, click the trash bin icon Trash Bin Iconin the bottom-right corner of the OTP tile in the OTP view.

A dialog will open prompting you to confirm the deletion.

Configuring Button Press Actions for Crescendo Keys

The OTP section allows you to configure the actions triggered by single or double button presses on your Crescendo Key, depending on the key type. Available options vary by token type and may not be supported by your token.

One-Time Password view with the single and double press action sections highlighted.

To configure the single or double press action:

  1. Go to OTP in the left navigation pane and click the plus button next to the selected available action.

  2. The Token Single/Double Press Configuration dialog will open.

  3. Depending on your key type, select the desired Button Press Action from the available options:

  4. Configure your HOTP or Closedstatic password.

    Token Double Press Configuration dialog with Static password selected.

    1. Enter a friendly name for your static password. UTF-8 characters and emojis are allowed.

    2. Manually type the static password into the Static Password field, pressing the keys within the illustrated area. Shift and Alt combinations are allowed for additional character options.

    Note:

    Crescendo Manager records the key-press sequence, not the characters themselves. As a result, if the keyboard layout changes (e.g., when using a different input method), pressing the button on your Crescendo Key may produce a different combination of characters. Ensure that the keyboard layout remains consistent when entering passwords using the press button action.

  5. The newly configured password appears in the OTP interface.

  • To display the configuration details, hover over the information icon.

  • To remove the configured password, click the trash bin icon .

Inserting Static Passwords and HOTPs With Your Crescendo Key

If you have configured single or double press actions for your Crescendo Key, you can use them to insert or generate and insert the configured passwords.

To insert your static password or generate and insert an HOTP with your Crescendo Key:

  1. Place your cursor where you want to insert the password.

  2. Press or double-press the button on your Crescendo Key.

  3. The HOTP or static password will be inserted.