One-Time Password Credentials
A One-Time Password (OTP) credential uses an automatically generated time-sensitive numeric code for authentication.
The OTP credential can be used for authentication at Microsoft Windows logon and within a Windows session as defined by the Logon or Session Policy in force, as well as for DigitalPersona Password Manager trained applications, websites or network resources and SAML-compliant portals such as Microsoft Office 365.
It also can be used for authentication to the DigitalPersona Identity Server, providing access to the DigitalPersona Administration Console, and HID DigitalPersona Enrollment, as well as for verifying your identity within HID DigitalPersona Enrollment when enrolling or managing credentials.
A QR Code scanner app on your device greatly simplifies enrollment of software-based tokens by automating the entry of the required account information. It is not required, however, as the information can also be entered manually.
The verification code may be generated in one of the following ways:
- Authenticator app - a software token is generated by a special authenticator app on a user’s mobile device, and the resulting time-sensitive code is used for authentication.
- OTP Push Notification - a software token is generated by DigitalPersona and sent to a mobile device, where the user can Accept or Deny its use for authentication. This feature is only available through the DigitalPersona authentication app: although third-party authentication apps can generate the OTP, Push Notification is only available through the DigitalPersona app.
- OTP via SMS - a software token is generated by DigitalPersona, and a time-sensitive code that can be used for authentication is sent to a mobile device through SMS.
- Hardware token - a dedicated hardware device generates a time-sensitive code used for authentication. The hardware token must be an OATH-compliant TOTP (Time-based One-Time Password) device.
- OTP via email - (For AD Users only) if enabled by the administrator, the option to have a One-Time Password sent to the user’s email address is automatically available (enrolled) upon completing the enrollment of any of the other types of OTP credentials described above.
Note: To authenticate using OTP via SMS or OTP via email, the user’s workstation must be able to connect to the DigitalPersona LDS Server, either within the network, through a VPN or using the VPN-less (web proxy) feature which is enabled through the Allow VPN-less access GPO setting.
Enrolling an OTP Credential
The steps in the enrollment of an OTP credential differ slightly based on the type of OTP credential described above.
Authenticator App and Push Notification
During enrollment, you may choose not to use OTP Push Notification by selecting Decline on the Push Authentication page, in which case, you can still use regular (non-push) OTP.
On the Credential Manager, One-Time Password page, you can download an OTP authentication app, and then enroll the OTP credential for use with the authenticator app and OTP Push Notification (if configured).
The steps to enrolling a software-based OTP token to be used with an authenticator app or OTP Push Notification are:
Download an Authenticator App
- From the DigitalPersona Console, click Credential Manager, and then click the One-Time Password tile.
- On the One-Time Password page, select Software token as the token type if it is not already selected. (It is the default.)
- Click the Download phone app link to display a dialog where you can download and install the authenticator app for your device.
- Select your device’s app store, and then scan the QR code provided or click the corresponding Download link.
  The DigitalPersona app is currently available in the Apple Store and on Google Play.
  For the Windows and Blackberry mobile platforms, the Microsoft and Google Authenticator apps provide nearly identical functionality, although setup and enrollment steps may vary slightly.
  - Scanning the QR code with a QR Code scanner app on your device is the simplest procedure. It automatically opens your device’s default web browser and displays the product page for the selected authentication app so that you can download and install the app.
  - Clicking the Download link opens the selected app store in your computer’s default browser. Some app stores may require signing in and/or downloading the app and copying it to your device.
The instructions that follow are for the DigitalPersona app as installed on an iPhone. Instructions for the use of other authentication apps and devices may differ slightly.
Set Up a DigitalPersona Account on Your Device
- Launch the DigitalPersona mobile app on your device:
  - On iOS - The first time the app is launched, the Register screen displays, with a popup dialog requesting you to allow the app to send you notifications. Click OK to allow DigitalPersona Mobile to send you notifications.
    Note: If you do not allow notifications, you will not be able to use the PUSH notification feature for One-Time Passwords.
  - On Android systems - The first time the app is launched, the Register screen displays. Notifications are enabled by default for the app, and therefore PUSH OTP will be operational (if the Privacy Policy is accepted as described below).
- Click Register.
- Enter and verify a six-digit passcode.
- On the Diagnostic and Usage page, accept the defaults or tap an option to deselect it.
- On the Accounts screen, click the Camera icon. You will be asked for permission to access your device’s camera. Tap OK if you want to use the camera to scan the QR Code for automatically creating your DigitalPersona Mobile account. If you click Don’t Allow, you will not be able to create an account or use the Authenticator app.
- On the Scan QR Code screen, scan the QR code that displays on the One-Time Password page. Do not scan the QR code from the app store dialog again; that code was only used to download the app.
- If the Push Authentication Server has been previously set up by your DigitalPersona Administrator, Push Authentication will be automatically enabled for your device once you choose to Accept the associated Privacy Policy. If you choose to Decline the Privacy Policy, Push Authentication will not be enabled.
- Once the account information is displayed, tap Save. The DigitalPersona Mobile account will be created and the Accounts screen displayed with the new account and your first One-Time Password shown.
- Manual account creation - this feature is reserved for use by DigitalPersona technicians.
Sign in to the DigitalPersona Mobile App
Once you have registered as described in the previous pages, you can sign in to the app as follows.
- Launch the DigitalPersona Mobile app.
- Sign in:
  - Fingerprint enabled devices - You can enable fingerprint authentication to the DigitalPersona Mobile app by selecting Enable Touch ID on the Sign In screen or later in the DigitalPersona Mobile Settings. Then touch the fingerprint sensor to sign in.
  - Non-fingerprint enabled devices - Tap Sign In and then enter your six-digit DigitalPersona Mobile passcode.
Enroll the OTP Credential
- On the DigitalPersona Console Home page, select Credential Manager, and click ADD on the One-Time Password tile to display the One-Time Password page.
- On your device, sign in to the DigitalPersona Mobile app.
- On your computer, enter the six-digit verification code displayed in the app and click Save.
OTP for SMS Delivery
On the Credential Manager, One-Time Password page, you can enroll an OTP credential that will transparently generate a time-sensitive code that is sent to your mobile device and display a notification asking you to Allow or Deny its use for authentication.
Enrollment of the SMS delivery feature requires that a DigitalPersona administrator has previously created a Nexmo (https://www.nexmo.com) account and entered the Nexmo account information into the OTP settings on the DigitalPersona Server, as described in Security\SMS.
To enroll the OTP via SMS credential:
- On the One-Time Password page, click the Get One-Time Password via SMS link.
- Enter the number for the mobile device that you would like to enroll in order to receive a One-Time Password through SMS delivery.
- Click Send.
- You will receive an SMS message on your mobile device containing a six-digit verification code.
- On your computer, enter the verification code into the Type verification code from the phone field.
- The Credential Manager page will redisplay and the One-Time Password tile will now show the Change caption, indicating that a One-Time Password credential has been enrolled.
OTP Hardware Token
On the Credential Manager, One-Time Password page, you can enroll a hardware token as a DigitalPersona credential. The hardware device can then be used to generate a code for authentication. Note that hardware tokens must be OATH compliant TOTP (Time-based One-Time Password) or HOTP (HMAC-based One-Time Password) devices.
Typical TOTP hardware tokens: (illustration not reproduced)
Typical HOTP hardware tokens: (illustration not reproduced)
To enroll an OTP credential using a hardware token:
- From the DigitalPersona Console, click Credential Manager, click the One-Time Password tile and, from the Select token type drop-down list, select Hardware token.
- Enter the serial number for your hardware token, which is usually found on the back of the device.
  Note: A vendor-supplied file associated with a specific set of hardware tokens must have been previously imported to the DigitalPersona Server before the hardware token can be enrolled (see Hardware Tokens Management Utility).
- Activate your hardware device. On some hardware tokens, you will simply need to press a button to do so; on others you will need to enter a preselected PIN to display the valid code on your device.
- Enter the verification code displayed on your device and click Save.
OTP Sent Through Email
(For AD Users only) If enabled by the administrator through the associated Send OTP by email GPO setting, the option to have a One-Time Password sent to the user’s email address is automatically available (enrolled) upon completing the enrollment of any of the other types of OTP credentials described above.
Authentication with a One-Time Password
To authenticate with your One-Time Password, use one of the following options depending on from where you are authenticating:
- At Windows logon, select Sign-in options and then select the One-Time Password (or OTP) tile to display One-Time Password options.
- On any Verify your Identity screen, select the One-Time Password (or OTP) tile.
You can use an OTP credential in any of the following ways:
- Select Send push notification to send a One-Time Password to your enrolled mobile device, allowing you to Approve or Deny authentication.
- Select Send SMS to send an SMS message to your enrolled mobile device with a One-Time Password that you can enter on your computer for authentication.
- Launch your previously registered authentication app on your mobile device and enter the resulting One-Time Password into the entry field on your computer.
- Activate the display on an enrolled hardware token, and enter the displayed One-Time Password on your computer.
In most cases, enter your One-Time Password into the One-Time Password field on your computer screen and select the arrow button. When using push notification, you do not need to enter the code on your computer, as tapping Approve or Deny on your mobile device automatically authenticates to your computer.
For some types of HOTP tokens, make sure that focus is located on the One-Time Password field, push the button on the HOTP device, and then click on the arrow button.
Change your OTP Credential
Once the credential has been enrolled, the word CHANGE will display beneath the OTP tile.
- On the Credential Manager page, click CHANGE on the One-Time Password tile.
- Confirm that you want to delete the current OTP credential and enroll a new credential.
- Enroll the new OTP credential.
Delete your OTP Credential
Once the credential has been enrolled, the word DELETE will display beneath the OTP tile.
- On the Credential Manager page, click DELETE on the One-Time Password tile.
- Confirm the deletion.
Syncing the HOTP Counter During Authentication
An HOTP token advances its counter every time a code is generated, whether or not that code is used. If the token's counter has moved ahead of the server's counter by more than the look-ahead window (the de-sync value exceeds the window), the user won't be able to authenticate with OTP.
This may be resolved by entering two concatenated HOTP codes during authentication, which both re-syncs the HOTP counter and authenticates the user:
- The user generates two consecutive OTP codes on the token, types them one after the other into the OTP field and presses Enter.
- This doubles the length of the entered value, i.e. if a 6-digit OTP code is used, the entered value would be 12 digits.
This only works with the Hardware OTP device, and not with other variations of OTP such as TOTP.