OTP Generation

View this page for | |

Once the keys are provisioned, the device is ready to generate One-Time Passwords. OTPs are typically used to authenticate an end user to an application that delegates authentication to the HID authentication platform.

OTP Generation Workflow

The HID Approve SDK supports the following synchronous OTP algorithms:

  • HOTP (RFC 4226 HMac-Based One-Time Password Algorithm)
  • TOTP (RFC 6238 Time-Based One-Time Password Algorithm)

It also supports the following asynchronous (challenge/response) algorithm:

  • OCRA (RFC 6287 OATH Challenge-Response Algorithm)
Note: An OTP can be generated while the mobile device is offline (that is, without an internet connection).

Synchronous OTP Generation

The mobile application generates an OTP as follows:

  1. Create an instance of the Device (DeviceFactory.getDevice).
  2. Get the instance of the Container (Device.findContainers).
  3. Find the key with usage KEY_PROPERTY_USAGE_OTP (Container.findKeys).
  4. Check if the protection policy is a password policy, and prompt the user as required (Key.getProtectionPolicy).
  5. Get the OTP generator (Key.getDefaultOTPGenerator).
  6. Verify it is a SyncOTPGenerator and get the OTP (SyncOTPGenerator.getOTP).

Sample OTP Generation on Android

Copy
// Get Device instance with default connection configuration
Device device = DeviceFactory.getDevice(ctx, null);
 
// Get all containers; here we assume there is only one
Container[] containers = device.findContainers(new Parameter[0]);
 
// Find keys for usage OTP; here we assume there is only one
// If more than one is configured, then label can be used to distinguish them
Parameter[] filter = new Parameter[]{new Parameter(SDKConstants.KEY_PROPERTY_USAGE, SDKConstants.KEY_PROPERTY_USAGE_OTP)};
Key[] keys = containers[0].findKeys(filter);
Key otpKey = keys[0];
 
// Get default OTP generator for this key.
OTPGenerator otpGenerator = otpKey.getDefaultOTPGenerator();
 
// Get the next OTP.
// We assume the generator is Synchronous (HOTP or TOTP algorithms)
// We assume the key is not password protected (password null)
char[] nextOtp = ((SyncOTPGenerator)otpGenerator).getOTP(null);

Challenge / Response Authentication

For now, only OCRA algorithm is supported. The algorithm provides mechanisms that leverage the HOTP algorithm and offer one-way and electronic signature capabilities (these are called algorithm modes).

Refer to RFC 6287 for further details. This section only describes how to handle the two algorithm modes for authentication with the HID Approve SDK.

Note: Only one-way authentication and signature algorithm modes are supported by the SDK. The modes are configured in the HID authentication platform in the credential type.

Getting Asynchronous OTP Generator

  1. Regardless of the algorithm mode, the first operation is to get the AsyncOTPGenerator instance (see code snippets for synchronous OTP generation above).
  2. Create an instance of the Device (DeviceFactory.getDevice).
  3. Get the instance of the Container (Device.findContainers).
  4. Find the key with usage KEY_PROPERTY_USAGE_OTP (Container.findKeys).
  5. Check if the protection policy is a password policy, and prompt the user as required (Key.getProtectionPolicy).
  6. Get the OTP generator (Key.getDefaultOTPGenerator).
  7. Verify it is a AsyncOTPGenerator.

One-Way Authentication

For this use case, the OTP generator computes a response from a challenge provided by the authentication server (typically, the challenge is displayed by the web application of the service provider, or sent by email or sms).

  1. Check AUTHMODE_CHALLENGE_RESPONSE is supported by the key:
    1. Get the algorithm parameters (OTPGenerator.getAlgorithmParameters – will be an instance of OCRAParameters).
    2. Get the supported algorithm modes (AlgorithmParameters.getModes).
  2. Get the server OCRA suite – because the challenge comes from the server (OCRAParameters.getServerOcraSuite).
  3. Check whether PIN or session data are required (OCRASuite.isPinRequired, OCRA.isSessionRequired).
  4. If one or both are required, it is the application’s responsibility to get them.

  5. Compute the response (AsyncOTPGenerator.computeResponse).

Sample Challenge / Response on Android

Copy
// Get Device instance with default connection configuration
Device device = DeviceFactory.getDevice(ctx, null);
 
// Get all containers; here we assume there is only one
Container[] containers = device.findContainers(new Parameter[0]);
 
// Find keys for usage OTP; here we assume there is only one
// If more than one is configured, then label can be used to distinguish them
Parameter[] filter = new Parameter[]{new Parameter(SDKConstants.KEY_PROPERTY_USAGE, SDKConstants.KEY_PROPERTY_USAGE_OTP)};
Key[] keys = containers[0].findKeys(filter);
Key otpKey = keys[0];
 
// Get default OTP generator for this key.
// Here, we assume the generator is Asynchronous (OCRA algorithm)
AsyncOTPGenerator otpGenerator = (AsyncOTPGenerator)otpKey.getDefaultOTPGenerator();
 
// We assume the challenge/response mode is supported.
// We assume the PIN and session data are not required.
// We assume the OTP key is not password protected.
// Compute the response
InputOCRAParameters inputOcraParameters = new InputOCRAParameters(null, null);
char[] otp = asyncOTPGenerator.computeResponse(null,challenge,inputOcraParameters);
 

Signature Authentication

For this use case, the end user supplies a number of strings to concatenate in order to form a challenge client-side. For example, to sign a bank transaction, the bank portal might ask the end user to sign the:

  • Account number (“11223344”)
  • Amount (“100EUR”)
  • Beneficiary (“JohnDoe”)

The mobile application can use the SDK to format the challenge from these input strings (HIDAsyncOTPGenerator.formatSignatureChallenge) using the values (not the associated labels).

The SDK formats the challenge based on the server OCRA suite configured server-side, following OCRA Standalone Client Profile v1.0 (section 3.2.4, c, d and e).

The OTP generator computes the response based on this challenge.

Sample OCRA Signature on Android

Copy
// We assume the signature mode is supported.
// The end-user has filled the form, input strings are in inputStrings, array of char[]
// Format the challenge
char[] challenge = asyncOTPGenerator.formatSignatureChallenge(inputStrings);
 
// We assume the PIN and session data are not required.
// We assume the OTP key is not password protected.
// Compute the response
InputOCRAParameters inputOcraParameters = new InputOCRAParameters(null, null);
char[] otp = asyncOTPGenerator.computeSignature(null,challenge, null, inputOcraParameters);