OTP Generation

View this page for | |

Once the keys are provisioned, the device is ready to generate One-Time Passwords. OTPs are typically used to authenticate an end user to an application that delegates authentication to the HID authentication platform.

OTP Generation Workflow

The HID Approve SDK supports the following synchronous OTP algorithms:

  • HOTP (RFC 4226 HMac-Based One-Time Password Algorithm)
  • TOTP (RFC 6238 Time-Based One-Time Password Algorithm)

It also supports the following asynchronous (challenge/response) algorithm:

  • OCRA (RFC 6287 OATH Challenge-Response Algorithm)
Note: An OTP can be generated while the mobile device is offline (that is, without an internet connection).

Synchronous OTP Generation

The mobile application generates an OTP as follows:

  1. Create an instance of the Device (HIDDeviceFactory.newInstance).
  2. Get the instance of the Container (HIDDevice.findContainers).
  3. Find the key with usage HIDKEY_PROPERTY_USAGE_OTP (HIDContainer.findKeys).
  4. Check if the protection policy is a password policy, and prompt the user as required (HIDKey.getProtectionPolicy).
  5. Get the OTP generator (HIDKey.getDefaultOTPGenerator).
  6. Verify it is a HIDSyncOTPGenerator and get the OTP (HIDSyncOTPGenerator.getOTP).

Sample OTP Generation on iOS (Objective-C)

Copy 
OTP Sample
// Get Device instance with default connection configuration
NSError* error;
HIDConnectionConfiguration* connectionConfig = [[HIDConnectionConfiguration alloc]init];
id<HIDDevice> pDevice = [[HIDDeviceFactory alloc] newInstance:connectionConfig error:&error];

// Get first container (we assume there is only one)
NSMutableArray* filterContainers = [[NSMutableArray alloc] init];
NSArray* pContainers = [pDevice findContainers:filterContainers error:&error];
id<HIDContainer> pContainer = [pContainers objectAtIndex:0];

// Find keys for usage OTP; here we assume there is only one
// If more than one is configured, then label can be used to distinguish them
NSMutableArray* filter = [[NSMutableArray alloc] init];
[filter addObject:[HIDParameter parameterWithString:HID_KEY_PROPERTY_USAGE_OTP forKey:HID_KEY_PROPERTY_USAGE]];
NSArray* keys = [pContainer findKeys:filter error:&error];
id<HIDKey> pKey = [keys objectAtIndex:0];

// Get default OTP generator for this key.
id<HIDOTPGenerator> pOTPGenerator = [pKey getDefaultOTPGenerator:&error];

// Get the next OTP.
// We assume the generator is Synchronous (HOTP or TOTP algorithms)
// We assume the key is not password protected (password null)
NSString* otp = [((id<HIDSyncOTPGenerator>)pOTPGenerator) getOTP:nil error:&error];

Challenge / Response Authentication

For now, only OCRA algorithm is supported. The algorithm provides mechanisms that leverage the HOTP algorithm and offer one-way and electronic signature capabilities (these are called algorithm modes).

Refer to RFC 6287 for further details. This section only describes how to handle the two algorithm modes for authentication with the HID Approve SDK.

Note: Only one-way authentication and signature algorithm modes are supported by the SDK. The modes are configured in the HID authentication platform in the credential type.

Getting Asynchronous OTP Generator

  1. Regardless of the algorithm mode, the first operation is to get the HIDAsyncOTPGenerator instance (see code snippets for synchronous OTP generation above).
  2. Create an instance of the Device (HIDDeviceFactory.getDevice).
  3. Get the instance of the Container (HIDDevice.findContainers).
  4. Find the key with usage HIDKEY_PROPERTY_USAGE_OTP (HIDContainer.findKeys).
  5. Check if the protection policy is a password policy, and prompt the user as required (HIDKey.getProtectionPolicy).
  6. Get the OTP generator (HIDKey.getDefaultOTPGenerator).
  7. Verify it is a HIDAsyncOTPGenerator.

One-Way Authentication

For this use case, the OTP generator computes a response from a challenge provided by the authentication server (typically, the challenge is displayed by the web application of the service provider, or sent by email or sms).

  1. Check HIDAUTHMODE_CHALLENGE_RESPONSE is supported by the key:
    1. Get the algorithm parameters (HIDOTPGenerator.getAlgorithmParameters – will be an instance of HIDOCRAParameters).
    2. Get the supported algorithm modes (HIDOCRAAlgorithmParameters.getModes).
  2. Get the server OCRA suite – because the challenge comes from the server (HIDOCRAParameters.getServerOcraSuite).
  3. Check whether PIN or session data are required (HIDOCRASuite.isPinRequired, HIDOCRA.isSessionRequired).

    4. If one or both are required, it is the application’s responsibility to get them.

  4. Compute the response (HIDAsyncOTPGenerator.computeResponse).

Sample Challenge / Response on iOS (Objective-C)

Copy 
// Get Device instance with default connection configuration
NSError* error;
HIDConnectionConfiguration* connectionConfig = [[HIDConnectionConfiguration alloc]init];
id<HIDDevice> pDevice = [[HIDDeviceFactory alloc] newInstance:connectionConfig error:&error];

// Get all containers; here we assume there is only one
NSMutableArray* filterContainers = [[NSMutableArray alloc] init];
NSArray* pContainers = [pDevice findContainers:filterContainers error:&error];
id<HIDContainer> pContainer = [pContainers objectAtIndex:0];

// Find keys for usage OTP; here we assume there is only one
// If more than one is configured, then label can be used to distinguish them
NSMutableArray* filter = [[NSMutableArray alloc] init];
[filter addObject:[HIDParameter parameterWithString:HID_KEY_PROPERTY_USAGE_OTP forKey:HID_KEY_PROPERTY_USAGE]];
NSArray* keys = [pContainer findKeys:filter error:&error];
id<HIDKey> pKey = [keys objectAtIndex:0];

// Get default OTP generator for this key.
// Here, we assume the generator is Asynchronous (OCRA algorithm)
id<HIDAsyncOTPGenerator> pOTPGenerator = (id<HIDAsyncOTPGenerator>)[pKey getDefaultOTPGenerator:&error];

// We assume the challenge/response mode is supported.
// We assume the PIN and session data are not required.
// We assume the OTP key is not password protected.
// Compute the response
HIDOCRAInputAlgorithmParameters *inputOcraParameters = [[HIDOCRAInputAlgorithmParameters alloc]init];
NSString* otp = [asyncOtpGenerator computeResponse:nil withChallenge:challenge withInputParams: inputOcraParameters error:&error];

Signature Authentication

For this use case, the end user supplies a number of strings to concatenate in order to form a challenge client-side. For example, to sign a bank transaction, the bank portal might ask the end user to sign the:

  • Account number (“11223344”)
  • Amount (“100EUR”)
  • Beneficiary (“JohnDoe”)

The mobile application can use the SDK to format the challenge from these input strings (HIDAsyncOTPGenerator.formatSignatureChallenge) using the values (not the associated labels).

The SDK formats the challenge based on the server OCRA suite configured server-side, following OCRA Standalone Client Profile v1.0 (section 3.2.4, c, d and e).

The OTP generator computes the response based on this challenge.

Sample OCRA Signature on iOS (Objective-C)

Copy 
// We assume the signature mode is supported.
// The end-user has filled the form, input strings are in inputStrings, NSArray of NSString
// Format the challenge
NSString* challenge = [asyncOTPGenerator formatSignatureChallenge:inputStrings error:&error];
 
// We assume the PIN and session data are not required.
// We assume the OTP key is not password protected.
// Compute the response
HIDOCRAInputAlgorithmParameters *inputOcraParameters = [[HIDOCRAInputAlgorithmParameters alloc]init];
NSString* otp = [asyncOtpGenerator computeSignature:nil withSigChallenge:challenge withClientChallenge:nil withInputParams: inputOcraParameters error:&error];