OTP Generation

View this page for | |

Once the keys are provisioned, the device is ready to generate One-Time Passwords. OTPs are typically used to authenticate an end user to an application that delegates authentication to the HID authentication platform.

OTP Generation Workflow

The HID Approve SDK supports the following synchronous OTP algorithms:

  • HOTP (RFC 4226 HMac-Based One-Time Password Algorithm)
  • TOTP (RFC 6238 Time-Based One-Time Password Algorithm)

It also supports the following asynchronous (challenge/response) algorithm:

  • OCRA (RFC 6287 OATH Challenge-Response Algorithm)
Note: An OTP can be generated while the mobile device is offline (that is, without an internet connection).

Synchronous OTP Generation

The mobile application generates an OTP as follows:

  1. Create an instance of the Device (DeviceFactory.GetDevice).
  2. Get the instance of the Container (IDevice.FindContainers).
  3. Find the key with usage KEY_PROPERTY_USAGE_OTP (IContainer.FindKeys).
  4. Check if the protection policy is a password policy, and prompt the user as required (IKey.GetProtectionPolicy).
  5. Get the OTP generator (IKey.GetDefaultOTPGenerator).
  6. Verify it is a ISyncOTPGenerator and get the OTP (ISyncOTPGenerator.GetOTP).

Sample OTP Generation on Windows (C#)

Copy 
// We assume that you have already provisioned a container with otp keys
var connectionConfiguration = new ConnectionConfiguration();

// Get Device instance with default connection configuration
var device = await DeviceFactory.GetDevice(connectionConfiguration);

// Get all containers; here we assume there is only one
IList<IContainer> containers = await device.FindContainers(null);

// Find keys for usage OTP; here we assume there is only one
// If more than one is configured, then label can be used to distinguish them
IList<Parameter> filter = new List<Parameter>() { new Parameter(Constants.KEY_PROPERTY_USAGE, Constants.KEY_PROPERTY_USAGE_OTP) };
IList<IKey> keys = await containers[0].FindKeys(filter);
IKey otpKey = keys[0];

// Get default OTP generator for this key.
IOTPGenerator otpGenerator = await otpKey.GetDefaultOTPGenerator();

// Get the next OTP.
// We assume the generator is Synchronous (HOTP or TOTP algorithms)
// We assume the key is not password protected (password null)
char[] nextOtp = await (otpGenerator as ISyncOTPGenerator).GetOtp(myPassword);

Challenge / Response Authentication

For now, only OCRA algorithm is supported. The algorithm provides mechanisms that leverage the HOTP algorithm and offer one-way and electronic signature capabilities (these are called algorithm modes).

Refer to RFC 6287 for further details. This section only describes how to handle the two algorithm modes for authentication with the HID Approve SDK.

Note: Only one-way authentication and signature algorithm modes are supported by the SDK. The modes are configured in the HID authentication platform in the credential type.

Getting Asynchronous OTP Generator

  1. Regardless of the algorithm mode, the first operation is to get the IAsyncOTPGenerator instance (see code snippets for synchronous OTP generation above).
  2. Create an instance of the Device (DeviceFactory.GetDevice).
  3. Get the instance of the Container (IDevice.FindContainers).
  4. Find the key with usage KEY_PROPERTY_USAGE_OTP (IContainer.FindKeys).
  5. Check if the protection policy is a password policy, and prompt the user as required (Key.getProtectionPolicy).
  6. Get the OTP generator (IKey.GetDefaultOTPGenerator).
  7. Verify it is a IAsyncOTPGenerator.

One-Way Authentication

For this use case, the OTP generator computes a response from a challenge provided by the authentication server (typically, the challenge is displayed by the web application of the service provider, or sent by email or sms).

  1. Check AUTHMODE_CHALLENGE_RESPONSE is supported by the key:
    1. Get the algorithm parameters (IOTPGenerator.GetAlgorithmParameters – will be an instance of OCRAParameters).
    2. Get the supported algorithm modes (AlgorithmParameters.GetModes).
  2. Get the server OCRA suite – because the challenge comes from the server (OCRAParameters.GetServerOcraSuite).
  3. Check whether PIN or session data are required (OCRASuite.IsPinRequired, OCRA.IsSessionRequired).

    4. If one or both are required, it is the application’s responsibility to get them.

  4. Compute the response (IAsyncOTPGenerator.ComputeResponse).

Sample Challenge / Response on Windows (C#)

Copy 
// Get default OTP generator for this key.
IOTPGenerator asyncOTPGenerator = await otpKey.GetDefaultOTPGenerator();


// With an ocra algorithm, inputs data depends of the algorithm used.
// You can get parameters specific to the generator and key.
// The type of parameters depends on the generator name
Debug.WriteLine("Generator name: " + asyncOTPGenerator.GetName());
Debug.WriteLine("Generator type: " + asyncOTPGenerator.GetType());


OCRAParameters ocraParameters = (OCRAParameters)await asyncOTPGenerator.GetAlgorithmParameters();

// Get the authentication modes supported from parameters
Debug.WriteLine("Generator modes: " + ocraParameters.Modes);

// We assume the challenge/response mode is supported.
// We assume the OTP key is not password protected. ( password null )

// Check if pin or session is required and set it in InputOCRAParameters if so
// You can validate the server challenge against the expected format
OCRASuite ocraSuite = ocraParameters.ServerOcraSuite;

// Check if pin or session is required and set it in InputOCRAParameters if so
char[] pin = null;
char[] session = null;
if (ocraSuite.IsPinRequired) pin = "some pin".ToCharArray();
if (ocraSuite.IsSessionRequired) session = "some session data".ToCharArray();
InputOCRAParameters inputOcraParameters = new InputOCRAParameters(pin, session);

// Get the next OTP.
// We assume the generator is Synchronous (HOTP or TOTP algorithms)
// We assume the key is not password protected (password null)
char[] otp = await (asyncOTPGenerator as IAsyncOTPGenerator).ComputeResponse(myPassword, "Challenge_provided".ToCharArray(), inputOcraParameters);

Signature Authentication

For this use case, the end user supplies a number of strings to concatenate in order to form a challenge client-side. For example, to sign a bank transaction, the bank portal might ask the end user to sign the:

  • Account number (“11223344”)
  • Amount (“100EUR”)
  • Beneficiary (“JohnDoe”)

The mobile application can use the SDK to format the challenge from these input strings (HIDAsyncOTPGenerator.formatSignatureChallenge) using the values (not the associated labels).

The SDK formats the challenge based on the server OCRA suite configured server-side, following OCRA Standalone Client Profile v1.0 (section 3.2.4, c, d and e).

The OTP generator computes the response based on this challenge.

Sample OCRA Signature on Windows (C#)

Copy 
// We assume the signature mode is supported.
// We assume the OTP key is not password protected. ( password null )
// We assume required parameter set :
InputOCRAParameters inputOcraParameters = new InputOCRAParameters(pin, session);

char[][] inputStrings = new char[][] { INPUT1, INPUT2, INPUT3 };
// The end-user has filled the form, input strings are in inputStrings, array of char[]
// Format the challenge
char[] challenge = await (asyncOTPGenerator as IAsyncOTPGenerator).FormatSignatureChallenge(inputStrings);


// Compute the signature for one-way or two-way signature. For one-way signature, clientChallenge is empty.
char[] otp = await (asyncOTPGenerator as IAsyncOTPGenerator).ComputeSignature(myPassword, challenge, null, inputOcraParameters);