Configure an HOTP one-time password mechanism

The HOTP one-password mechanism relies on a public algorithm to generate the one-time password.

The HOTP client solution and Security Verify Access use the same algorithm to generate the one-time password value. No interaction is required between the client software and the Security Verify Access solution. The algorithm uses a shared secret key and a counter to generate the one-time password value. Every time a new one-time password is generated, the counter value increments on both server and client solutions. No delivery of the one-time password is required. This task describes the steps and properties for configuring a HOTP mechanism. For information about configuring other providers, see:

• Configure a MAC one-time password mechanism
• Configure a TOTP one-time password mechanism
• Configure an RSA one-time password mechanism

When users attempt to log in using HOTP or TOTP and submit an incorrect one-time password, they receive one strike against their account. This strike remains on their account for a configurable duration. By default, the duration is 10 minutes. After that duration, the strike is removed from their account. When users submit multiple incorrect one-time passwords, they can reach a maximum and are then prevented from making another attempt until one of their strikes expires. By default, the maximum is 5. If the users log in successfully, any strikes on their account are cleared. Strikes are shared between TOTP and HOTP. For example, if the users made two incorrect attempts using TOTP, those strikes count against them on HOTP as well. Because user retries affect only TOTP and HOTP logins, users who exceeded password attempt using those logins can still use other OTP provider logins or basic username/password authentication. We can modify the password retry settings through the Advanced Configuration settings in the local management interface. For more information, see Manage advanced configuration.

Steps

1. Log in to the local management interface.
2. Click AAC.
3. Under Policy, click Authentication.
4. Click Mechanisms.
5. Click HOTP One-time Password.
6. Click .
7. Click the Properties tab.
   1. Select a property that we want to configure.
   2. Click .
   3. Enter the value for that property.
   4. Click OK.

8. Take note of the properties for the mechanism.

   HOTP

   Max Counter Lookahead

   The number of times to increment the counter to see whether the one-time password is valid before stopping. Any non-negative number is valid.

   The default is 25.

   Password Length

   The length of the generated one-time passwords, which can be 6 - 9 characters or numbers.

   The default is 6.

   Generation Algorithm

   The algorithm used to generate the one-time password. Valid options include the following algorithms:

   • HmacSHA1
   • HmacSHA256
   • HmacSHA512

   The default is HmacSHA1.

   Secret key URL

   The URL used to deliver the secret key. The QR code is also generated using this URL. The URL format might include information specific to the environment, such as company name. The default URL is:

   otpauth://hotp/Example:@USER_NAME@?secret=@SECRET_KEY
   @&issuer=Example&counter=0

   The URL supports the following macros and may be positioned wherever their corresponding values belong.

   @SECRET_KEY@

   The secret key.

   @USER_NAME@

   The user name of the authorized user who logs in.

   @ALGORITHM@

   The one-time password generation algorithm.

   @DIGITS@

   The one-time password length.

   A secret key URL example to utilize all macros is:

   otpauth://hotp/Example:@USER_NAME@?secret=@SECRET_KEY@&issuer=Example
   &counter=0&algorithm=@ALGORITHM@&digits=@DIGITS@

   Secret key attribute name

   The attribute name used for storage of the HOTP secret key in the database.

   Data type: String

   Example: otp.hmac.hotp.secret.key

   Secret key attribute namespace

   The attribute namespace of the HOTP secret key. The namespace in combination with the attribute name constitutes the unique identifier for the attribute in the database.

   Data type: String

   Example: urn:ibm:security:otp:hmac

9. Click Save.

What to do next

When we configure the mechanism, a message indicates that changes are not deployed. Deploy changes when you are finished. For more information, see Deploying pending changes.

Parent topic: Authentication