The HOTP one-time password mechanism relies on a public algorithm
(HMAC-based One-Time Password, RFC 4226) to generate the one-time password.
About this task
The HOTP client (for example a hardware token or an authenticator
app) and Security Access Manager use the same algorithm to generate
the one-time password value, so no interaction is required between
the client software and Security Access Manager. The algorithm derives
the one-time password value from a shared secret key and a counter.
Every time a new one-time password is generated, the counter value
increments on both the client and the server, which keeps the two
sides in step. Because the client computes the value itself, no
delivery of the one-time password to the user is required.
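The following is an added example of the shared-secret-plus-counter scheme described above; it is not code from Security Access Manager or from any HOTP client product. It implements RFC 4226 HOTP (HMAC-SHA1, dynamic truncation, six digits) and pairs a client that increments its counter on every generated value with a server that advances its own counter only when a value is accepted. The `look_ahead` window on the server side is an assumption taken from RFC 4226 section 7.4, to tolerate values the client generated but never submitted; set it to 0 for strict lock-step. The secret is the RFC 4226 test-vector key and is constructed for the demo, not a real credential.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation of the MAC, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class HotpClient:
    """Client side: holds the shared secret and its own counter, which
    increments every time a value is generated, whether or not it is used."""

    def __init__(self, secret: bytes, counter: int = 0) -> None:
        self.secret = secret
        self.counter = counter

    def next_otp(self) -> str:
        otp = hotp(self.secret, self.counter)
        self.counter += 1
        return otp


class HotpServer:
    """Server side: same secret, its own counter, and a look-ahead window
    (assumed here, after RFC 4226 section 7.4) so that client values that
    were generated but never submitted do not desynchronise the two sides."""

    def __init__(self, secret: bytes, counter: int = 0, look_ahead: int = 0) -> None:
        self.secret = secret
        self.counter = counter
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        for step in range(self.look_ahead + 1):
            candidate = self.counter + step
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                # Advance past the accepted counter: the same value, and any
                # value for an earlier counter, can never be accepted again.
                self.counter = candidate + 1
                return True
        return False


# Constructed demo secret: the RFC 4226 test-vector key, not a real credential.
DEMO_SECRET = b"12345678901234567890"


def demo() -> list:
    """Client and server start in step; a replayed value is rejected."""
    client = HotpClient(DEMO_SECRET)
    server = HotpServer(DEMO_SECRET, look_ahead=2)
    first = client.next_otp()
    return [
        server.verify(first),              # True: counters in step
        server.verify(first),              # False: replay of a used counter
        server.verify(client.next_otp()),  # True: next counter value
    ]


if __name__ == "__main__":
    print(demo())
```

The constant-time comparison matters because the submitted value is attacker-controlled; the server counter must be persisted after every accepted value, otherwise a restart reopens replay of the last accepted one-time password.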
This task describes the steps and properties for
configuring a HOTP mechanism. For information about configuring other
providers, see:
Note: When users attempt to log in using HOTP or TOTP and submit
an incorrect one-time password, they receive one strike against their
account. Each strike remains on the account for a configurable duration
(10 minutes by default) and is then removed. If users submit enough
incorrect one-time passwords to reach the configured maximum (5 by
default), they are prevented from making another attempt until one of
their strikes expires. A successful login clears all strikes on the
account. Strikes are shared between TOTP and HOTP: two incorrect TOTP
attempts also count against the user's HOTP attempts. Because the
retry limit applies only to TOTP and HOTP logins, users who exceed it
can still authenticate with other OTP providers or with basic
username/password authentication. You can modify the password retry
settings through the Advanced Configuration settings in the local
management interface. For more information, see
Managing advanced configuration.
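The following is an added example that models the strike behaviour described in the note; it is not Security Access Manager's own implementation, and the class, method and provider names (`OtpStrikeTracker`, `login_attempt`, "totp", "hotp", "email_otp") are assumptions for illustration. It shows the points a practitioner usually gets wrong: strikes expire one at a time rather than as a block, TOTP and HOTP draw on the same pool, a success clears the pool, and providers other than TOTP/HOTP are never gated. The clock is injectable so the expiry behaviour can be exercised without waiting 10 minutes.

```python
import time
from collections import deque

# Only these providers carry strikes; other OTP providers and password
# login are not affected by the retry limit. Names are assumed.
OTP_PROVIDERS_WITH_STRIKES = {"totp", "hotp"}


class OtpStrikeTracker:
    """Strikes are per user, shared across TOTP and HOTP, expire individually
    after `strike_ttl` seconds, and are all cleared by a successful login."""

    def __init__(self, max_strikes: int = 5, strike_ttl: float = 600.0,
                 clock=time.monotonic) -> None:
        self.max_strikes = max_strikes
        self.strike_ttl = strike_ttl
        self.clock = clock          # injectable so tests can move time forward
        self._expiries = {}         # user -> deque of strike expiry times, oldest first

    def _live(self, user: str) -> deque:
        """Drop strikes whose duration has elapsed and return the rest."""
        q = self._expiries.setdefault(user, deque())
        now = self.clock()
        while q and q[0] <= now:
            q.popleft()
        return q

    def can_attempt(self, user: str, provider: str) -> bool:
        """Only TOTP/HOTP logins are gated by the strike count."""
        if provider not in OTP_PROVIDERS_WITH_STRIKES:
            return True
        return len(self._live(user)) < self.max_strikes

    def record_failure(self, user: str, provider: str) -> int:
        """Add one strike (shared pool) and return the live strike count."""
        if provider not in OTP_PROVIDERS_WITH_STRIKES:
            raise ValueError("strikes are only tracked for TOTP and HOTP")
        q = self._live(user)
        q.append(self.clock() + self.strike_ttl)
        return len(q)

    def record_success(self, user: str) -> None:
        """A successful login clears every strike on the account."""
        self._expiries.pop(user, None)

    def seconds_until_retry(self, user: str) -> float:
        """0.0 if the user may try now; otherwise time until the oldest strike expires."""
        q = self._live(user)
        if len(q) < self.max_strikes:
            return 0.0
        return q[0] - self.clock()


def login_attempt(tracker: OtpStrikeTracker, user: str, provider: str,
                  otp_correct: bool) -> str:
    """Returns 'locked', 'ok' or 'failed'. `otp_correct` stands in for the
    actual OTP check so the strike logic can be exercised on its own."""
    if not tracker.can_attempt(user, provider):
        return "locked"
    if otp_correct:
        tracker.record_success(user)
        return "ok"
    if provider in OTP_PROVIDERS_WITH_STRIKES:
        tracker.record_failure(user, provider)
    return "failed"


if __name__ == "__main__":
    tracker = OtpStrikeTracker()
    for provider in ("totp", "totp", "hotp", "hotp", "hotp"):
        print(provider, login_attempt(tracker, "alice", provider, False))
    print("totp", login_attempt(tracker, "alice", "totp", True))     # locked
    print("email_otp", tracker.can_attempt("alice", "email_otp"))   # True
    print("retry in", round(tracker.seconds_until_retry("alice")), "s")
```

Note that a locked user is told nothing about whether the submitted value was correct: `login_attempt` refuses before checking, so the lockout window cannot be used as an oracle.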
What to do next
When you configure the mechanism, a message indicates that
changes are not deployed. Deploy changes when you are
finished. For more information, see
Deploying pending changes.