Configuring an HOTP one-time password mechanism

The HOTP one-password mechanism relies on a public algorithm to generate the one-time password.

About this task

The HOTP client solution and the Security Access Manager use the same algorithm to generate the one-time password value. No interaction is required between the client software and the Security Access Manager solution. The algorithm uses a shared secret key and a counter to generate the one-time password value. Every time a new one-time password is generated, the counter value increments on both server and client solutions. No delivery of the one-time password is required.

This task describes the steps and properties for configuring a HOTP mechanism. For information about configuring other providers, see:

Note: When users attempt to log in using HOTP or TOTP and submit an incorrect one-time password, they receive one strike against their account. This strike remains on their account for a configurable duration. By default, the duration is 10 minutes. After that duration, the strike is removed from their account. When users submit multiple incorrect one-time passwords, they can reach a maximum and are then prevented from making another attempt until one of their strikes expires. By default, the maximum is 5. If the users log in successfully, any strikes on their account are cleared. Strikes are shared between TOTP and HOTP. For example, if the users made two incorrect attempts using TOTP, those strikes count against them on HOTP as well. Because user retries affect only TOTP and HOTP logins, users who exceeded password attempt using those logins can still use other OTP provider logins or basic username/password authentication. You can modify the password retry settings through the Advanced Configuration settings in the local management interface. For more information, see Managing advanced configuration.

Procedure

Log in to the local management interface.
Click Secure Mobile Settings.
Under Policy, click Authentication.
Click Mechanisms.
Click HOTP One-time Password.
Click .
Click the Properties tab.
1. Select a property that you want to configure.
2. Click .
3. Enter the value for that property.
4. Click OK.
Take note of the properties for the mechanism.
HOTP
Max Counter Lookahead

The number of times to increment the counter to see whether the one-time password is valid before stopping. Any non-negative number is valid.
The default is 25.

Password Length

The length of the generated one-time passwords, which can be 6 - 9 characters or numbers.
The default is 6.

Generation Algorithm
The algorithm that is used to generate the one-time password. Valid options include the following algorithms:
HmacSHA1

HmacSHA256

HmacSHA512

The default is HmacSHA1.
Secret key URL
The URL that is used to deliver the secret key. The QR code is also generated using this URL. The URL format might include information specific to your environment, such as your company name.

The default URL is:
otpauth://hotp/Example:@USER_NAME@?secret=@SECRET_KEY@&issuer= Example&counter=0
The URL uses two macros. Place these macros in the URL wherever their corresponding values belong.
@SECRET_KEY@

The secret key.

@USER_NAME@

The user name of the authorized user who logs in.

Attention: You must change this URL to the appropriate URL for your environment. For example:
otpauth://hotp/Example:sec_master?secret=4W7O6TZGEZKN5PUY &issuer=Example&counter=0
Secret key attribute name

The attribute name that is used for storage of the HOTP secret key in the database.
Data type: String

Example: otp.hmac.hotp.secret.key

Secret key attribute namespace

The attribute namespace of the HOTP secret key. The namespace in combination with the attribute name constitutes the unique identifier for the attribute in the database.
Data type: String

Example: urn:ibm:security:otp:hmac
Click Save.

What to do next

When you configure the mechanism, a message indicates that changes are not deployed. Deploy changes when you are finished. For more information, see Deploying pending changes.