OATH HOTP Hardware Authenticators

OATH HOTP is an event-based One-Time Password (OTP) authentication method. An event-based OTP is generated by combining an integer number, called a counter, with an OTP seed using the OATH HOTP algorithm. Each authenticator has its own counter and the Cloud Access Service (CAS) stores the last known counter value for each authenticator.

Administrators can assign OATH HOTP hardware authenticators to CAS users and manage authenticators in the Cloud Administration Console. The OATH HOTP OTP authentication is a two-factor authentication, where users enter a PIN (something the user knows) plus an OTP generated by the authenticator (something the user has).

Users can access and manage their OATH HOTP authenticators via My Page. They can either activate their assigned OATH HOTP authenticators or register them through My Page. During authentication, CAS validates the OTP and PIN, similar to other cloud-based authentication methods.

For instructions, see the following sections:

Obtain OATH HOTP Hardware Authenticator from a Manufacturer

Procedure 

  1. Request OATH HOTP hardware authenticators from a manufacturer. You need the OTP seed files.

  2. Decrypt the OTP seed files.

Configure Authentication Settings for Your Deployment

To configure settings that affect how OATH HOTP authenticators are used in your deployment, perform the following:

  • Set an assurance level for the OATH HOTP authentication method. For information, see Assurance Levels.

  • Allow users to register OATH HOTP authenticators via My Page. For information, see the "Set Up My Authenticators Settings" section on Manage My Page.

  • Configure CAS to automatically send a confirmation email to users after they register their OATH HOTP hardware authenticators. For information, see Configure Email Notifications.

Configure OATH HOTP Counter Drift

The OATH HOTP authentication method generates OTPs based on a counter and a secret seed. Each authenticator has its own counter, and CAS stores the last known counter value for each authenticator. During authentication, both the authenticator and CAS generate OTPs, and successful authentication occurs if the OTPs match. However, if a user generates OTPs on an authenticator but does not use them for authentication, the counter on the user's OATH HOTP authenticator advances while the counter on the CAS for that authenticator does not. This causes the counters to become unsynchronized, which is also known as "Counter Drift."

Administrators can set the acceptable level of "Counter Drift" for each of these windows:

  • Validation Window: CAS uses this window to check for OTP matches during authentication. Users need to enter only one OTP for successful authentication.

  • Inline Synchronization Window: This is the window in which, if an OTP matches, users will be prompted to perform an inline counter synchronization process. During this process, users need to enter two consecutive OTPs for successful authentication and counter synchronization.

  • Manual Synchronization Window: This window is used for manual counter synchronization that a user performs through My Page. It occurs when the counter on the user's OATH HOTP authenticator has drifted beyond the Inline Synchronization Window, preventing inline synchronization during the authentication process. Users exit the authentication process and manually synchronize their counters on My Page by entering two consecutive OTPs.

These windows determine the acceptable "Counter Drift" between the authenticator and CAS before corrective action is needed to maintain security.

Procedure 

  1. In the Cloud Administration Console, click Access > OATH OTP Authentication.

  2. Adjust the slider to decrease or increase the security level for each validation window, ranging from High Security to Low Security.

    Note:  The value of the Inline Sync Window must be greater than that of the Validation Window. Additionally, the value of the Manual Sync Window must be greater than the Inline Sync Window.

  3. Click Save.

Upload OATH HOTP OTP Seed Files to CAS

Procedure 

  1. In the Cloud Administration Console, click Users > Hardware Authenticators.

  2. In the Hardware Authenticator Actions drop-down list, select Upload OATH HOTP OTP Seeds.

  3. In the Manufacturer drop-down list, select a device manufacturer. If you choose Yubico, RSA/Swissbit, or Thales as the manufacturer, select a model in the Model drop-down list.

    Selecting Other is not recommended. If your device manufacturer is not listed, contact RSA Technical Support for assistance.

  4. In the OTP Digits drop-down list, select the number of digits in the OTPs generated when the OTP authenticators are seeded.

  5. In the Display drop-down list, select whether a display is available for showing the OTP. The Display value is set to Has LCD for the authenticator models that have an LED or other screen to display an OTP. The value is set to No LCD for the security key form factor authenticators. If the value in the Manufacturer drop-down list is set to Other, select the Display value manually.

  6. Select a value based on the hashing algorithm configured for the OTP seed when it was added. The available options are: SHA-1, SHA-256, and SHA-512.

  7. (Optional) In the FIDO Support, Smart Card Support, and FIPS 140 Certified fields, select one of these options: Yes, No, or Unspecified.

  8. (Optional) Enter the Firmware Version.

  9. Click Choose File and select the OTP seeds file you want to upload. The file must be in CSV format and contain the following values in this order: serial number, seed, and counter. The seed values must be encoded in Base32.

    If you selected Yubico as the manufacturer, the field Yubico CSV File Format appears. You have to specify the format as either Yubico Format or OATH Standard. Select Yubico Format if you are using pre-seeded or self-seeded YubiKeys.

  10. Click Upload.

Note:  If you plan to use OATH HOTP hardware authenticators that were previously ordered and shipped, make sure you have the decrypted authenticator seed files.

You can view the total number of the uploaded hardware authenticators and the total number of unassigned hardware authenticators on the Hardware Authenticators OTP Seed Management page.

To assign OATH HW authenticators to users, see Assign a Hardware Authenticator to a User on the Manage Users for Cloud Access Service page.
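The following Python is an added illustration, not RSA's code and not how CAS is actually implemented. It ties together the seed CSV format from step 9 (serial number, Base32 seed, counter), RFC 4226 HOTP generation with the SHA-1/SHA-256/SHA-512 choice made at upload, and a server-side verifier that applies a Validation Window and an Inline Synchronization Window to a drifted counter, rejecting replays and deferring anything beyond the inline window to manual synchronization. The serial number, the seed record, the window sizes, and the modelling of the stored counter as the next expected value are all constructed assumptions.

```python
import base64, csv, hashlib, hmac, io, struct

# Constructed seed record in the page's upload format (serial, Base32 seed, counter);
# the seed is the RFC 4226 test secret "12345678901234567890" in Base32.
SEED_CSV = "serial,seed,counter\n100001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,0\n"

def load_seeds(text):
    """Parse the seed CSV into {serial: (raw_seed_bytes, initial_counter)}."""
    return {r["serial"]: (base64.b32decode(r["seed"], casefold=True), int(r["counter"]))
            for r in csv.DictReader(io.StringIO(text))}

def hotp(seed, counter, digits=6, algo="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation.
    algo is sha1, sha256 or sha512, matching the hashing-algorithm choice made at upload."""
    mac = hmac.new(seed, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class HotpVerifier:
    """Server-side record: next expected counter plus the validation and inline-sync windows,
    each modelled (hypothetically) as a number of counter values ahead of the expected one."""
    def __init__(self, seed, counter, validation_window, inline_sync_window, **kw):
        assert inline_sync_window > validation_window  # same ordering rule as the page's note
        self.seed, self.counter, self.kw = seed, counter, kw
        self.validation_window, self.inline_sync_window = validation_window, inline_sync_window

    def _find(self, otp, start, stop):
        """Return the first counter in [start, stop) whose HOTP equals otp, else None."""
        for c in range(start, stop):
            if hmac.compare_digest(hotp(self.seed, c, **self.kw), otp):
                return c
        return None

    def verify(self, otp, second_otp=None):
        """Return 'ok', 'need_second_otp' or 'reject'; the counter only moves forward, so a replay is never accepted."""
        c = self._find(otp, self.counter, self.counter + self.validation_window)
        if c is not None:
            self.counter = c + 1
            return "ok"
        c = self._find(otp, self.counter + self.validation_window, self.counter + self.inline_sync_window)
        if c is None:
            return "reject"  # drifted past the inline window: manual sync on My Page
        if second_otp is None:
            return "need_second_otp"  # inline sync: ask for the next consecutive OTP
        if hmac.compare_digest(hotp(self.seed, c + 1, **self.kw), second_otp):
            self.counter = c + 2
            return "ok"
        return "reject"
```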

Distribute Authenticators to Users

Procedure 

  1. Send unassigned authenticators to users.

  2. Instruct users to go to My Page to register their authenticator and test authentication.

If preferred, you can assign authenticators to each user before distribution. Upon receiving their authenticators, users must go to My Page to activate the preregistered authenticators and test authentication.

Delete OATH HOTP Hardware Authenticators

After you delete an authenticator, it cannot be used for authentication.

Procedure 

  1. In the Cloud Administration Console, click Users > Hardware Authenticators.

  2. From the Hardware Authenticator Actions drop-down menu, select Delete OATH HOTP HW Authenticators.

  3. Select the Manufacturer and Model.

  4. Enter the serial number of the OATH OTP authenticator you want to delete and click Search. The matching result(s) will appear.

  5. Click Delete.

    This operation may take several minutes to complete, depending on how many authenticators are being deleted.

To manage users' OATH HOTP hardware authenticators, see Manage Users for Cloud Access Service.