PhenixID OTP Administration

PhenixID OTP Administration is a tool used by administrators managing PINs and tokens on behalf of other users.

The following user attributes can be searched/managed:

  • Username (search only)
  • First name
  • Last name
  • Email
  • Mobile

The following token types are supported:

  • Prefetch tokens (list of static OTPs assigned to a user)
  • Software tokens (PhenixID Pocket Pass, Google Authenticator, etc.)
  • Hardware tokens (OATH)
  • PhenixID One Touch

Configuration

User store connection

Connection to the LDAP service containing the users to manage. Create a new connection or select an existing one.

LDAP search settings

  • Search base: The search base to use when searching for users. Used for both authentication and searching for users to manage.
  • User identifier attribute: LDAP attribute uniquely identifying users. Used for authentication and search.
  • Administrator role detection attribute: Attribute used for administrator role detection. If not specified, all users in the configured store can use the application (not recommended).
  • Administrator role detection value: Value used for administrator role detection.

Administrator role detection attribute and value are used for creating a search filter matching administrators only.
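The following added example (not PhenixID's own code) shows the kind of filter the two role detection settings imply, and why the user-supplied login name must be escaped before it is placed in the filter. Attribute names and the group DN are assumed placeholders.

```python
from typing import Optional


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a login name such as '*)(uid=*' would change the meaning of
    the filter instead of being matched literally.
    """
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def admin_auth_filter(username: str, user_id_attr: str,
                      role_attr: Optional[str], role_value: Optional[str]) -> str:
    """Search filter used when an administrator logs in to the tool.

    With a role detection attribute and value configured, only entries that
    carry that value are returned. With no role attribute configured the
    filter matches on the identifier alone, so every user in the store can
    log in, which is the case the page marks as not recommended.
    """
    user_term = "(%s=%s)" % (user_id_attr, escape_ldap_filter_value(username))
    if not role_attr:
        return user_term
    role_term = "(%s=%s)" % (role_attr, escape_ldap_filter_value(role_value or ""))
    return "(&%s%s)" % (user_term, role_term)
```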

Attribute settings

Select which user attributes to include in search and edit, and select or specify the attribute names.

  • Username (Attribute name specified in LDAP search settings)
  • First name
  • Last name
  • Mail
  • Mobile

Features

Features can be enabled/disabled by configuration.

PIN

PINs are 4-digit codes used to add extra security when authenticating users. PINs are often used in combination with OTPs.

Configuration

  • Attribute: the LDAP attribute in which the PIN is stored. The PIN is stored in this attribute as a salted hash.

Note: To use PINs, you need to enable PIN support in your authentication guide(s).

Prefetch OTP

Prefetch OTPs are OTPs generated and distributed in advance to a user.

OTPs are generated in a batch and the same validity time applies for all OTPs in a batch. A user can only have one batch of OTPs assigned at a given time.

The list of prefetch OTPs can be printed or sent to the user by email or SMS.

OTPs can be revoked at any time.

Configuration

  • OTP length: the number of digits in each generated OTP. Any length is allowed; longer OTPs are harder to guess.
  • Number of OTPs: Number of OTPs to generate in a batch.
  • Require OTPs to be used in the defined order: Enable/disable the requirement to use the OTPs in the order they are defined in the batch.
  • Number of days OTPs are valid: The number of days the generated OTPs are valid and can be used for authentication.
  • Enable SMS: Enable/disable support for distributing OTPs to users via SMS *
  • Enable mail: Enable/disable support for distributing OTPs to users via mail *

*) Requires the Messaging module; it will be configured if not already present.
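As an added illustration (not PhenixID's code) of how the prefetch OTP settings above interact at validation time, this batch model applies the configured length, count, shared validity period, the optional ordered-use requirement, single use per OTP and whole-batch revocation. The `codes` argument exists only so fixed values can be injected for testing.

```python
import secrets
import time
from typing import List, Optional


class PrefetchBatch:
    """One batch of prefetch OTPs for one user; a user holds at most one batch."""

    def __init__(self, otp_length: int, count: int, valid_days: int, ordered: bool,
                 now: Optional[int] = None, codes: Optional[List[str]] = None):
        now = int(time.time()) if now is None else now
        # One validity period applies to the whole batch.
        self.expires_at = now + valid_days * 86400
        self.ordered = ordered
        # Digits come from the CSPRNG; 'codes' is only for injecting test values.
        self.codes = codes or [
            "".join(secrets.choice("0123456789") for _ in range(otp_length))
            for _ in range(count)
        ]
        self.used = [False] * len(self.codes)
        self.revoked = False

    def revoke(self) -> None:
        """Revocation invalidates every remaining OTP in the batch at once."""
        self.revoked = True

    def verify(self, otp: str, now: Optional[int] = None) -> bool:
        """Consume 'otp' if it is an unused, unexpired code of this batch."""
        now = int(time.time()) if now is None else now
        if self.revoked or now > self.expires_at or not otp.isascii():
            return False
        for i, code in enumerate(self.codes):
            if self.used[i]:
                continue
            if secrets.compare_digest(code, otp):
                self.used[i] = True      # each OTP is single-use
                return True
            if self.ordered:
                return False             # only the next unused code is acceptable
        return False
```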

Software tokens

Assign and revoke end user software tokens such as PhenixID Pocket Pass and Google Authenticator, used for multi-factor authentication.

In the current version only time-based, 6-digit OTPs are supported.

Configuration

  • Base URL: The base URL for token provisioning. See Provisioning below for details.
  • Issuer: Display name of token issuer. Visible in token application. Use your organisation name.
  • Validity days: The number of days the token is valid and can be used for authentication.
  • Enable SMS: Enable/disable support for distributing token activation URLs to users via SMS *
  • Enable mail: Enable/disable support for distributing token activation URLs to users via mail *

*) Requires the Messaging module; it will be configured if not already present.

Provisioning

Tokens are provisioned by sending an activation URL to the user (mail) or to the device (SMS). This URL must point back to the actual PhenixID server running the OTP Administration module. During configuration the guide tries to determine which address and port to use. If your PhenixID server is directly reachable by user devices, there is most likely no reason to change this URL (as long as it does not say localhost/127.0.0.1), but if your server is located in a DMZ, behind a firewall, load balancer or reverse proxy, you must change the base URL to one reachable by user devices that ends up at '/otpadmin/otpadmin/provision/otpauth/'. Note that this is a base URL; additional paths and attributes will be appended.

Example: If your PhenixID server is running on a private DMZ network listening on 10.0.1.123:8080 and you have a reverse proxy reachable by user devices listening on otp.company.org:80, you must configure a URL (for example /extpath/) on the reverse proxy that forwards to '10.0.1.123:8080/otpadmin/otpadmin/provision/otpauth/'. In this case you should set the following base URL: http://otp.company.org/extpath/
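The following added example (not PhenixID's code) ties the Base URL, Issuer and "time-based, 6-digit" settings together: a sanity check for the configured base URL, the otpauth key URI that apps such as Google Authenticator import (the issuer being what the app displays), and the RFC 6238 computation the server must perform to validate the resulting code. The exact URI the provisioning endpoint serves is assumed to follow the common otpauth convention; the page does not show it.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlparse


def base_url_is_reachable(base_url: str) -> bool:
    """Sanity check for the 'Base URL' setting (assumed rules): absolute http(s),
    a host that is not loopback (devices would dial themselves), and a trailing
    slash so the appended provisioning paths join correctly."""
    u = urlparse(base_url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return False
    if u.hostname in ("localhost", "127.0.0.1", "::1"):
        return False
    return base_url.endswith("/")


def otpauth_uri(issuer: str, account: str, secret: bytes,
                digits: int = 6, period: int = 30) -> str:
    """Key URI in the otpauth scheme that authenticator apps import.
    The issuer parameter and label prefix are what the app shows the user."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote("%s:%s" % (issuer, account), safe="")
    return ("otpauth://totp/%s?secret=%s&issuer=%s&algorithm=SHA1&digits=%d&period=%d"
            % (label, b32, quote(issuer, safe=""), digits, period))


def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code the app displays for a given time,
    which the server recomputes to validate the 6-digit OTP."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)
```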

Hardware tokens

Assign and revoke end user hardware (physical) tokens used for multi-factor authentication.

Requires a hardware token manager to be configured. It will be configured if not already present.

One Touch

Enable enrollment of One Touch tokens. Requires One Touch to be configured.