Authenticator App


Authenticator apps (e.g. Google Authenticator) are a popular way to use 6-digit One-Time Passcodes for multi-factor authentication. LoginTC supports the enrollment of software tokens in authenticator apps. This means that organizations that already have such an app deployed can continue to use it without having to deploy a new smartphone app.

Professional, Business or Enterprise subscription required
See the Pricing page for more information about subscription options.

Supported authenticator apps
Authenticator apps must be compliant with the Time-Based One-Time Password (TOTP) protocol defined in RFC 6238.

  • Google Authenticator
  • Microsoft Authenticator

Enabling Authenticator Apps

To enable or disable the authenticator app for a specific application:

  1. Log in to LoginTC Admin
  2. Click Applications
  3. Select the application you want to modify
  4. Select the appropriate application policy
  5. Under Authentication Methods, scroll down to Authenticator App
  6. Select either Enabled or Disabled
  7. Select the timeout, in seconds, for which a challenge is valid. The default is 300 seconds
  8. Scroll down to the bottom of the page and click Save

Compatibility Requirements

Supported LoginTC Connectors

Authenticator App is compatible with all LoginTC Connectors:

  • LoginTC AD FS Connector 1.2.1+
  • LoginTC Windows Logon and RDP Connector 1.2.2+
  • LoginTC OWA Connector 1.3.2+
  • LoginTC RD Web Access Connector 1.4.0+
  • LoginTC RD Gateway SSO Connector 1.0.0+
  • LoginTC RADIUS Connector 3.0.6+

LoginTC RADIUS Connector
Authenticator App is compatible with the LoginTC RADIUS Connector in any Authentication Mode, e.g. Direct, Challenge, Challenge Interactive and Iframe.

Managing Authenticator Apps

Associating with a User

Enrollment Email

Authenticator Apps are issued using a LoginTC Enrollment Link. For more information see: Enrollment Email – Enrollment Link.

To associate an authenticator app with a user:

  1. Log in to LoginTC Admin
  2. Click Users and click the target user
  3. Scroll down to Domain Memberships
  4. Click Send Enrollment Email
  5. The user will receive an email with a link to enroll their authenticator app and complete the association process

Disassociating from a User

To disassociate an authenticator app from a user:

  1. Log in to LoginTC Admin
  2. Click Users and click the target user
  3. Scroll down to Authenticator App
  4. Click Disassociate
  5. Click Disassociate Software Token

Using Authenticator Apps

Iframe Window

Authenticator authentication with Authentication Mode Iframe for Citrix NetScaler:

The user selects Authenticator App and enters the corresponding 6-digit code from their app.


When authenticating, a user enters their username normally. In the password field, they should enter their password followed immediately by a comma and the One-Time Password (OTP) displayed on the Authenticator App.

Regular input (without OTP):

username: john.doe
password: johnPassword

Input with OTP:

username: john.doe
password: johnPassword,253340

If the OTP is valid, the user will be authenticated. If the OTP is invalid, the user’s request will be denied.

There must not be any spaces between the password, the comma, and the OTP.
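
The password,OTP format described above, checked on the verifying side, as an added example that is not LoginTC's own code: it splits the password field and validates the 6-digit code per RFC 6238. Splitting on the last comma, the 30-second step, HMAC-SHA1 and the one-step drift window are assumptions; all function names are hypothetical.

```python
import hashlib
import hmac
import re
import struct

STEP = 30    # seconds per time step (RFC 6238 default; assumed here)
DIGITS = 6   # code length shown by the authenticator app
# RFC 6238 Appendix B test secret, used as sample input; not a real key.
RFC_TEST_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the step counter, RFC 4226 truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def split_password_field(field: str):
    """Return (password, otp); otp is None when no ',<6 digits>' suffix exists.

    Assumption: split on the LAST comma so passwords containing commas work.
    Spaces are never stripped: 'pw, 123456' yields no OTP.
    """
    match = re.fullmatch(r"(.*),([0-9]{6})", field, flags=re.DOTALL)
    if match is None:
        return field, None
    return match.group(1), match.group(2)


def check_otp(field: str, secret: bytes, now: int, drift_steps: int = 1):
    """Return (password, otp_ok); accepts +/- drift_steps of clock skew."""
    password, otp = split_password_field(field)
    if otp is None:
        return password, False
    otp_ok = False
    for step in range(-drift_steps, drift_steps + 1):
        candidate = totp(secret, max(now + step * STEP, 0))
        # Constant-time compare; no early exit, so timing does not leak a match.
        otp_ok |= hmac.compare_digest(candidate, otp)
    return password, otp_ok


if __name__ == "__main__":
    # Constructed input: at t=59 the RFC test secret yields 287082.
    print(check_otp("johnPassword,287082", RFC_TEST_SECRET, now=59))
```

The returned password part would then go to the normal first-factor check; the request is accepted only if both succeed.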

RADIUS Challenge and Challenge Interactive

OTPs generated by the Authenticator App also work with Challenge and Challenge Interactive Mode. The user enters the generated 6-digit code after entering their username and password.

Windows Logon Offline

Coming soon.

For more examples see: Authenticator App