Software OTP Tokens Guide

Overview

LoginTC software tokens are capable of generating One-Time Passwords (OTPs) for accessing resources protected with LoginTC.

Supported Connectors

LoginTC RADIUS Connector supported version: 2.3.0 or higher

In order to leverage OTPs for VPNs and RADIUS devices please upgrade to 2.3.0 or higher.

Beginning with the LoginTC RADIUS Connector 2.3.0, the following are supported:

More coming soon.

Web-Based LoginTC Connectors

All web-based LoginTC connectors support software OTPs. Your users will be prompted for a selection to authenticate with LoginTC Push, or an OTP.

Enabling Software OTP Tokens

Enable software OTPs while creating a LoginTC domain or by editing an existing LoginTC domain settings:

  1. Log in to LoginTC Admin Panel
  2. Click Domains
  3. Click on your domain
  4. Click on Settings
  5. Scroll down to Software OTP Tokens and select Enabled Software Token Details
  6. Click Save

The next time your users open their LoginTC app the software OTP will begin to be displayed.

Using Software OTP Tokens

LoginTC App Requirements

LoginTC software OTPs require the following LoginTC App versions:

  • LoginTC Android 2.2.0+
  • LoginTC BlackBerry 2.2.0+
  • LoginTC iOS 2.2.0+
  • LoginTC Chrome 1.2.0+

If your device has an older version of the LoginTC App you may upgrade to the newest version from your platform’s app store.

Connecting to a VPN

When authenticating, a user enters their username normally. In the password field, they should should enter their password followed immediately by a comma and the One-Time Password (OTP) displayed on the LoginTC app. The OTP is valid for 30 seconds. An indicator beside the OTP informs the user how much time is left.

Regular input (without OTP):
username: john.doe
password: johnPassword
Input with OTP:
username: john.doe
password: johnPassword,253340

If the OTP is valid, the user will be authenticated without a request being sent to their 2nd factor device. If the OTP is invalid the user’s request will be denied.

Warning

There must not be any spaces between the password, the comma, and the OTP

Using OTPs with Challenge Authentication Mode (LoginTC RADIUS Connector)

The software OTPs work great with the Challenge Authentication Mode if you are using the LoginTC RADIUS Connector and if your RADIUS clients support it. When using the Challenge Authentication Mode, the user will be prompted to enter an OTP or press 1 to proceed with the standard LoginTC Push authentication.

Troubleshooting

If your users are having difficulty authenticating with OTPs, check the Logs page in the LoginTC RADIUS Connector web interface:

  1. Log in to your RADIUS connector web UI
  2. Click Logs

Software OTPs Not Enabled for Domain

If a user is trying to access a domain where software OTP token authentication is not enabled, you will find the following error message within their authentication attempt:

2016-08-04 13:40:25,163 - DEBUG - Checking for otp
2016-08-04 13:40:25,300 - DEBUG - otp are not enabled for this domain
2016-08-04 13:40:25,300 - CRITICAL - Invalid credentials for user john.doe

Exception: Invalid credentials for user john.doe

You can enable or disable software OTP token authentication for a domain from the LoginTC Administration Panel. Click here for more information

Invalid OTP

If a OTP is detected, you will find the following log messages associated with the user’s login attempt:

2016-08-04 17:17:31,568 - DEBUG - Checking for otp
2016-08-04 17:17:31,607 - DEBUG - otp enabled for this domain
2016-08-04 17:17:31,607 - DEBUG - Possible otp detected

2016-08-04 17:17:31,616 - DEBUG - Verifying otp for john.doe
2016-08-04 17:17:31,616 - DEBUG - Calling-Station-IP is null, not sending originating IP Address
2016-08-04 17:17:31,684 - CRITICAL - Invalid otp

APIException: Invalid otp

In this case, the user may be attempting to use a OTP that is either: - Not associated with the user - Out of Sync

You can check the state of a user’s otp through the LoginTC Admin Panel. Click here for more information on enabling software OTP tokens.