2. Workflows
2.1. Using mOTP token
LinOTP provides a self-service interface that users can use to register a new mOTP token entirely on their own. mOTP is a one-time password algorithm. Many different applications implementing this algorithm are available for mobile phones, smartphones, the iPhone and the iPad. Your administration or IT department should have provided you with the download link from which to install the mOTP application on your smartphone. In this workflow the MobileOTP.jar Java Midlet from http://motp.sourceforge.net is used.
2.1.1. Initializing the mOTP token
After installing the midlet on your phone, you need to initialize the application. Start the MobileOTP application.
The OTP token can be initialized by entering the PIN “0000”. This can be repeated at any time afterwards.
Now you need to enter 25 random numbers, which are used to create the init secret.
Now the init secret is displayed. Do not write it down and do not show it to anyone else, since this is the very secret that is used to calculate the OTP values. The secret is displayed only once. As soon as you enter the PIN, the secret cannot be displayed anymore.
2.1.2. Registering the mOTP Token
You now need to open the LinOTP self-service portal. Open your web browser and go to the address that was given to you by your IT department. It should be something like: https://linotp.yourdomain.com/ Then you need to log in to the self-service portal.
Log in here using your credentials. These will probably be your domain credentials. For more details consult your IT department.
Once you have logged in successfully, you are presented with this screen:
At the start no tokens will be displayed on the left-hand side. On the right-hand side, you need to enter the init secret that is displayed on your phone. Also enter an mOTP PIN, which you will enter into the MobileOTP application on your phone each time you want to generate an OTP value. This mOTP PIN needs to be a 4 digit number.
When you press the button “register Token”, your token data is registered in the backend and assigned to your user. You will now see a token identifier on the left-hand side.
You may now set an additional OTP PIN.
This OTP PIN is a fixed password that is entered in front of the OTP value each time you authenticate. The OTP PIN can be an alphanumeric value. To set it, click on “set OTP PIN” and click on the token identifier on the left-hand side.
Press the button “set PIN” and log out.
2.1.3. Authenticating using mOTP Token
You will probably use the mOTP token to authenticate to a web site, a VPN connection or a terminal server.
When doing so, you need to:
- Enter your username into the login dialog username field
- Enter your OTP PIN (the alphanumeric value) into the login dialog password field
- Enter your mOTP PIN (the 4 digit number) into your MobileOTP application on your phone.
- Your phone will display a one time password.
- Now enter this one time password (0caa10) directly after the OTP PIN in the password field in the login dialog.
- Press a button like “login”.
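What the server has to check when it receives that password field, as an added example that is not LinOTP's code. It follows the published Mobile-OTP definition (first 6 hex characters of an MD5 digest over the 10-second time step, the init secret and the mOTP PIN); the function names, the 3-minute drift window and all sample values are assumptions.

```python
import hashlib
import hmac

STEP = 10  # Mobile-OTP uses 10-second time steps


def motp(init_secret: str, motp_pin: str, epoch: int) -> str:
    """First 6 hex characters of MD5(time step + init secret + mOTP PIN)."""
    data = f"{epoch // STEP}{init_secret}{motp_pin}".encode()
    return hashlib.md5(data).hexdigest()[:6]


def check_password(password: str, otp_pin: str, init_secret: str,
                   motp_pin: str, now: int, window: int = 18) -> bool:
    """Verify a password field of the form <OTP PIN><6-character mOTP value>."""
    if len(password) < 6:
        return False
    pin_part, otp_part = password[:-6], password[-6:].lower()
    pin_ok = hmac.compare_digest(pin_part.encode(), otp_pin.encode())
    otp_ok = False
    # Accept clock drift of +/- window steps (assumed: 18 steps = 3 minutes).
    for drift in range(-window, window + 1):
        candidate = motp(init_secret, motp_pin, now + drift * STEP)
        otp_ok |= hmac.compare_digest(candidate.encode(), otp_part.encode())
    return pin_ok and otp_ok


# Constructed sample values, not taken from any real token.
SECRET = "0123456789abcdef"   # init secret as shown once on the phone
MOTP_PIN = "1234"             # 4-digit PIN typed into the phone
OTP_PIN = "hunter2"           # alphanumeric PIN typed before the OTP value
NOW = 1_700_000_000           # fixed timestamp so the run is repeatable

if __name__ == "__main__":
    otp = motp(SECRET, MOTP_PIN, NOW)
    print("phone shows:", otp)
    print("login ok:", check_password(OTP_PIN + otp, OTP_PIN, SECRET, MOTP_PIN, NOW))
    print("one hour later:",
          check_password(OTP_PIN + otp, OTP_PIN, SECRET, MOTP_PIN, NOW + 3600))
```

Because the mOTP PIN is an input to the digest, the server must hold both the init secret and the 4 digit mOTP PIN, which is why both are entered during registration.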
2.2. Using eToken Pass
Your IT department might have handed you an eToken PASS or Safeword Alpine Token.
Your IT department has probably already assigned this token to your user account. In that case you will only need to turn to the self-service portal if
- you lost your token,
- you forgot your PIN or want to change your PIN for some reason,
- or need to resynchronize the token.
2.2.1. Disable lost token
If you lost your token or left it somewhere so that someone else might use it, you should go to the self-service portal to disable your token. Please note that only an administrator can enable the token again!
Choose “Disable Token” and select the token from the left side. Press the button “disable Token”. Logging in with this token will not be possible until it is enabled by an administrator.
2.2.2. Change OTP PIN
If you forgot your OTP PIN or if you think that someone spied on you and knows your OTP PIN, you can go to the self-service portal to reset your OTP PIN.
Select “set PIN” and, from the left side, choose the token whose OTP PIN you want to reset. The serial number of the token will be displayed in the field “selected Token”. Enter a new OTP PIN two times and press the button “set PIN”.
2.2.3. Resynchronize token
As these tokens are event-based tokens, they can get out of sync if the button on a token is pressed too often without a successful authentication. In this case you can go to the self-service portal to resynchronize your token.
Choose “resync Token” and select the token from the left side. Now you need to generate two successive OTP values with your token. Enter the first 6 digit OTP value in the field “OTP 1” and the second 6 digit OTP value in the field “OTP 2” and press the button “resync Token”.
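How a server can use the two successive values to find the token's counter again, as an added example that is not LinOTP's code. It assumes the token computes RFC 4226 HOTP values; the function names and the search window of 1000 are assumptions, and the key and OTP values are the public RFC 4226 test vectors.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def resync(key: bytes, server_counter: int, otp1: str, otp2: str,
           window: int = 1000):
    """Return the next counter to expect, or None if no match is found.

    A single 6 digit value would match somewhere in a window of 1000 by
    chance about once in a thousand tries; demanding two values from
    adjacent counters makes an accidental match about a million times
    less likely. The search only moves forward from the server's counter,
    so previously used values cannot rewind the token.
    """
    for c in range(server_counter, server_counter + window):
        first = hmac.compare_digest(hotp(key, c).encode(), otp1.encode())
        second = hmac.compare_digest(hotp(key, c + 1).encode(), otp2.encode())
        if first and second:
            return c + 2
    return None


# RFC 4226 Appendix D test key; counters 5 and 6 yield 254676 and 287922.
KEY = b"12345678901234567890"

if __name__ == "__main__":
    # Server still expects counter 0, the button was pressed five times.
    print("new server counter:", resync(KEY, 0, "254676", "287922"))
    # Values that are not successive are refused.
    print("non-successive:", resync(KEY, 0, "254676", "162583"))
```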
2.2.4. Assign new token
If the IT department gave you a token without assigning it to you, you can go to the self-service portal and assign it to your user.
If the token was not already assigned to you by the administrator, you need to flip the eToken PASS or Safeword Alpine token. On the backside you will find the serial number printed on a label. Choose “Assign Token” and enter this serial number in the field. After hitting the button “assign Token” this token will be assigned to you and appear on the left side in your token list.
2.3. Enrolling OATH Token or Google Authenticator
LinOTP also supports the Google Authenticator, which is available for Android phones and iPhones, and the “OATH Token” for iPhones.
These tokens can be enrolled easily using a two-dimensional QR code. Install the Google Authenticator or OATH Token from the app store. In the self-service portal choose either “Enroll OATH token” or “Enroll Google Authenticator”, click on enroll and use the camera of your phone to scan the QR code picture.