2. Workflows

2.1. Using mOTP token

LinOTP provides a self service interface that users can use to register a new mOTP token completely on their own. mOTP is a one time password algorithm. Many different applications implementing this algorithm are available for mobile phones, smart phones, iPhone and iPad. Your administration or IT department should have provided you with the download link from which to install the mOTP application on your smartphone. In this workflow the MobileOTP.jar Java Midlet from http://motp.sourceforge.net is used.

2.1.1. Initializing the mOTP token

After installing the midlet to your phone, you need to initialize the application. Start the MobileOTP application.

The icon to start the application on your phone.

The OTP token can be initialized by entering the PIN “0000”. This can be repeated at any time afterwards.

By entering the PIN ‘0000’ the token can be initialized at any time.

Now you need to enter 25 random numbers, which are used to create the init secret.

Now the init secret is displayed. You should not write it down or show it to anyone else, since this is the very secret that is used to calculate the OTP values. The secret is only displayed once. As soon as you enter the PIN, the secret cannot be displayed anymore.

The init-secret is only displayed once.

2.1.2. Registering the mOTP Token

You now need to open the LinOTP selfservice portal. Open your web browser and go to the address that was given to you by your IT department. It should be something like: https://linotp.yourdomain.com/ Then you need to log in to the selfservice portal.

LinOTP selfservice portal login screen.

Log in here using your credentials. These will probably be your domain credentials. For more details consult your IT department.

When successfully logged in, you are presented with this screen:

LinOTP selfservice portal registering screen.

At the start no tokens will be displayed on the left hand side. On the right hand side, you need to enter the Init-Secret that is displayed on your phone. Also enter an mOTP PIN, which you will enter into the MobileOTP application on your phone each time you want to generate an OTP value. This mOTP PIN needs to be a 4 digit number.

When you press the button “register Token” your token data gets registered in the backend and assigned to your user. You will now see a token identifier on the left hand side.

A token is assigned to the user.

You may now set an additional OTP PIN.

This OTP PIN is a fixed password that is entered in front of the OTP value each time you authenticate. The OTP PIN can be an alphanumeric value. To set it, click on “set OTP PIN” and click on the token identifier on the left hand side.

Setting the OTP PIN for a token.

Press the button “set PIN” and log out.

2.1.3. Authenticating using mOTP Token

You will probably use the mOTP token to authenticate to a web site, a VPN connection or a terminal server.

When doing so, you need to:

  1. Enter your username into the login dialog username field
  2. Enter your OTP PIN (the alpha numerical value) into the login dialog password field
  3. Enter your mOTP PIN (the 4 digit number) into your MobileOTP application on your phone.
  4. Your phone will display a one time password.
  5. Now enter this one time password (0caa10) right behind the OTP PIN in the password field in the login dialog.
  6. Press a button like “login”.

Generated One Time Password.
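How the values from this workflow fit together on the verifying side, as an added Python example (not LinOTP's or MobileOTP's own code). It uses the published Mobile-OTP construction, the first 6 hex characters of MD5(time in 10-second steps + init secret + mOTP PIN); the secret, both PINs and the accepted clock drift of ±18 steps are constructed sample values and assumptions.

```python
import hashlib
import hmac

STEP = 10  # Mobile-OTP counts Unix time in 10-second steps


def motp(init_secret, motp_pin, now):
    """One time password shown by the phone at Unix time `now`."""
    counter = str(int(now) // STEP)
    data = (counter + init_secret + motp_pin).encode("ascii")
    return hashlib.md5(data).hexdigest()[:6]


def split_password(password):
    """Password field = OTP PIN followed by the 6-character OTP."""
    return password[:-6], password[-6:]


def verify(password, otp_pin, init_secret, motp_pin, now, drift_steps=18):
    """Check the fixed OTP PIN, then the OTP within +/- drift_steps steps.

    drift_steps is an assumed server setting that tolerates clock
    differences between phone and server.
    """
    given_pin, given_otp = split_password(password)
    if not hmac.compare_digest(given_pin.encode(), otp_pin.encode()):
        return False
    ok = False
    for offset in range(-drift_steps, drift_steps + 1):
        candidate = motp(init_secret, motp_pin, int(now) + offset * STEP)
        # Constant-time comparison; keep looping so timing does not
        # reveal which step matched.
        ok |= hmac.compare_digest(candidate.encode(),
                                  given_otp.lower().encode())
    return ok


if __name__ == "__main__":
    # Constructed sample values, not taken from a real token.
    secret, mpin, otp_pin = "0123456789abcdef", "1234", "myPin"
    otp = motp(secret, mpin, 1_700_000_000)
    print("phone shows:", otp)
    print("accepted:", verify(otp_pin + otp, otp_pin, secret, mpin,
                              1_700_000_025))
```

Anyone who knows both the init secret and the 4 digit mOTP PIN can compute the same values, which is why the secret is displayed only once and must not be shared.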

2.2. Using eToken Pass

Your IT department might have handed you an eToken PASS or Safeword Alpine Token.

Your IT department has probably already assigned this token to your user account. In that case you will only need to turn to the self service portal if

  • you lost your token,
  • you forgot your PIN or want to change your PIN for some reason,
  • or you need to resynchronize the token.

2.2.1. Disable lost token

If you lost your token or left it somewhere where someone else might use it, you should go to the self service portal to disable your token. Please note that only an administrator can enable the token again!

Disabling a lost token.

Choose “Disable Token” and select the token from the left side. Press the button “disable Token”. Logging in with this token will not be possible until it gets enabled by an administrator.

2.2.2. Change OTP PIN

If you forgot your OTP PIN or if you think that someone spied on you and knows your OTP PIN, you can go to the self service portal to reset your OTP PIN.

Reset OTP PIN.

Select “set PIN” and choose the token of which you want to reset the OTP PIN from the left side. The serial number of the token will be displayed in the field “selected Token”. Enter a new OTP PIN two times and press the button “set PIN”.

2.2.3. Resynchronize token

As these tokens are event based, your token might get out of sync if its button is pressed too often without a successful authentication. In this case you can go to the self service portal to resynchronize your token.

Resynchronizing an eToken PASS.

Choose “resync Token” and select the token from the left side. Now you need to generate two successive OTP values with your token. Enter the first 6 digit OTP value in the field “OTP 1” and the second 6 digit OTP value in the field “OTP 2” and press the button “resync Token”.
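What a resynchronization with two successive OTP values does on the server, as an added Python example (not LinOTP's own code). It assumes the token computes OATH HOTP values as defined in RFC 4226; the key is the RFC's published test key, and the search window of 1000 counter values is an assumed setting.

```python
import hashlib
import hmac
import struct


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, then truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def resync(key, server_counter, otp1, otp2, window=1000):
    """Search ahead of the stored counter for two successive matches.

    Returns the counter the server should store next, or None when the
    pair is not found inside the window (assumed size).
    """
    for c in range(server_counter, server_counter + window):
        if (hmac.compare_digest(hotp(key, c), otp1)
                and hmac.compare_digest(hotp(key, c + 1), otp2)):
            return c + 2  # both values are consumed by the resync
    return None


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 test key, not a real token
    # Server still expects counter 2, but the button was pressed three
    # more times; the token now shows the values for counters 5 and 6.
    print(resync(key, 2, "254676", "287922"))
```

A single 6 digit value would match by chance somewhere in a 1000-value window about once in a thousand attempts; requiring the next value as well makes an accidental or guessed match negligible.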

2.2.4. Assign new token

If the IT department gave you a token without assigning it to you, you can go to the self service portal and assign it to your user.

Assign a new token.

If the token was not already assigned to you by the administrator, you need to flip the eToken PASS or Safeword Alpine token. On the backside you will find the serial number printed on a label. Choose “Assign Token” and enter this serial number in the field. After hitting the button “assign Token” this token will be assigned to you and appear on the left side in your token list.

2.3. Enrolling OATH Token or Google Authenticator

LinOTP also supports the Google Authenticator, which is available for Android phones and iPhones, and the “OATH Token” for iPhones.

These tokens can be easily enrolled using the two dimensional QR code. Install the Google Authenticator or OATH Token from the app store. In the selfservice portal either choose “Enroll OATH token” or “Enroll Google Authenticator”, click on enroll and use the camera of your phone to scan the QR code picture.