Set up an OATH-compliant mobile/desktop app as authentication method

In Digital Access Admin, go to Manage System.

Click OATH Configuration.

Under the heading Database Connectivity, click Manage OATH Providers. Here you see the pre-defined providers (HOTP - event based one time password and TOTP - time based one time password). You cannot edit the pre-defined providers, only the new ones that you add. The SHA256 and SHA512 are different used algorithms.

• Nexus Smart ID Mobile supports SHA256 and SHA512 with iOS and Android.

• Nexus Smart ID Mobile also supports fingerprint authentication and face recognition (on iOS).

Click Manage System > Authentication Methods > Add Authentication Method...

Select Nexus OATH and click Next.

Enter a Display Name. Check Enable authentication method and Visible in authentication menu.

Select a pre-defined provider from the OATH Provider drop-down list, for example, for Google Authenticator with HOTP select Predefined_Hotp_HmacSHA1.
The email sent to the user can be configured to mention what OATH-compliant app that shall be used, for example, Google Authenticator. For more information about how to change email messages, go here: Change provisioning messages in Digital Access.

Select if you want to use Two Factor Authentication and if so, if you want to use one or two fields for entering password and OTP.

• One screen: Password and OTP are entered in the same screen. In case of Active directory users, the OTP will be validated first and if the OTP is valid, the password will be validated. This avoids the AD account from easily getting locked.

• Two screens: Separate input fields are used, one to enter <password> and one to enter <otp>.

Click Add Authentication Method Server... and make any settings.

Click Next.

Click Next until the Wizard is finished.

Click Finish.

Click Publish.

In Digital Access Admin, go to Manage Accounts and Storage.

Click User Accounts. Search for the user that you shall enable Google Authenticator for, or add a new user account, see Add user account in Digital Access.

If you are updating an existing user account, click Edit User Account and select the Authentication tab.

Select Enable OATH for the user account.

Under Notification Settings, enter email address or SMS (how you want to send the notification). If an Active Directory is connected, the information is added automatically from the user id in the Active Directory. If not, enter the values manually.

Click Next.

The Token ID field is out-grayed since this is not a hardware token.

Select Provider from the drop-down list and select Status active. Select a predefined provider where an authentication method exists.

If you have chosen Two Factor Authentication, enter a password that the user shall use and check any password properties.

Select Notification: By screen, by sms, by email and so on.

Click Next and Finish Wizard.

1. The text in green is "Notification by screen".

2. The email that is sent to the user contains a QR code. The user shall download the OATH-compliant app and use the app to scan the code. In case of Smart ID desktop app, the user need to enter the activation URL instead of scanning QR code.

In Digital Access Admin, go to Manage Accounts and Storage.

Click Self Service and select the OATH Profile Provisioning tab.

Check Enable OATH Profile Self Service Provisioning.

Enable the Notification Channels: email, SMS, QR code.

You can customize the notification message. To see all options for the message, click the ?-sign. Change "OATH Authentication" in the mail message to a text that informs the user about the method to use, what app to download and other relevant information.

Click Save.

Click Publish.

In Digital Access Admin, go to Manage Accounts and Storage.

Click User Accounts. Search for the user that shall be able to use self-service, or add a new user account, see Add user account in Digital Access.

If you are updating an existing user account, click Edit User Account and select the Authentication tab.

Check Enable Nexus OATH for the user account. Also check, for example, Enable Password for the user account.
To use OATH for authentication, the user needs the authentication method Nexus OATH to be enabled. For self-provisioning, the user is required to authenticate with another method, like Password. For this reason, the corresponding method (for example, Password) must be enabled for this user as well.

Under Notification, provide email address and SMS. If an Active Directory is connected, the information is added automatically from the user id in the Active Directory. If not, enter the values manually.

Click Next. This step assumes that password has been selected in step 4 as the second authentication method. The password that the user shall provide comes from the Active Directory. If no AD, enter a password for the user to use. Also check any password properties.

For OATH, do not add a token because the user shall do that as self service registration.

Select Notification, for example, select by screen and by email.

Click Next.

Click Finish Wizard.
The text in green is "Notification by screen". Note the line containing the user's password.

Next time when the user logs in to Digital Access, there is a "New Device?" link available.

The user shall then first authenticate with the enabled method, for example, password. The user has received an email regarding this.

The user then clicks Confirm to create a new profile.

Depending on the settings, an email regarding OATH profile provisioning is sent to the user and a QR code is also presented, could be either of these or both. The user uses, for example, Google Authenticator to scan the code.

The user then clicks Activate in the app and registers a PIN code and, if applicable, a fingerprint.