Skip to main content
Skip table of contents

Set up Secure activation for OATH

This article includes updates for Digital Access 6.5.0.

This article describes how to set up Secure activation for OATH authentication method. For a single instance of DA, OATH authentication can either be Secure or General. It is not possible to have both types in same DA.

Secure activation for OATH is applicable only for single factor OATH authentication.

The activation in this case will be done online with the dskpp protocol where the server checks and validates the user using the activation link and Activation PIN. The user is required to set an Activation PIN to make sure they are the ones enabling the profile in the client device. The same activation PIN needs to be entered in the client device while activating the profile. 

Step-by-step instruction 

Add Smart ID mobile/desktop app as authentication method
  1. In Digital Access Admin, go to Manage System.

  2. Click Authentication servicesSeed Provisioning through DSKPP → Check Enable Seed Provisioning.

  3. Click OATH Configuration.

  4. Under the heading Database Connectivity, click Manage OATH Providers. Here you see the pre-defined providers (HOTP - event based one time password and TOTP - time based one time password). You cannot edit the pre-defined providers, only the new ones that you add. The SHA256 and SHA512 are different used algorithms.

    • Nexus Smart ID Mobile supports SHA256 and SHA512 with iOS and Android.

    • Nexus Smart ID Mobile also supports fingerprint authentication and face recognition (on iOS).

  5. Click Manage System > Authentication Methods > Add Authentication Method...

  6. Select Nexus OATH and click Next.

  7. Enter a Display Name. Check Enable authentication method and Visible in authentication menu.

  8. Select a pre-defined provider from the OATH Provider drop-down list, for example, for Google Authenticator with HOTP select Predefined_Hotp_HmacSHA256.
    The email sent to the user can be configured to mention what OATH-compliant app that shall be used, for example, Google Authenticator. For more information about how to change email messages, go here: Change provisioning messages in Digital Access.

  9. Click Add Authentication Method Server... and make the settings.

  10. Click Next.

  11. Click Next until the Wizard is finished.

  12. Click Finish.

  13. Click Publish.


Enable Secure OATH setting
  1. In Digital Access Admin, go to Authentication Service → Manage Global Authentication Service Settings.

  2. Click Password/PIN settings. Under Portwise OATH, check the 'Enable secure activation' checkbox and configure the Activation Code related properties as required.

  3. Configuration changes in Email messages and SMS/Screen messages tab and in Self Service → OATH Profile Provisioning
    Change the OATH Provisioning URL Scheme to 'com.nexusgroup.dskpp'.

  4. Select Enable OATH for the user account.


Enable the Smart ID app for an end user for secure activation
  1. In Digital Access Admin, go to Manage Accounts and Storage.

  2. Click User Accounts. Search for the user that you shall enable Google Authenticator for, or add a new user account, see Add user account in Digital Access.

  3. If you are updating an existing user account, click Edit User Account and select the Authentication tab.

  4. Select Enable OATH for the user account.

  5. Under Notification Settings, enter email address or SMS (how you want to send the notification). If an Active Directory is connected, the information is added automatically from the user id in the Active Directory. If not, enter the values manually.

  6. Click Next.

  7. The Token ID field is out-grayed since this is not a hardware token.

  8. Select Provider from the drop-down list and select Status active. Select a predefined provider where an authentication method exists.

  9. The admin user needs to set the Activation PIN for the user or check the 'Generate PIN' checkbox to generate and assign a random 6 - digit PIN. This Activation PIN will be sent to the user through the configured notification channel.

  10. Select Notification: By screen, by SMS, by email and so on.

  11. Click Next and Finish Wizard.

    1. The text in green is "Notification by screen".

    2. The email that is sent to the user contains a QR code. The user shall download the OATH-compliant app and use the app to scan the code. In case of Smart ID desktop app, the user need to enter the activation URL instead of scanning QR code.


Enable Smart ID app self service registration
  1. In Digital Access Admin, go to Manage Accounts and Storage.

  2. Click Self Service and select the OATH Profile Provisioning tab.

  3. Check Enable OATH Profile Self Service Provisioning.

  4. Enable the Notification Channels: email, SMS, QR code.

  5. You can customize the notification message. To see all options for the message, click the ?-sign. Change "OATH Authentication" in the mail message to a text that informs the user about the method to use, what app to download and other relevant information.

  6. Click Save.

  7. Click Publish.


Set up user account to be able to use self-service
  1. In Digital Access Admin, go to Manage Accounts and Storage.

  2. Click User Accounts. Search for the user that shall be able to use self-service, or add a new user account, see Add user account in Digital Access.

  3. If you are updating an existing user account, click Edit User Account and select the Authentication tab.

  4. Check Enable Nexus OATH for the user account. Also check, for example, Enable Password for the user account.
    To use OATH for authentication, the user needs the authentication method Nexus OATH to be enabled. For self-provisioning, the user is required to authenticate with another method, like Password. For this reason, the corresponding method (for example, Password) must be enabled for this user as well. The user will be asked to set the Activation PIN when provisioning through Access point.

  5. Under Notification, provide email address and sms. If an Active Directory is connected, the information is added automatically from the user id in the Active Directory. If not, enter the values manually.

  6. In case of self service registration, the user is expected to remember the Activation PIN entered on the access-point page while doing the activation process. No notification email/ SMS will be sent for the Activation PIN to the user.

  7. Click Next. This step assumes that password has been selected in step 4 as the second authentication method. The password that the user shall provide comes from the Active Directory. If no AD, enter a password for the user to use. Also check any password properties.

  8. For OATH, do not add a token because the user shall do that as self service registration.

  9. Select Notification, for example, select by screen and by email.

  10. Click Next.

  11. Click Finish Wizard.
    The text in green is "Notification by screen". Note the line containing the user's password.


Register a new device
  1. Next time when the user logs in to Digital Access, there is a "New Device?" link available.

  2. The user shall then first authenticate with the enabled method, for example, password. The user has received an email regarding this.

  3. The user then clicks Confirm to create a new profile.

  4. Depending on the settings, an email regarding OATH profile provisioning is sent to the user and a QR code is also presented, could be either of these or both. The user uses, for example, Google Authenticator to scan the code.

  5. The user will have to enter an Activation PIN that the user configured while self-service registration or through admin UI.

  6. The user then clicks Activate in the app and registers a PIN code and, if applicable, a fingerprint.

Related information



JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.