Using OTPs to Authenticate

You can use a one-time passcode (OTP) to log in to the Admin Portal. You use a third-party authenticator (such as Google Authenticator) or the Cloud Client application to scan a QR code generated by Privileged Access Service and configure the OTP. IBM Security supports any authenticator app that supports the OATH TOTP standard. Refer to https://openauthentication.org/about-oath/ for more information.

If an internet connection is not available, you can also use an offline OTP to log in to the Admin Portal. You must first log in in online mode so that an offline OTP profile is created.

Important: Your system administrator must enable these features before you can use them.

To set up an OTP

  1. Log in to the Admin Portal and navigate to Access > Policies.

  2. Click on the policy you want to use for OAUTH OTP.

  3. Click on User Security > User Account Settings.

  4. Set Enable users to configure an OAUTH OTP policy to Yes.

  5. Click Security > OATH OTP Client.

    The QR code displays.

  6. Use a third-party authenticator application or the Cloud Client application on your device to scan the QR code.

  7. A passcode is displayed on the third-party authenticator application and on the Passcodes page of the IBM Security application.

    You can now enter the passcode to log in to Privileged Access Service. This authentication works across tenants. On the Passcodes page of the IBM Security application, you can tap the relevant code to silently send that code and authenticate for the relevant user/endpoint.

To set up an Offline OTP from the Admin Portal

  1. Log in to the Admin Portal > Profile.

  2. Click Passcodes, then select Offline OTP Client.

  3. Click Actions > Setup Offline OTP.

    The QR code displays.

  4. Use a third-party authenticator application or the Cloud Client application on your device to scan the QR code.

    A passcode is displayed on the third-party authenticator application and on the Passcodes page of the IBM Security application.

  5. Enter the verification code generated by the authenticator app, then click Verify.

    You can now enter the passcode to log in to Privileged Access Service when your device is offline.

    On the Passcodes page of the IBM Security mobile application, you can tap the relevant code to silently send that code and authenticate for the relevant user/endpoint.

To resynchronize an OTP

If your OTP fails, you might need to resynchronize your OTP with the Privileged Access Service.

  1. Log in to the Admin Portal > Profile.

  2. Click Passcodes, then select the passcode that you need to resync.

  3. Click Actions > Resynchronize.

  4. Follow the directions in the Resynchronize OATH Token window, then click Submit.
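The passcodes above are produced by the OATH TOTP algorithm (RFC 6238), and resynchronization exists because the authenticator's clock can drift away from the server's. The following is an added illustration, not code from Privileged Access Service or the IBM Security app: it generates TOTP codes, verifies them with a small acceptance window, and shows how a server can relearn the clock offset from two consecutive codes. The secret is the public RFC 6238 test seed, and the function and parameter names are assumptions made for this example.

```python
import hmac
import hashlib
import struct
from typing import Optional

# Constructed secret for the example: the RFC 6238 test-vector seed
# ("12345678901234567890"), not a key from any real tenant.
SECRET = b"12345678901234567890"
STEP = 30     # time-step in seconds (OATH TOTP default)
DIGITS = 6    # code length shown by most authenticator apps

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)

def verify(secret: bytes, code: str, at: int, window: int = 1, drift: int = 0) -> Optional[int]:
    """Server-side check. Accepts codes from `window` steps either side of the
    expected counter (shifted by a previously learned `drift`). Returns the step
    offset that matched so the caller can update its stored drift, or None."""
    base = at // STEP + drift
    for off in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + off), code):
            return off
    return None

def resync(secret: bytes, code1: str, code2: str, at: int, search: int = 100) -> Optional[int]:
    """Resynchronization: given two consecutive codes from the token, find the
    counter offset (relative to server time) at which they appear back to back."""
    base = at // STEP
    for off in range(-search, search + 1):
        if hotp(secret, base + off) == code1 and hotp(secret, base + off + 1) == code2:
            return off
    return None
```

A token that has drifted more than the verify window fails outright, which is the "OTP fails" situation in the resynchronization procedure; the offset learned by resync is then passed as drift so later codes verify again.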