
One-Time Password credential

A One-Time Password (OTP) credential uses an automatically generated time-sensitive numeric code for authentication.

The OTP credential can be used for authentication at Windows logon and within a Windows session as defined by the Logon or Session Policy in force, as well as for DigitalPersona Password Manager trained applications, websites or network resources and SAML-compliant portals such as Office 365.

A QR Code scanner app on your device will greatly simplify the enrollment process by automating the entry of required account information, but is not required as manual entry of the information is also possible.

The verification code may be generated in one of the following ways.

  • Authenticator app – A software token is generated by a special Authenticator app on a user’s mobile device, and the resulting time-sensitive code is used for authentication.
  • OTP Push Notification – A software token is generated by DigitalPersona and sent to a mobile device where the user can Accept or Deny its use for authentication. Although generation of the OTP is supported in third-party authentication apps, Push Notification is only available through the DigitalPersona authentication app.
  • OTP via SMS – A software token is generated by DigitalPersona, and a time-sensitive code that can be used for authentication is sent to a mobile device through SMS.
  • Hardware token – A dedicated hardware device generates a time-sensitive code used for authentication. The hardware token must be an OATH-compliant TOTP (Time-based One-Time Password) device.

OTP Enrollment

The steps in the enrollment of an OTP credential differ slightly based on the type of OTP credential described above.

Authenticator app and Push Notification

Enrollment of an OTP credential to be used with an authenticator app will also automatically include the ability to make use of OTP Push Notification, but only if the DigitalPersona administrator has installed and configured the Push Notifications Server. Also, the associated OTP GPO setting must be enabled and configured by a DigitalPersona administrator.

However, during enrollment, you may choose not to use OTP Push Notification by selecting Decline on the Push Authentication page. If both the authenticator app and OTP Push Notification are enrolled, you can use either one for authentication.

The steps for enrolling a software-based OTP token to be used with an authenticator app or OTP Push Notification are:

  • Download an authentication app.
  • Set up a DigitalPersona account on your device.
  • Sign in to the DigitalPersona app.
  • Enroll the credential in the DigitalPersona Console.

Download an authenticator app

  1. From the DigitalPersona Console, click Credential Manager, and then click the One-Time Password tile.
  2. On the One-Time Password page, select Software token as the token type if it is not already selected. (It is the default.)
  3. Click the Download phone app link to display a dialog where you can download and install the authenticator app for your device.
  4. Select your device’s app store, and then scan the QR code provided or click the corresponding Download link. The DigitalPersona app is currently available in the Apple Store and on Google Play. For the Windows and Blackberry mobile platforms, the Microsoft and Google Authenticator apps provide nearly identical functionality, although setup and enrollment steps may vary slightly.
  5. Scanning the QR code with a QR Code scanner app on your device is the simplest procedure. It will automatically open your device’s default web browser and display the product page for the selected authentication app so that you can download and install the app.
  6. Clicking the Download link will open the selected app store in your computer’s default browser. Some app stores may require signing in and/or downloading the app and copying it to your device. The instructions that follow are for the DigitalPersona app as installed on an iPhone. Instructions for the use of other authentication apps and devices may differ slightly.

Set up a DigitalPersona account on your device

  1. Launch the authentication app on your device. The first time the app is launched, the Register screen displays. Click OK to allow DigitalPersona Mobile to send you notifications. Then click Register.
  2. Enter and verify a six-digit passcode.
  3. On the Diagnostic and Usage page, accept the defaults or tap an option to deselect it.
  4. On the Accounts screen, click the Camera icon. You will be asked for permission to access your device’s camera. Tap OK if you want to use the camera to scan the QR Code for automatically creating your DigitalPersona Mobile account. If you click Don’t Allow, you will need to enter the account information manually.
  5. You can create the required account on your device automatically by scanning the QR Code on the One-Time Password page, or by entering the account data manually.
  6. Automatic account creation
    • On the Scan QR Code screen, scan the QR code that displays on the One-Time Password page. Do not rescan the QR code from the app store dialog that was used to download the app.
    • If the Push Authentication Server has been previously set up by your DigitalPersona Administrator, Push Authentication will be automatically enabled for your device once you choose to Accept the associated Privacy Policy. If you choose to Decline the Privacy Policy, Push Authentication will not be enabled.
    • Once the account information is displayed, tap Save. The DigitalPersona Mobile account will be created and the Accounts screen displayed with the new account and your first One-Time Password shown.
  7. Manual account creation
    • On your computer, from the One-Time Password page, locate the account information that needs to be entered on your device by selecting Can’t scan on the main One-Time Password page. A dialog displays your account information.
    • On your device, from the Scan QR Code screen, select Enter Account Manually to display the Account screen.
    • Enter the account information from the One Time Password page (on your computer) into the associated fields on your device. Then tap Save.
    • If the Push Authentication Server has been previously set up by your DigitalPersona Administrator, Push Authentication will be automatically enabled for your device once you choose to Accept the associated Privacy Policy. If you choose to Decline the Privacy Policy, Push Authentication will not be enabled.

Sign in to the DigitalPersona Mobile app

Once you have registered as described in the previous pages, you can sign in to the app as follows.

  1. Launch the DigitalPersona Mobile app.
  2. Sign In.
    • Fingerprint enabled devices – You can enable fingerprint authentication to the DigitalPersona Mobile app by selecting Enable Touch ID on the Sign In screen or later in the DigitalPersona Mobile Settings. Then touch the fingerprint sensor to sign in.
    • Non-fingerprint enabled devices – Tap Sign In and then enter your six-digit DigitalPersona Mobile passcode.

Enroll the OTP credential

  1. On your computer, open the One-Time Password page.
  2. On your device, sign in to the DigitalPersona Mobile app.
  3. On your computer, enter the six-digit verification code displayed in the app and click Save.

OTP for SMS delivery

On the Credential Manager, One-Time Password page, you can enroll an OTP credential that will transparently generate a time-sensitive code that is sent to your mobile device and display a notification asking you to Allow or Deny its use for authentication.

Enrollment of the SMS delivery feature requires that a DigitalPersona administrator has previously created a Nexmo (https://www.nexmo.com) account and entered Nexmo account information into the OTP setting on the DigitalPersona Server.

To enroll the OTP via SMS credential

  1. On the One-Time Password page, click the Get One-Time Password via SMS link.
  2. Enter the number for the mobile device that you would like to enroll in order to receive a One-Time Password through SMS delivery.
  3. Click Send.
  4. You will receive an SMS message on your mobile device containing a six-digit verification code.
  5. On your computer, enter the verification code into the Type verification code from the phone field.
  6. The Credential Manager page will re-display and the One-Time Password tile will now show the Change caption, indicating that a One-Time Password credential has been enrolled.

OTP hardware token

On the Credential Manager, One-Time Password page, you can enroll a hardware token as a DigitalPersona credential. The hardware device can then be used to generate a code for authentication. Note that hardware tokens must be OATH-compliant TOTP (Time-based One-Time Password) devices.

Enroll an OTP credential using a hardware token

  1. From the DigitalPersona Console, click Credential Manager, click the One-Time Password tile and, from the Select token type dropdown list, select Hardware token.
  2. Enter the serial number for your hardware token, which is usually found on the back of the device. Note that a vendor supplied file associated with a specific set of hardware tokens must have been previously imported to the DigitalPersona Server before the hardware token can be enrolled.
  3. Enter the verification code displayed on your device and click Save.

Authentication with a One-Time Password

To authenticate with your One-Time Password

  1. Do one of the following, depending on where you are authenticating from.
    • At Windows logon, select Sign-in options and then select the One-Time Password (or OTP) tile to display One-Time Password options.
    • On any Verify your Identity screen, select the One-Time Password (or OTP) tile.
  2. You can use an OTP credential in any of the following ways.
    • Select Send push notification to send a notification to your enrolled mobile device allowing you to Approve or Deny authentication.
    • Select Send SMS with OTP code to send an SMS message to your enrolled mobile device with a verification code that you can enter on your computer for authentication.
    • Launch your previously registered authentication app on your mobile device and enter the resulting verification code into the entry field on your computer.
    • Activate the display on an enrolled hardware token, and enter the displayed verification code on your computer.
  3. In most cases, enter your One-Time Password into the One-Time Password field on your workstation screen and select the arrow button. When using push notification, you do not need to enter the code on your computer, as tapping Approve or Deny on your mobile device automatically authenticates to your computer.
  4. Note that the OTP displayed in the authentication app changes every 30 seconds and the code on a hardware token device generally changes every 30 to 60 seconds, depending on the manufacturer and any optional configuration by your administrator.
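
The code lifetime noted above comes from the TOTP time step. The following Python example is added here for illustration and is not DigitalPersona code: it implements the OATH TOTP algorithm (RFC 6238, HMAC-SHA1, six digits) and shows why a token on a 60-second step is rejected by a verifier that assumes 30 seconds. The secret is the published RFC test key; the drift window and replay check are assumptions about a typical verifier, not documented product behaviour.

```python
import hashlib
import hmac
import struct

# Constructed sample key: the ASCII test secret from RFC 4226 / RFC 6238.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238: the counter is the number of whole time steps since the epoch."""
    return hotp(secret, unix_time // step)


def verify(secret, code, unix_time, step=30, drift_steps=1, last_counter=-1):
    """Return the matching counter, or None if the code is rejected.

    drift_steps tolerates clock skew between token and server; counters at or
    below last_counter are skipped so an accepted code cannot be replayed.
    """
    if not (code.isascii() and code.isdigit()):
        return None
    current = unix_time // step
    for counter in range(max(0, current - drift_steps), current + drift_steps + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


if __name__ == "__main__":
    print(totp(SECRET, 59), totp(SECRET, 60))        # code changes at the step boundary
    print(verify(SECRET, totp(SECRET, 59), 61))      # previous step accepted (skew)
    print(verify(SECRET, totp(SECRET, 59), 61, last_counter=1))  # replay rejected
    token_code = totp(SECRET, 240, step=60)          # token on a 60-second step
    print(verify(SECRET, token_code, 240, step=30))  # verifier assumes 30 s: rejected
    print(verify(SECRET, token_code, 240, step=60))  # matching step: accepted
```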

To change your OTP credential

  1. Once the credential has been enrolled, the word CHANGE will display beneath the OTP tile.
  2. On the Credential Manager page, click CHANGE.
  3. Confirm that you want to delete the current OTP credential and enroll a new credential.
  4. Enroll the new OTP credential.

To delete your OTP credential

  1. On the One-Time Password page, click Delete Credential.
  2. Confirm that you want to delete the credential.