Two-factor OATH authentication with Google Authenticator

Google Authenticator generates verification code as a dynamic component to increase account security.

In order to configure OATH as an active authentication method for a user, follow the steps:

1. Select Management > Users.
2. Find and click the user for whom you want to add the OATH authentication method.
3. Scroll down to the Authentication section.
4. From the Type drop-down list, select OATH.
5. Choose the first factor: Password or External authentication.
6. If Password is chosen, enter password’s static part. If External authentication, select External authentication source.
7. From the Token type field, select TOTP (time-based) or HOTP (counter-based).
8. Enter a secret that will be used by Google Authenticator. Note, that the secret must be a Base32 encoded value. Alternatively, click the cog icon to generate it automatically. Click to show the QR code.
9. Provide the Token length and Time step if selected Token type is TOTP (time-based).

📘

The Initialized option serves for the user’s initialization via the QR code. When their static password as a First factor setting is filled or External authentication source if configured, the QR code is displayed during their first connection. After successful first authentication the Initialized option becomes checked and takes uneditable state.

10. Click Save.
11. Launch Google Authenticator and add new service. Configure it manually, or use the QR code:

for Manual entry:

• Select Enter a provided key.
• Enter account name.
• Enter the secret defined in OATH authentication method.
• Select Token type.
• Select ADD.

with QR code:

• Click the QR-code icon on the user configuration form, next to the Secret field in the Authentication section.
• Select Scan a barcode in Google Authenticator.

12. When logging in, the password string consists of a static password defined in the authentication method and dynamic part generated by the Google Authenticator, e.g. password481418.