Integrating OATH-based one-time passcode auth journeys
Applies to: PingOne Advanced Identity Cloud, PingAM, Android, iOS
The OATH module supports one-time password (OTP) authentication as defined in the OATH standard protocols.
HMAC-based one-time passwords (HOTP)
As described in RFC 4226, HOTP authentication generates a new one-time password (OTP) each time the user requests one on their device.
The device tracks how many one-time passwords the user has requested with a counter. Because the server only sees the passwords the user actually submits, the counter on the device can be ahead of the counter on the server.
The server resynchronizes its counter when the user next logs in. To bound this, you set the number of passwords a user can generate before their device can no longer be resynchronized.
For example, if you set the HOTP Window Size to 50 and someone presses the button 30 times to generate a new password, the server steps forward through the passwords for the next counter values until it reaches the one-time password entered by the user.
If, however, someone presses the button 51 times, the password falls outside the window, and you will need to reset the server's counter to match the device's counter before the user can log in.
HOTP authentication doesn't check earlier passwords, so if the user resets the counter on their device, they won't be able to log in until you reset the counter on the server to match their device.
Time-based one-time passwords (TOTP)
As described in RFC 6238, TOTP authentication generates a new one-time password at each time interval you specify.
The TOTP Time Step Interval setting configures how often (in seconds) the client generates a new password.
Use the TOTP Time Steps setting to allow for clock drift between your server and the client device. For example, set this to 1 to accept the previous, the current, or the next password as valid.
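The following is an added example, not code from Ping Identity or this documentation, that shows what the HOTP Window Size and TOTP Time Steps settings do on the server side. It implements the OTP generation from RFC 4226 and RFC 6238 (checked against the test vectors those RFCs publish, which use the seed "12345678901234567890") and then a verification step for each mode. The function names, the window semantics (a window of 50 covers exactly the next 50 counter values, so 30 presses succeed and 51 fail, as the text above describes) and the in-memory last-used-step tracking are assumptions made for illustration.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with server-side resynchronization windows.

Added example, not Ping Identity's code. The window behaviour mirrors the
HOTP Window Size and TOTP Time Steps settings described on this page; the
function names and return conventions are assumptions for illustration.
"""
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample secret: the seed used by the RFC 4226 / RFC 6238 test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # low nibble of the last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step (T0 = 0)."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, server_counter: int, submitted: str,
                window_size: int = 50, digits: int = 6) -> Optional[int]:
    """Server-side HOTP check with a look-ahead window (assumed HOTP Window Size semantics).

    `server_counter` is the next counter value the server expects. The server
    tries that value and the following ones, `window_size` candidates in total.
    Returns the resynchronized counter (one past the match) on success, or None
    if the submitted code is not within the window. Counters behind the server
    are never tried, so a device that has been reset cannot log in until the
    server counter is reset to match it.
    """
    for candidate in range(server_counter, server_counter + window_size):
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate + 1
    return None


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, time_steps: int = 1, digits: int = 6,
                last_used_step: Optional[int] = None) -> Optional[int]:
    """Server-side TOTP check tolerating `time_steps` steps of clock drift either way.

    Returns the time step that matched so the caller can store it; passing that
    value back as `last_used_step` rejects replays of a code that was already
    accepted within the drift window. Returns None on failure.
    """
    current = unix_time // step
    for candidate in range(current - time_steps, current + time_steps + 1):
        if last_used_step is not None and candidate <= last_used_step:
            continue                               # already consumed: treat as replay
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def simulate_hotp_presses(presses: int, window_size: int = 50) -> bool:
    """Model the page's scenario: server expects counter 0, user pressed the button N times."""
    device_counter = presses - 1                   # first press consumes counter 0
    code = hotp(RFC_TEST_SECRET, device_counter)
    return verify_hotp(RFC_TEST_SECRET, 0, code, window_size) is not None


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))          # 755224 per RFC 4226
    print("TOTP at t=59 (8 digits):", totp(RFC_TEST_SECRET, 59, 30, 8))  # 94287082 per RFC 6238
    print("30 presses, window 50:", simulate_hotp_presses(30))  # True
    print("51 presses, window 50:", simulate_hotp_presses(51))  # False
```

The `last_used_step` argument is the caveat the Time Steps setting introduces: widening the drift window means the same code stays valid across several server-side checks, so a server should record the step it accepted and refuse anything at or before it.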