I have a customer in South Africa that is very interested in the functionality provided by the Desktop OTP tool but, AS IS, the Desktop OTP tool poses critical challenges in the enterprise environment, namely roll-out strategy, security on shared workstations (staff that work in shifts), application updates and potential downtime for the user that is trying to authenticate.
The application needs to operate in an environment where multiple users share the same PC (work shifts) and where a user can use multiple PCs during the course of a typical business day (session based; in other words, the user should have to authenticate to be able to see the OTP sequence, similar to the way the NetIQ Advanced Authentication mobile app operates with PIN/biometric protection).
The idea would be to take the functionality of the Desktop OTP app and present it as an additional portal and method (the "Web TOTP" method) in AAF. Essentially the portal would display OTP sequences for the authenticated user.
This would address the use case when users forget/do not have access to their enrolled mobile devices.
Unlike the current Desktop OTP, it would be a separate method from TOTP, i.e. "Web TOTP". By being a separate method, the user can be enrolled for this method as well as for TOTP/Smartphone, and, similar to the Emergency PIN, the "Web TOTP" method should have the option of temporary access (configurable).
Additional requirements
- Additional Roles
Creation of a new administrative role (e.g. "Emergency Enroller") whose main function is to enroll users from (and for) the Web TOTP portal. This is required because the user population might not belong to the current ENROLL ADMINS, FULL ADMINS or SHAREAUTH ADMINS roles. This administrator should only be allowed to access the Web TOTP portal and perform an enrollment.
- Enrollment
A) The Desktop TOTP application is to be replaced with a Web TOTP portal. However, the enrollment process should be similar to the Helpdesk portal, so that the "Emergency Enroller" officers can search for the user and enroll the user profile.
The current Helpdesk portal use cases for this particular customer require an authentication factor to enroll the user (the "Ask for the credentials of the managed user" option in the helpdesk policy is set to ON). In a situation where the user is remote (VPN users) or left the enrolled mobile device at home, the requirement to have this policy ON would represent a challenge IF enrollment for Web TOTP is done via the current Helpdesk portal.
B) The "Emergency Enroller" must share a random PIN with the user once enrollment has been completed (perhaps via a "Send PIN" button that emails it). Similar to the Emergency PIN, only the administrator (a user with the "Emergency Enroller" role) can enroll the normal user for this method (Web TOTP), and only for a period of time (configurable centrally via a policy, similar to the Emergency PIN method). This enrollment should only be possible via the Web TOTP portal, where the "Emergency Enroller" searches for the user and can enroll them for Web TOTP only.
- Functionality
1. When a user accesses the Web TOTP portal, they must authenticate using their username, password and PIN. Successful authentication will result in the user being registered for Web TOTP for the remainder of the time that Web TOTP is configured to be available for the user profile.
2. After logging in, the user's username must not be displayed; only the TOTP (and the time before it will be refreshed) must be displayed.
3. After a configurable period of inactivity, the session to the portal should be terminated automatically.
4. Should the time for the Web TOTP method elapse, the user must request to be enrolled again.
These are just some of the requirements presented by the client. The technical team has room to decide how best to address the technical aspects/dependencies.
by: Bruno U. | over a year ago | Configuration
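As an added illustration (not part of the original request and not NetIQ code), the following Python models the behaviour described in the Functionality section: a time-bounded Web TOTP enrollment created by an Emergency Enroller with a shared PIN, and a portal view that returns only the current code and the seconds until it refreshes, refusing when the PIN is wrong or the enrollment window has elapsed. The record layout and the names `enroll`, `portal_view` and `totp` are assumptions; the TOTP algorithm itself follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits).

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

STEP = 30      # seconds per TOTP window (RFC 6238 default)
DIGITS = 6     # code length shown in the portal


@dataclass
class WebTotpEnrollment:
    """Hypothetical record created by an Emergency Enroller.
    The username is kept for lookup only; portal_view never returns it."""
    username: str
    secret: bytes      # TOTP seed generated at enrollment
    pin_hash: bytes    # PBKDF2 hash of the PIN shared with the user
    pin_salt: bytes
    expires_at: int    # unix time after which the method is unavailable


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enroll(username: str, pin: str, valid_for_seconds: int, now: int) -> WebTotpEnrollment:
    """Enroll a user for Web TOTP for a policy-defined window (valid_for_seconds)."""
    salt = secrets.token_bytes(16)
    return WebTotpEnrollment(username, secrets.token_bytes(20),
                             hash_pin(pin, salt), salt, now + valid_for_seconds)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP over an RFC 4226 HOTP counter derived from the current time."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def portal_view(enr: WebTotpEnrollment, pin: str, now: int):
    """What the portal may display after primary login: (code, seconds_until_refresh).
    Returns None if the PIN is wrong or the enrollment window has elapsed,
    in which case the user must ask to be enrolled again."""
    if now >= enr.expires_at:
        return None
    if not hmac.compare_digest(hash_pin(pin, enr.pin_salt), enr.pin_hash):
        return None
    return totp(enr.secret, now), STEP - now % STEP
```

The inactivity timeout from item 3 is a session concern of the web tier and is not modelled here.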