Airlock IAM supports authentication with software- and hardware-based OATH OTP one-time codes. OATH is a standard supported by many mobile apps and hardware tokens. There are two types of OTP generation algorithms:
It can be used with many freely available smartphone apps.
The following mobile apps are "known to work" with Airlock IAM. The mobile apps have been tested with Airlock IAM but are not continuously testet with every release.
Airlock and Ergon are not responsible for the security or proper functioning of apps.
To get more information about all configuration options, please consult the Config Editor documentation of plugin OATH OTP Settings.
The following limitations apply when using OATH OTP in Airlock IAM:
Airlock 2FA also offers OTP-based authentication plus much more features. See Airlock 2FA as the second factor with IAM.
To enroll an OTP app on a smartphone, the seed (shared secret) of a user's OTP token needs to be transported from IAM to the app.
The seed (shared secret) can be displayed in the IAM Adminapp either as QR-code or in various other formats (HEX, base-64):
Access control hint
The seed (shared secret) shown in the Adminapp is very sensitive information. It requires specific access rights in the Adminapp's access controller configuration.
To display the seed or QR-code in the Adminapp (or access them using the Adminapp REST API ) the access rights must be set up as shown in the following example.
The IAM task OATH OTP Letter Task generates letters (usually PDFs) containing the QR-code needed to enroll a mobile app. The letter can be ordered in the Adminapp (or using the Adminapp REST API).
When providing texts for OATH OTP QR-code letter templates, make sure the end-user understands, that the QR-code is a sensitive piece of information that can be used to enroll multiple apps.
Having access to the QR-code letter is equivalent to having the ability to enroll the token on any smartphone. The letter should either be safely stored or destroyed after usage.