Digipass OTP administrative use-cases

This article summarizes the configuration steps for two different administrative use-cases:

  • Use Digipass OTP as the 2nd authentication factor.
  • Changing from one Digipass OTP device to another (migration from an expiring to a new device).

Prerequisites

  • The Airlock IAM Adminapp must be preconfigured for Users and Tokens management.
  • A Vasco OTP Device Activation step needs to be configured in a protected self-service of the Loginapp if unactivated devices are shipped to the end-user.

Use Digipass OTP as the 2nd factor

To use Digipass OTP as the 2nd factor in an authentication flow, the following configuration prerequisites must be fulfilled.

To enable a user to log in with a Digipass OTP token, do the following.

  1. Change to the Users menu of the Adminapp (may not be visible depending on the administrator's permissions).
  2. Find the user and open the user details by clicking on the entry.
  3. Add Vasco OTP as New authentication method in the Authentication Methods tab.
  4. A new Vasco OTP tab opens.
  5. Assign a Digipass OTP device to the user account on the new tab by clicking on the Assign new device button. If no device is available in the list, import new devices in the Tokens menu (may not be visible depending on the administrator's permissions).
  6. If required, edit the validity period and synchronize the device (only necessary if you assume that the token may be out of sync).
  7. Make sure that the device is in the intended state (active or inactive). Depending on the administrator's permissions, this can be changed using the Enable / Disable button. If inactive devices are sent to users, a corresponding activation self-service must be configured in the Loginapp. See Digipass OTP device activation (protected self-service) for details.
  8. Ship the device to the user. To support this, a shipment letter can be ordered in the device details (button Order new letter).
  9. The user can now use the Digipass OTP device to log in. How it is checked during the login process depends on the configuration of the authentication flow.

Changing from one Digipass OTP device to another

Digipass OTP devices have a limited hardware lifetime of several years and in addition, a validity period of the devices (valid from/until) can be configured in Airlock IAM for each device in the Adminapp's Users section.

To allow uninterrupted OTP usage, a follow-up token can be defined in the Adminapp.

  1. Change to the Users menu of the Adminapp (may not be visible depending on the administrator's permissions).
  2. Find the user and open the user details by clicking on the entry.
  3. Open the Vasco OTP tab of that user.
  4. Assign a new device to the user.
  5. The user account has now two (or more) Digipass OTP devices assigned. The old device is in status active, the new device is in status inactive.
  6. On the active old Digipass OTP device, select the follow-up device in the drop-down Next device.
  7. Ship the token to the user.
  8. When configuring Valid from/until dates, e.g., to force the migration, make sure to inform the end-user about it.
  9. When the end-user uses the new Digipass OTP device for the first time, the old device changes its status to inactive and the new device to active on the Vasco OTP tab in the user account.
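The follow-up-device behaviour described in the steps above (one active device, an inactive successor linked via Next device, validity windows, and the status swap on first use of the successor), as an added Python model. This is not Airlock IAM code: the `Device` and `UserAccount` classes, their field names and the OTP check are assumptions, and the OTP codes are constructed stand-ins.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical model of a Digipass OTP device record as shown on the Vasco OTP tab.
# Field names are assumed; real OTP validation and replay protection are out of scope.
@dataclass
class Device:
    serial: str
    active: bool
    valid_from: Optional[date] = None
    valid_until: Optional[date] = None
    next_device: Optional[str] = None          # serial selected in the "Next device" drop-down
    codes: set = field(default_factory=set)    # constructed stand-in for the real OTP check

    def is_valid_on(self, day: date) -> bool:
        """Enforce the Valid from/until window configured per device."""
        return (self.valid_from is None or self.valid_from <= day) and \
               (self.valid_until is None or day <= self.valid_until)


class UserAccount:
    def __init__(self, devices):
        self.devices = {d.serial: d for d in devices}

    def active_device(self) -> Optional[Device]:
        return next((d for d in self.devices.values() if d.active), None)

    def verify_otp(self, code: str, today: date) -> bool:
        """Accept the OTP on the active device or on its linked follow-up device.
        The first successful use of the follow-up device swaps both statuses."""
        old = self.active_device()
        if old is None:
            return False
        if old.is_valid_on(today) and code in old.codes:
            return True
        # An inactive device is only honoured if the active one points to it.
        new = self.devices.get(old.next_device) if old.next_device else None
        if new is None or new.active or not new.is_valid_on(today) or code not in new.codes:
            return False
        old.active, new.active, old.next_device = False, True, None   # migration
        return True


def example_account() -> UserAccount:
    """Constructed sample: expiring active device OLD linked to inactive successor NEW."""
    old = Device("OLD", True, valid_until=date(2024, 12, 31), next_device="NEW", codes={"111111"})
    new = Device("NEW", False, valid_from=date(2024, 10, 1), codes={"222222"})
    return UserAccount([old, new])
```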