2. Enabling TOTP authentication in the Configuration Settings document

Enable TOTP on Domino® servers through a Configuration Settings document.


  1. From the Domino® Administrator, click the Configuration tab and then expand the Messaging section.
  2. Choose Configurations.
  3. Click Add Configuration to create a new Configuration Settings document. Or, select an existing one and click Edit Configuration.
  4. Click the Security tab.
  5. Complete the following fields in the Multi Factor Authentication section.
    Time-based one-time passwords (TOTP) for web authentication Select Enable.
    Allow emergency scratch codes Select Yes (default) to allow users to provide one of ten scratch codes rather than a TOTP token. This option is useful for allowing users to log in if their TOTP application is unavailable, for example, if they lose a device that runs it.

    Users are shown the scratch codes right after they set up TOTP successfully. After a scratch code is used, it can't be used again.

    Email scratch codes to a user If you allow emergency scratch codes, select Yes to send an encrypted email containing the scratch codes to a user when they initially set up TOTP or if their configuration is reset and they set it up again. Users also copy the scratch codes right during setup.
    Maximum number of secrets The number of TOTP URIs (accounts) that each user can set up to access a Domino server: 1, 2, or 3 (default). More than one TOTP URI might be useful if the TOTP application runs on multiple devices.
    Algorithm The algorithm used to generate the token. Use the default, HMAC-SHA256, unless you find that there are older TOTP applications in your environment that don't support it.
    Note: The ID vault server supports downgrading the HMAC algorithm by one level, for example, from HMAC-SHA256 to HMAC-SHA1. Therefore, we have kept the default algorithm as HMAC-SHA256 to support TOTP clients like Google Authenticator. Authy and Microsoft Authenticator support HMAC-SHA1 currently and they work against the server enabled for either HMAC-SHA1 or HMAC-SHA256.
  6. Make sure, you have "Check internet password in vault" (prefered) or "Check vault first then directory" configured. For more information, seeAuthenticating web users against the Notes ID passwords in the ID vault. Verifying the password against the vault skips potential mismatches of Internet/Notes passwords.
    Note: "Check vault first then directory" allows unvaulted users to authenticate.
  7. Click Save & Close.