Time-based one-time password (TOTP) authentication

When users log on to a Domino Web server, you can require that they provide time-based one-time passwords in addition to their user names and passwords.

Time-based one-time password (TOTP) authentication provides an extra layer of security when users authenticate to a Domino Web server. When TOTP is enabled, users are required to provide a time-based one-time password (token) in addition to their names and passwords. Session time-out that is configured on the Domino server controls how often users are prompted to log in and provide both credentials.

Users must have a TOTP application installed locally on a device or computer. TOTP applications that comply with RFC 6238 are supported, including Google Authenticator, Authy, and Duo Mobile.

When TOTP is in use, a user's TOTP application and the user's Domino ID vault server generate unique, six-digit tokens for the user that expire every 30 seconds. The user authenticates successfully when they provide a token generated by the TOTP application that matches the server-generated one.

Tokens are derived from a unique TOTP URI string that the ID vault server creates for a user when they set up TOTP authentication. The URI contains a unique secret key and other information such as the hash algorithm, token length, and expiration interval. The URI is stored in a user's ID vault document, so to use TOTP authentication, users must be registered in an ID vault.

Web users set up TOTP authentication on their TOTP applications the first time they log on to a Domino Web server after TOTP is enabled on it. When they set up TOTP, their ID vault server generates a TOTP URI. The URI is displayed in the login screen as a QR Code and as a text string. On mobile devices, users can scan the QR Code to configure the URI on their local TOTP application.