mobileOTP Documentation

mobileOTP 1.0.0

User Manual

This section of the manual is intended for users.

Note that all screenshots are from a generic simulator; the appearance on your phone will be slightly different. However all significant landmarks/features will be recognizable.

Installation/Removal

mobileOTP is normally installed OTA (Over The Air), using the web browser on your phone. Your system administrator will give you download instructions. Removing mobileOTP is phone-specific; use your phone's normal application removal procedure.

To run it, use your phone's cursor or selector to highlight the mobileOTP application and press the select button (typically the joystick/navigator button).

Configuration

mobileOTP uses "profiles" to distinguish between multiple configurations. Up to 16 profiles are supported. This allows you to use up to 16 user accounts, roles, or other unique authentication entities. Profiles can represent unique identities at a single site/organization, or the same identity across multiple sites, or any combination. Typically you will only have a single profile configured, representing your single identity at your local company or organization.

The method to obtain a profile configuration for mobileOTP is site-specific, and will be given to you by your system administrator or IT department.

Once you have gone through the local procedure to obtain configuration information, you will receive an SMS containing configuration data. Your phone may ask whether to allow mobileOTP to receive SMS messages automatically; if so, choose yes. This will launch mobileOTP and bring up the "unlock" dialog.

If your site is using web provisioning, the web page you went to in order to obtain the configuration data will also give you the unlock code; enter it into the dialog box. Otherwise, your system administrator will provide you with the unlock code.

Generating One Time Passwords

First you must make sure you are generating the One-Time Password for the correct profile. The name of the currently selected profile is shown in the title bar of the OTP screen. Here you can see the profile named 'demo' is selected:

To generate a new One-Time Password, use the appropriate button to choose the Generate action:

For the most convenient use of mobileOTP, get everything ready before generating the OTP: navigate to the web site, initiate the VPN connection, or start whatever activity requires the OTP login, and enter your soft PIN into the appropriate field on the login form. Only then generate the OTP on your phone and enter it into the login box. Because the OTP is tied to the current minute, generating it last leaves the most time to type it in before it expires.

Power Users

The OTP is time-based, i.e. its value depends in part on the current time. The OTP time input has a granularity of one minute, which without any other input would limit you to one OTP per minute. You may have used hardware tokens where the displayed OTP changes every minute or so, and once you use an OTP to log in, you must wait for the display to change before you can log in again. This can be frustrating for certain applications.

To allow more than one login per minute, TRI-D adds an event count as an additional input to the OTP algorithm. The event count is the number of times you have generated an OTP "this minute", so each OTP within a minute is different. The maximum number of events per minute is set by your system administrator and can range from 1 to 16. When you have used up the OTPs for "this minute", attempting to generate another brings up a dialog that counts down how long you must wait before the next OTP is available:

Managing Profiles

If there are multiple profiles configured, then when you launch mobileOTP you will be presented with the profile selection screen. If there is only one profile configured, mobileOTP will automatically choose it and go straight to the OTP screen. From the OTP screen, choose the Profiles action to go to the profile selection screen:

Each profile can be managed by first selecting it, then choosing the Menu button (possibly named Options on your phone). This will bring up an "action menu" for that profile:

The most commonly used function will be to switch between different profiles (using the Select action, or by just clicking on the profile name), and even this will be relatively rare since most sites will only assign one profile per user.

The Rename action may be tempting, but we suggest you do not change the name from the one assigned by your system administrator, to avoid confusion if there is a problem.

Admin Manual

This section of the manual is intended for administrators. Users can stop reading here.

System Requirements

mobileOTP uses a time-based algorithm (more precisely, the algorithm itself is agnostic and we supply an input derived from the time). This has some notable advantages over the alternative, an event-based algorithm, but it adds the requirement that the clock on the phone running mobileOTP be in sync with the clock on the OTP authentication server.

Given that time sync is normally a requirement for any organization anyway, this should not present a burden. Phones take their clock from the mobile network or from GPS, both of which are traceable to UTC, so you need only ensure that your OTP authentication server is also synced to a UTC-traceable source. Note that because the OTP time input has one-minute granularity, a phone whose clock has drifted or has been set by hand can produce OTPs for a different minute than the server expects; a user who suddenly cannot authenticate should have the phone's clock checked first.

Instructions for syncing the OTP authentication server to a time source can be found in the manuals for that server's OS, and it is generally an easy task. Information about selecting time sources can be found on support.ntp.org. NTP distributes UTC (GPS-disciplined servers convert GPS time to UTC before serving it), so you do not have to worry about choosing a source with a different timebase.

Note that all TRI-D software, and all time sync protocols, use UTC. Time zones are irrelevant to the syncing of time, and it does not matter (to us) if phones have the wrong time zone configured, move between time zones, or are not properly configured for daylight saving vs. standard time; only the underlying UTC clock has to be right.

Adding New Profiles

This section covers adding new profiles manually. This is only required when using the Community Edition version of our server software. When using the Professional Edition or Enterprise Edition, you will use tpt (TRI-D Provisioning Tool) and optionally sps (Self Provisioning System) to automatically provision users.

To configure a new profile, first generate a random key (and a user PIN, per your site requirements) and configure otpd with them. The key must come from a cryptographically secure random source, not a general-purpose random number function, since anyone who can predict it can generate the user's OTPs. Then, on the user's phone, launch mobileOTP, go to the Profiles screen, bring up the action menu, and choose the New menu item. This will bring up the new profile dialog:

Make sure to enter the same number of events and number of digits that you configured otpd with. If you configure these incorrectly in mobileOTP, nothing "bad" will happen, i.e., you will not compromise the security of your site; however the user will suffer authentication errors in some cases, which will significantly reduce user acceptance of the OTP system.

mobileOTP Demo

The demo version of mobileOTP has the following limitations:

  • The About Box is always shown at startup.
  • It always starts up with a single profile named 'demo' (with a key of all zeroes). Since this key is public, the 'demo' profile must never be accepted by a production otpd.
  • New profiles can be configured manually or automatically, but they are not remembered across restarts.
  • The Details menu item displays the key to the user.