winOTP Documentation

winOTP 1.0.0

User Manual

This section of the manual is intended for users.

Installation/Removal

winOTP uses the same install and removal procedure as typical Windows software. To install, double-click the setup.exe file (provided to you by your system administrator). To remove it, use the Add or Remove Programs Control Panel.

When installed correctly, it will automatically be launched whenever you login to your desktop. If for some reason it is not launched, or if you quit the application and wish to restart it, you can execute it directly. The default install location is C:\Program Files\TRI-D Systems\winOTP\winOTP.exe.

If winOTP is not launching automatically when you login, create a shortcut to the application and place it in C:\Documents and Settings\%USER%\Start Menu\Programs\Startup (where %USER% is your username).

In most cases, your system administrator will have already installed winOTP for you.

When running, the I-D icon will be present in the system tray.

Configuration

winOTP uses "profiles" to distinguish between multiple configurations. Up to 16 profiles are supported. This allows you to use up to 16 user accounts, roles, or other unique authentication entities. Profiles can represent unique identities at a single site/organization, or the same identity across multiple sites, or any combination. Typically you will only have a single profile configured, representing your single identity at your local company or organization.

The method to obtain a profile configuration for winOTP is site-specific. If winOTP is pre-installed on your desktop, it may also have been pre-configured by your system administrator or IT department. If not, contact them for further instructions.

Once you have gone through the local procedure to obtain configuration information, you will receive an email containing a configuration file. Your email reader will generally allow you to open that file with winOTP directly. If not, save it to disk and double-click to launch winOTP. winOTP will then automatically import the configuration settings and present you with the "unlock" dialog.

If your site is using web provisioning, the web page you went to in order to obtain the configuration file will also give you the unlock code; cut and paste it into the dialog box. Otherwise, your system administrator will provide you with the unlock code.

Generating One Time Passwords

First you must make sure you are generating the One-Time Password for the correct profile. You can mouse over the I-D icon to bring up the tooltip (balloon text), which indicates the currently selected profile:

You can also right-click on the I-D icon and navigate to the Profiles menu; the currently selected profile will have a checkmark next to it:

To generate a new One-Time Password, simply right-click on the I-D icon and the OTP will be shown as the bottom-most menu item:

Simply click on it to copy it to the clipboard. You can then paste it (CTRL-V) into a login box or wherever OTP use is required. Note that you must ALSO enter your "soft PIN" into the OTP login box if your site requires it (most do).

For the most convenient use of winOTP, we suggest getting everything ready before generating the OTP: navigate to the web site, or initiate the VPN connection, or perform whatever activity requires the OTP login. Enter your soft PIN into the appropriate field on the login form. Finally, click on the OTP and paste it into the login box. This assumes your site is using prepended PINs. Your site may instead be configured to use appended PINs (ask your system administrator); in that case you would either enter the soft PIN after pasting the OTP into the login box, or, if you enter the PIN first, position the cursor appropriately in the login box so that the OTP goes first.

Power Users

The OTP is time-based, i.e. the value depends [in part] on the current time. The OTP time input has a granularity of one minute, which without any other input would limit you to one OTP per minute. You may have used hardware tokens where the OTP displayed changes every minute or so, and once you use an OTP to login, you must wait for the display to change before you can login again. This can be frustrating for certain applications.

To facilitate more than one login per minute, TRI-D has added an event count as an additional input into the OTP algorithm. The event count is the number of times you've generated an OTP "this minute". The maximum event count is set by your system administrator, and can range from 1 to 16. When you run out of OTPs for "this minute", pulling up the OTP menu will indicate how long you must wait before the next OTP is available:
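The following is an added example, not TRI-D's code: the page does not describe the actual OTP algorithm, so the HMAC inside is an illustrative stand-in. It models the minute window plus event-count input described above, including the wait time reported once the minute's events are used up, and a matching server-side check that must try every event index of the current minute (and, assuming a one-minute tolerance, the neighbouring minutes, which is why client and server clocks must stay in sync).

```python
import hmac
import hashlib
import struct


def otp_value(key: bytes, minute: int, event: int, digits: int = 6) -> str:
    """Stand-in OTP function (assumption): HMAC-SHA1 over (minute, event).
    Both inputs are what the page describes; the function itself is not TRI-D's."""
    msg = struct.pack(">QB", minute, event)
    d = hmac.new(key, msg, hashlib.sha1).digest()
    n = int.from_bytes(d[:4], "big") & 0x7FFFFFFF
    return str(n % (10 ** digits)).zfill(digits)


class MinuteEventOtp:
    """Client side: up to max_events OTPs per one-minute window (1..16)."""

    def __init__(self, key: bytes, max_events: int = 4, digits: int = 6):
        if not 1 <= max_events <= 16:
            raise ValueError("event count must be between 1 and 16")
        self.key, self.max_events, self.digits = key, max_events, digits
        self._minute = None  # minute window of the last generated OTP
        self._events = 0     # OTPs already generated in that window

    def generate(self, now: float):
        """Return (otp, 0.0), or (None, seconds_to_wait) if the window is used up."""
        minute = int(now) // 60
        if minute != self._minute:          # new minute: event count resets
            self._minute, self._events = minute, 0
        if self._events >= self.max_events:
            return None, (minute + 1) * 60 - now
        self._events += 1
        return otp_value(self.key, minute, self._events, self.digits), 0.0


def server_accepts(key: bytes, candidate: str, now: float, max_events: int = 4,
                   digits: int = 6, skew_minutes: int = 1) -> bool:
    """Server side: accept if the candidate matches any event index in the
    current minute or within +/- skew_minutes (assumed drift tolerance)."""
    minute = int(now) // 60
    for m in range(minute - skew_minutes, minute + skew_minutes + 1):
        for ev in range(1, max_events + 1):
            if hmac.compare_digest(candidate, otp_value(key, m, ev, digits)):
                return True
    return False
```

A client whose clock is more than skew_minutes ahead of or behind the server's produces OTPs the check above never tries, which is the failure mode the clock-sync requirement in the admin section exists to prevent.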

Managing Profiles

Each profile can be managed by bringing up the OTP menu, then selecting Profiles, then selecting the profile in question. This will bring up an "action menu" for that profile:

The most commonly used function will be to switch between different profiles (using the Select action), and even this will be relatively rare since most sites will only assign one profile per user.

The Rename action may be tempting, but we suggest you do not change the name from the one assigned by your system administrator, to avoid confusion if there is a problem.

Admin Manual

This section of the manual is intended for administrators. Users can stop reading here.

System Requirements

winOTP uses a time-based algorithm (more precisely, the algorithm itself is agnostic and we supply an input derived from the time). This has some notable advantages over the alternative, an event-based algorithm, but it adds the requirement that the clock on the machine winOTP runs on be in sync with the clock of the OTP authentication server.

Given that time sync is normally a requirement anyway for any organization, this shouldn't present any burden. Windows domain clients automatically sync time to the domain controller; however, there is no automatic guarantee that the domain controller is in sync with any other computer, including the OTP authentication server. To guarantee this, the domain controller and the OTP authentication server must sync to the same authoritative time source.

Instructions for syncing the OTP authentication server to a time source can be found in the manuals for that server's OS. Instructions for syncing the Windows domain controller to a time source can be found at Microsoft's support site (Windows XP, Windows Server 2003, Windows 2000).

Make sure that you sync the domain controllers and the OTP authentication server (and all servers in your network) to the same time sources. Information about selecting time sources can be found on support.ntp.org.

Windows clients that are part of a workgroup, or standalone machines, do not automatically sync time. Contact us if you need assistance configuring these types of clients.

Note that all TRI-D software, and all time sync protocols, use UTC time. Time zones are irrelevant to the syncing of time, and it does not matter (to us) if any machines have the wrong time zone configured, or aren't properly configured for daylight saving vs. standard time.

Adding New Profiles

This section covers adding new profiles manually, using the winOTP Profiles->New menu. This is only required when using the Community Edition version of our server software. When using the Professional Edition or Enterprise Edition, you will use tpt (TRI-D Provisioning Tool) and optionally sps (Self Provisioning System) to automatically provision users.

To configure a new profile, first generate a random key (and user pin per your site requirements) and configure otpd with them. Then, on the user's machine, choose the Profiles->New menu item in winOTP to bring up the new profile dialog:

Make sure to enter the same choices for number of events and number of digits that you configured otpd with. If you configure these incorrectly in winOTP, nothing "bad" will happen, i.e., you will not compromise the security of your site; however, the user will suffer authentication errors in some cases, which will significantly reduce user acceptance of the OTP system.

winOTP Demo

The demo version of winOTP has the following limitations:

  • The About Box is always shown at startup.
  • It always starts up with a single profile named 'demo' (key of all zeroes).
  • New profiles can be manually or automatically configured, however they are not remembered across restarts.
  • The OTP is not copied to the clipboard when selected.
  • The Details menu item displays the key to the user.