2. Enabling TOTP authentication in the Configuration Settings document - Need a Domino Consultant? Call NotesMail +1 212-599-2048- HCLSoftware Business Partner

SECURING

2. Enabling TOTP authentication in the Configuration Settings document
Enable TOTP on Domino® servers through a Configuration Settings document.

Procedure

1. From the Domino Administrator, click theConfiguration tab and then expand the Messagingsection.

2. Choose Configurations.

3. Click Add Configuration to create a new Configuration Settings document. Or, select an existing one and click Edit Configuration.

4. Click the Security tab.

5. Complete the following fields in the Multi Factor Authenticationsection.

Option Description

Field Description

Time-based one-time passwords (TOTP) for web authentication Select Enable.

Allow emergency scratch codes Select Yes (default) to allow users to provide one of ten scratch codes rather than a TOTP token. This option is useful for allowing users to log in if their TOTP application is unavailable, for example, if they lose a device that runs it.
Users are shown the scratch codes right after they set up TOTP successfully. After a scratch code is used, it can't be used again.

Email scratch codes to a user If you allow emergency scratch codes, selectYes to send an encrypted email containing the scratch codes to a user when they initially set up TOTP or if their configuration is reset and they set it up again. Users also copy the scratch codes right during setup.

Maximum number of secrets The number of TOTP URIs (accounts) that each user can set up to access a Domino server: 1, 2, or 3 (default). More than one TOTP URI might be useful if the TOTP application runs on multiple devices.

Algorithm The algorithm used to generate the token. Use the default,HMAC-SHA256, unless you find that there are older TOTP applications in your environment that don't support it.
Note: The ID vault server supports downgrading the HMAC algorithm by one level, for example, from HMAC-SHA256 to HMAC-SHA1. Therefore, we have kept the default algorithm as HMAC-SHA256 to support TOTP clients like Google Authenticator. Authy and Microsoft Authenticator support HMAC-SHA1 currently and they work against the server enabled for either HMAC-SHA1 or HMAC-SHA256.

6. Make sure, you have "Check internet password in vault" (prefered) or "Check vault first then directory" configured. For more information, seeAuthenticating web users against the Notes ID passwords in the ID vault. Verifying the password against the vault skips potential mismatches of Internet/Notes passwords.

Note:

"Check vault first then directory" allows unvaulted users to authenticate.

7. Click Save & Close.

Parent topic: Configuring TOTP authentication
Previous topic: 1. Issuing a Multi-Factor Authentication Certificate
Next topic: 3. Enabling TOTP authentication on servers

Help on Help

All Help Contents

Help on Help

All Help Contents

Option	Description
Field	Description
Time-based one-time passwords (TOTP) for web authentication	Select Enable.
Allow emergency scratch codes	Select Yes (default) to allow users to provide one of ten scratch codes rather than a TOTP token. This option is useful for allowing users to log in if their TOTP application is unavailable, for example, if they lose a device that runs it. Users are shown the scratch codes right after they set up TOTP successfully. After a scratch code is used, it can't be used again.
Email scratch codes to a user	If you allow emergency scratch codes, selectYes to send an encrypted email containing the scratch codes to a user when they initially set up TOTP or if their configuration is reset and they set it up again. Users also copy the scratch codes right during setup.
Maximum number of secrets	The number of TOTP URIs (accounts) that each user can set up to access a Domino server: 1, 2, or 3 (default). More than one TOTP URI might be useful if the TOTP application runs on multiple devices.
Algorithm	The algorithm used to generate the token. Use the default,HMAC-SHA256, unless you find that there are older TOTP applications in your environment that don't support it. Note: The ID vault server supports downgrading the HMAC algorithm by one level, for example, from HMAC-SHA256 to HMAC-SHA1. Therefore, we have kept the default algorithm as HMAC-SHA256 to support TOTP clients like Google Authenticator. Authy and Microsoft Authenticator support HMAC-SHA1 currently and they work against the server enabled for either HMAC-SHA1 or HMAC-SHA256.