How To Configure OATH Mobile
Contents
Overview
OATH authentication allows a mobile device to be prompted a new OTC every 60 seconds without requiring the connection to AuthControl Sentry. Optionally, this can be changed to every 30 seconds for compatibility with Google and Microsoft Authenticators. See below for more details.
Prerequisites
Swivel AuthControl Sentry v4 onwards
Swivel Mobile Phone Client Version v4 for One Touch Mobile client based solution.
Swivel Server Details SSD for mobile client with OATH enabled.
Swivel core configuration
In order for a user to be able to use the mobile app as a OATH token they must be allocated the right to use the OATH mode of operation. This is done by ensuring that they are a member of a group that has this right.
Mobile client users must install the Swivel Mobile Phone Client from the app store.
Configuring OATH policy settings
On the Swivel Administration console select Policy -> Mobile App and ensure the below settings are configured:
Set Mobile App OATH Mode to Yes
Other relevant options on this page are:
- Use 30 second timestep for OATH - if this is enabled, OATH codes are compatible with Google and Microsoft Authenticators. AuthControl Mobile Authenticator also supports this.
- Issuer for OATH token label - this only applies to 30-second OATH mode, and sets part of the label for authenticator display
Note that OATH mode (60 second timestep) is compatible with Push authentication provided that local mode is not also enabled.
Notes for 30 Second Mode
Note that if 30 second mode is enabled, provisioning can only be done using the QR code, in AuthControl Mobile Authenticator, Google Authenticator, Microsoft Authenticator or any other compatible authenticator app.
Please note that for 30 second mode, the URL placeholder needs to be url5, rather than url4. See the article on provisioning mobile apps for more details.
As 30-second timestep does not send any information back to Sentry, it is not compatible with Push authentication.
You can have both 30- and 60- second timestep tokens. Changing the setting only affects new tokens created after the change and does not change or invalidate tokens created before the change.
Define a group of Mobile OATH users
On the Swivel Administration console, select a group of users that will be using Mobile OATH authentication and ensure that the OATH box is ticked then click Apply.
OATH Mobile Users
Testing
For testing OATH you can click App provision button on the user admin screen for the user that has been configured as a mobile OATH user and then provision the device with the URL or QR Code as explained:
Provision the device via URL. Please read more on Provision URL page.
Provision the device via QR code. Please read more on QR Code page.
Troubleshooting
Security code is showing instead of OATH Token
Please ensure that the SSD server for that Site ID has been configured as OATH and local mode is set to false. After changing the setting in SSD server, the users must me re-provisioned.
Check the Swivel logs for error messages
Error Messages:
CANNOT_CREATE_TOKEN for the <username> user does not belong to the OATH Group
This error can be seen where the button App Provision is clicked on the User Admin Console and the user does not have OATH permission. To solve that you need to add the OATH right to the group the user is member of.
OATH token does not allow the authentication.
When you click Provision App ensure that a token for that user has been created. For that you can go to the OATH/OATH Tokens screen and check that a new token has been created for that user.
If the token has not been created, ensure that the policy Mobile App OATH Mode is set to Yes.