

2. Enabling TOTP authentication in the Configuration Settings document

Enable TOTP on Domino® servers through a Configuration Settings document.

Procedure

1. From the Domino Administrator, click the Configuration tab and then expand the Messaging section.

2. Choose Configurations.

3. Click Add Configuration to create a new Configuration Settings document. Or, select an existing one and click Edit Configuration.

4. Click the Security tab.

5. Complete the following fields in the Multi Factor Authentication section.

Time-based one-time passwords (TOTP) for web authentication: Select Enable.

Allow emergency scratch codes: Select Yes (default) to allow users to provide one of ten scratch codes rather than a TOTP token. This option is useful for allowing users to log in if their TOTP application is unavailable, for example, if they lose a device that runs it.

Users are shown the scratch codes right after they set up TOTP successfully. After a scratch code is used, it can't be used again.

Email scratch codes to a user: If you allow emergency scratch codes, select Yes to send an encrypted email containing the scratch codes to a user when they initially set up TOTP or if their configuration is reset and they set it up again. Users can also copy the scratch codes during setup.

Maximum number of secrets: The number of TOTP URIs (accounts) that each user can set up to access a Domino server: 1, 2, or 3 (default). More than one TOTP URI might be useful if the TOTP application runs on multiple devices.

Algorithm: The algorithm used to generate the token. Use the default, HMAC-SHA256, unless you find that there are older TOTP applications in your environment that don't support it.

Note: The ID vault server supports downgrading the HMAC algorithm by one level, for example, from HMAC-SHA256 to HMAC-SHA1. Therefore, we have kept the default algorithm as HMAC-SHA256 to support TOTP clients like Google Authenticator. Authy and Microsoft Authenticator currently support HMAC-SHA1, and they work against a server enabled for either HMAC-SHA1 or HMAC-SHA256.


6. Make sure you have "Check internet password in vault" (preferred) or "Check vault first then directory" configured. For more information, see Authenticating web users against the Notes ID passwords in the ID vault. Verifying the password against the vault avoids potential mismatches between Internet and Notes passwords.
7. Click Save & Close.
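The following is an added worked example, not Domino code, showing what the Algorithm and scratch-code settings above mean on the wire: an RFC 6238 TOTP generator and verifier whose HMAC function is selectable (SHA1 or SHA256), a parser for the otpauth:// URI a TOTP application scans, and a scratch-code store that accepts each code exactly once. The secret, the URI label, and the scratch codes are constructed here; the verification window (one 30-second step either side) and the hashed storage of scratch codes are design choices of this example, not documented Domino behaviour.

```python
"""Illustrative TOTP and scratch-code logic (added example, not Domino's implementation)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Algorithm names as they appear in otpauth:// URIs, mapped to hash constructors.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def totp(key: bytes, algorithm: str = "SHA256", digits: int = 6,
         period: int = 30, at: Optional[float] = None) -> str:
    """RFC 6238: HMAC(key, counter) with dynamic truncation; counter = floor(time / period)."""
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(key: bytes, submitted: str, algorithm: str = "SHA256",
                period: int = 30, at: Optional[float] = None, skew: int = 1) -> bool:
    """Accept the current step and +/- `skew` neighbouring steps (clock drift), constant-time compare.
    A client that computes the code with a different HMAC than the server will fail here."""
    now = time.time() if at is None else at
    for step in range(-skew, skew + 1):
        candidate = totp(key, algorithm, len(submitted), period, now + step * period)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def parse_otpauth(uri: str) -> dict:
    """Extract key/algorithm/digits/period from an otpauth://totp/... URI (what the app scans)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret = q["secret"].upper()
    return {
        "key": base64.b32decode(secret + "=" * (-len(secret) % 8)),   # tolerate unpadded base32
        "algorithm": q.get("algorithm", "SHA1").upper(),   # URI default is SHA1 when absent
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


class ScratchCodes:
    """Ten emergency codes, shown to the user once; each is accepted exactly once.
    Only hashes are kept for checking, so a copy of the store does not reveal the codes."""

    def __init__(self, count: int = 10):
        self.plaintext = [secrets.token_hex(4) for _ in range(count)]   # display once at setup
        self._unused = {hashlib.sha256(c.encode()).hexdigest() for c in self.plaintext}

    def redeem(self, code: str) -> bool:
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self._unused:
            self._unused.remove(digest)      # consumed: never accepted again
            return True
        return False


if __name__ == "__main__":
    key = secrets.token_bytes(20)                                     # constructed secret
    b32 = base64.b32encode(key).decode().rstrip("=")
    uri = f"otpauth://totp/Example:user%40example.test?secret={b32}&algorithm=SHA256&issuer=Example"
    cfg = parse_otpauth(uri)
    print("client-side code :", totp(cfg["key"], cfg["algorithm"], cfg["digits"], cfg["period"]))
    print("server (SHA256) accepts SHA1 code?",
          verify_totp(key, totp(key, "SHA1"), "SHA256"))               # expected: False
    sc = ScratchCodes()
    print("first use:", sc.redeem(sc.plaintext[0]), "second use:", sc.redeem(sc.plaintext[0]))
```

Run with a TOTP app pointed at the printed URI to confirm the SHA256 code matches; the SHA1-versus-SHA256 check is why a server left on HMAC-SHA256 rejects an application that only implements HMAC-SHA1 even when the shared secret is identical.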


Related concepts
Authenticating web users against the Notes ID passwords in the ID vault