Domino Consulting - HCL Domino Administrator 12 Help

SECURING

How users set up TOTP

After you enable time-based one-time password (TOTP) authentication on a Domino server, the next time web users log on to the server, they follow these steps to set up TOTP.

Before you begin

Users should install a TOTP application such as Google Authenticator, Authy, or Duo Mobile on their mobile devices or computers.
Users Notes ID files must be uploaded to the ID vault.

Procedure

1. Log on to a Domino web server enabled for TOTP.

2. Enter your usual web user name and password.

3. Since you haven't yet set up an account for TOTP, the MFA Setup screen is shown. For Step 1, enter a name for your TOTP account (for example iPhone) and click OK. MFA Setup screen showing Step 1 of setup

Note:

The account name should consist of from 2 to 23 alphanumeric characters.

4. Complete the following steps in the next MFA Setup screen:

For

Step 2

, use one of the following options to configure your TOTP application:

If using a desktop web browser:
- Scan the shown QR code with your application.
- If required by your application, enter all or part of the shown TOTP URI on the application. ClickCopy to copy the URI to the clipboard. Which parts of the URI you must enter depends on the application you use. For a good description of each part of the URI, see the page https://github.com/google/google-authenticator/wiki/Key-Uri-Format in the google-authenticator wiki on github.com.
If using an HCL Verse Mobile client:
- Tap the launch icon in the TOTP UI box to launch the TOTP URI to the operating system to display a list of authentication applications available on your mobile device that can be used to setup your MFA account. If no authentication applications are installed you must install at least one before proceeding.

For

Step 3

, in the

MFA Token

field, enter a token that your application generates and then click

Validate

5. In the next MFA Setup screen:

For

Step 4

, copy the scratch tokens that are shown to a secure location. These are available for you to use as tokens in the future if your device becomes unavailable to generate them. Each scratch token can be used just once. Note that your administrator may have the tokens sent to you by email, too.

b. Select I have copied the codes to a secure location.

c. Click DONE to return to the login screen. MFA Setup screen showing Step 4 of setup

6. To compete setup, enter your name, password, and a token generated from your application. Then click Login. Final login screen to complete MFA setup.

Note:

Before clicking Login, optionally click

Set up Multi Factor Authentication

to set up another device for TOTP. You can also do this later.

Results

After a user successfully sets up TOTP, an administrator can see the TOTP URI in their vault ID document:

1. From the Domino® Administrator, open the ID vault, located in the \IBM_ID_VAULT directory in the data directory on the server.

2. Open the user's ID document.

How users can manage their TOTP configuration

Web users can add and remove TOTP device configurations and reset lost scratch codes.

Parent topic: Time-based one-time password (TOTP) authentication

Help on Help

All Help Contents

Help on Help

All Help Contents