Two-Factor Authentication via TOTP Token

Prerequisite: Installation of Authenticator App on your Mobile Device

The TOTP token requires the installation of an authenticator app on your mobile device (e.g. smartphone, tablet).

There are numerous authenticator apps or OTP clients for Linux/Windows/macOS/iOS available. You can use the authenticator app of your choice. However, we have received several problem reports concerning both the Microsoft Authenticator and the Google Authenticator app. As the SIM-MFA web portal is also provided by privacyIDEA, we strongly recommend using the latest version of the privacyIDEA Authenticator. Please be aware that we do not provide support for app-specific problems of other apps!

Instructions to Rollout the TOTP token

Please note!

In the following, we describe the rollout procedure using the privacyIDEA app!


  1. Open menu entry "Enroll Token" of the SIM-MFA web portal (Fig. 1).

  2. Select token type "TOTP: Time based One Time Password." ("TOTP: Zeitbasiertes Einmalpasswort.") from the drop-down menu in the SIM-MFA web portal (Fig. 1).

  3. TOTP settings

    • "Generate OTP Key on the Server": The check mark is set by default. No need to change that.
    • "Use two-step enrollment with the privacyIDEA Authenticator App": The check mark is not set by default. No need to change that.
    • "OTP length": the authenticator app will generate passwords of this length
      • default: 6
      • recommendation: 8
    • "Timestep": The length of time for which a generated OTP is valid.
      • default and recommendation: 30 seconds
    • "Hash algorithm":
      • default and recommendation: sha1
    • "Description": optional (may be useful to identify a token in the list of tokens, see menu entry "All Tokens")
  4. Roll out the new token via button "Enroll Token" ("Token ausrollen") (Fig. 1).

  5. The SIM-MFA portal has successfully rolled out the token, shows its serial number TOTP######## and has created the QR code containing a secret key (Fig. 2).

  6. Open the privacyIDEA Authenticator app on your mobile device.

  7. Tap the big blue icon ("+" icon in older versions) to add a new token. The app activates the camera.

  8. Scan the QR code of the new token. Please do not scan the QR codes from Fig. 1!

  9. The app will save the token on the mobile device. The token will be available immediately!

    Almost done!

    Now, the app continuously generates new OTPs.

  10. Select the newly generated token (via the link "TOTP...", or from the menu "All tokens"). At the bottom of the page, type in the one-time password generated by your authenticator app, and hit "Test token" (Fig. 3).

  11. If the token test is not successful, hit the orange button "Unassign Token", and restart with step 1.

    Please note:

    Do not leave unusable tokens in your account! 
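As an added illustration (not part of the portal documentation or of the privacyIDEA code), the following Python shows what the settings in step 3 mean and what the "Test token" step checks: the code is an HMAC over the current 30-second time step, keyed with the secret from the QR code, truncated to the configured OTP length. The secret used here is the RFC 6238 test secret, not a real token, and the one-step tolerance window is an assumption about the verifier, not a documented portal setting.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret ("12345678901234567890" in base32), used only for this demo.
# A real token's secret is generated by the server and only ever transported via the QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # "OTP length" = number of digits kept


def totp(secret_b32: str, timestamp: int, digits: int = 6, timestep: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / timestep)."""
    return hotp(secret_b32, timestamp // timestep, digits, algorithm)


def verify_totp(secret_b32: str, candidate: str, timestamp: int, digits: int = 6,
                timestep: int = 30, algorithm: str = "sha1", window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring steps
    (tolerates small clock drift between phone and server); constant-time comparison."""
    counter = timestamp // timestep
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, counter + delta, digits, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    # The same secret and time step yield different codes for OTP length 6 vs 8.
    print("6 digits:", totp(DEMO_SECRET_B32, now, digits=6))
    print("8 digits:", totp(DEMO_SECRET_B32, now, digits=8))
```

Because the code depends only on the shared secret and the clock, anyone holding a copy of the QR code can produce valid codes; this is why the note below says to use each QR code only once and never store it.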

Figure 1: Steps 1 - 4 of TOTP-token rollout

Figure 2: TOTP token rollout successful and corresponding QR code

Figure 3: TOTP token after rollout

NOTE

Use QR codes only once! If the procedure fails or you lose the QR code, generate a new one. Never save the code on your local computer or the HPC system.

Manage Tokens

Two-Factor Authentication: Token Management in SIM-MFA web portal