HMAC-Based OTP Tokens (HOTP)

Starting in PortalGuard version 4.1, the PortalGuard server supports generic HOTP tokens that adhere to RFC 4226. In addition to a static shared key, HOTPs use a counter that increments each time the user generates an OTP. This counter must remain in synchronization between the individual tokens and the authenticating server.

HOTPs are now an additional OTP method that can be used to authenticate a user through any of the various actions that PortalGuard supports (e.g. website login, VPN login, and proof of identity during a forgotten password reset). The following sections list how components within PortalGuard were affected by this additional OTP type.

If the counter on an HOTP token becomes out of sync with the counter value stored on the PortalGuard server, the following methods can be used to bring it back in sync:

>1)Automatically – PortalGuard supports a configurable Login look-ahead window that will pre-compute HOTPs when attempting to validate a user’s submitted value the next time they try to login with it.

>2)Help Desk – There is a new action where a Help Desk employee can manually set the counter value for an HOTP token that has already been enrolled.

>3)End-User Self-Service Resynchronization – After the user has logged into the PortalGuard Account Management page (just request the “root” of the PortalGuard website, i.e. without a path), they can be given the ability to enter two consecutive codes from their HOTP token and PortalGuard will attempt to validate them with a potentially much larger look-ahead window.

NOTE: End-user self-enrollment of HOTP tokens is not currently supported. Only the PortalGuard HelpDesk Console and the Batch Importer can be used to enroll a token for an end-user. See the corresponding sections below for more details on HOTP token enrollment.

PortalGuard Configuration Editor (PG_Config.exe)

PortalGuard’s security policies now have a new “HOTP” sub-tab under the “Auth Methods” tab. Please see the field label help for each control for a description of its effect.

Correspondingly, each action in PortalGuard now has a “HOTP Token” checkbox in the “Accepted OTP Methods” grouping. The HOTP authentication method must be enabled for these individual checkboxes to be available.

Batch Importer (PG_BatchImport.exe)

This can be used to enroll HOTP tokens for multiple users at the same time. The following fields are all required:

  • Username – The user’s login name
  • HOTPLabel – A text description of the token (only shown in the Account Management and/or Administrator Dashboard user lookup)
  • HOTPSeed – The base64-encoded secret on the token. Again, this value must be base64-encoded.
  • HOTPCounter – The current counter value on the token

Here is an example of importing a single record through the Batch Importer. The headers are setup as shown:

Here is the command to import a single entry immediately from a DOS prompt with the values corresponding to the headers shown above:

PG_BatchImport.exe -import "ssouser1,Token description,cWSfZVHWuTVnbw==,3335"

In this example, the fields were set as follows:

  • Username: ssouser1
  • HOTPLabel: Token description
  • HOTPSeed: cWSfZVHWuTVnbw==
  • HOTPCounter: 3335

User Account Management Page

If the user has HOTP token functionality enabled in their security policy, they will see a section titled “HOTP Tokens”. If they have an enrolled token, they will see the details here including the current counter value known to the PortalGuard server.

If you have enabled End-User Counter Resynchronization in the PortalGuard security policy, the user will see a “Re-sync” action URL for the token. If this feature is not enabled, that last column will not be present.

HelpDesk Console

A new “Enroll HOTP Token” option exists where a Help Desk employee can enroll a new HOTP token for a user -OR- change an attribute of a previously enrolled token.

NOTE: For existing tokens, either a seed or counter value must be provided. As in the Batch Importer, the seed value must be base64-encoded.

There is also a new option in the “Clear Specific Fields” drop-down for just removing the enrolled HOTP token(s) from a user’s PortalGuard account:

Administrator Dashboard

Administrative users with access to the PortalGuard Administrator Dashboard can lookup user details and this also includes information about any enrolled HOTP tokens: