Documents in Authentication Token

FIDO2 and Passkeys authentication with OpenOTP

1. Overview

OpenOTP supports the FIDO2 standard from the FIDO Alliance for user authentication, as well as Passkeys provided by Google or Apple. If you intend to use OpenOTP with FIDO2 or Passkeys, please read this document, which explains how to enable and use it with your integrations.

1.1 FIDO2

FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

OpenOTP Token Mobile Application

1. Background

OpenOTP Token is a mobile authentication solution available on iPhone and Android systems that provides secure access for websites, VPNs, Citrix, Cloud Apps, Windows, Linux, SAML, OpenID, Wi-Fi and much more. With OpenOTP Authentication Server, it provides the most advanced user authentication system supporting simple registration with QR code scan, Software Token based on OATH standards and Approve/Deny login with push notifications.

Minimal OS versions

iOS: 10.0 and later
Android: 6.

Feitian ePass NFC

SSH Authentication with a Feitian ePass NFC/FIDO/U2F Security Key

The Feitian ePass NFC FIDO U2F Security Key can work as a Generic Identity Device Specification (GIDS) smart card. These instructions can also be applied to many other manufacturers and card models, but the specific tools to initialize the card can be different. In this how-to, we will prepare a USB/NFC hardware key for SSH authentication and register the device in WebADM.

Digipass GO 6 Tokens with OpenOTP

1. How to use Digipass GO6 Tokens with OpenOTP

OpenOTP supports [Digipass GO6 Hardware Tokens](https://www.onespan.com/resources/digipass-go-6/datasheet#tech-specifications).

Supported algorithms

Digipass GO6 tokens can work with OATH-HOTP (event-based) and OATH-TOTP (time-based), but the default algorithm is Digipass event and time-based (DES, 3DES and AES). When ordering from OneSpan, do not forget to ask them to produce the token with OATH-HOTP or OATH-TOTP algorithms.

2. Manual registration

If you know the type of your token and the secret seed, you can register an individual token directly to a user with “Manual Registration” in WebADM or Self-Desk.

Feitian C100 - C200 Tokens with OpenOTP

1. Description of Feitian c100/c200 Tokens

OpenOTP supports the Feitian c100 and c200 Token series. Feitian c100 tokens are OATH-HOTP (event-based) and c200 tokens are OATH-TOTP (time-based). The Tokens are provided with a PSKC import file by Feitian. The file includes the Token secret key in an encrypted or cleartext format. If it is encrypted, the PSKC decryption key should have been provided to you by Feitian.

2. Register a Feitian token

To register a Token with a PSKC file, edit a user account in WebADM and go to the MFA Authentication Server application action.

Nitrokey - PIV

Authentication with a Nitrokey / PIV

In this How-To we will configure a user in WebADM for using a PIV key. We need a WebADM server already configured.

1. Import the Inventory

We need to create an inventory file like this:

"Type","Reference","Description","DN","Data","Status"
"PIV Device","<ID1>","PIV Nitrokey","","PublicKey=<pub_key1>","Valid"
"PIV Device","<ID2>","PIV Nitrokey","","PublicKey=<pub_key2>","Valid"
"PIV Device","<ID3>","PIV Nitrokey","","PublicKey=<pub_key3>","Valid"

For my test, I have a Nitrokey Start with a PIV certificate and I use gpg2 --card-edit for the management of the Nitrokey.

Smart Card - PIV

Authentication with a Yubikey Smart Card / PIV

In this How-To we will configure a user in WebADM for using a PIV key. We need a WebADM server already configured.

1. Import the Inventory

We need to create an inventory file like this:

"Type","Reference","Description","DN","Data","Status"
"PIV Device","<ID1>","PIV Yubikey","","PublicKey=<pub_key1>","Valid"
"PIV Device","<ID2>","PIV Yubikey","","PublicKey=<pub_key2>","Valid"
"PIV Device","<ID3>","PIV Yubikey","","PublicKey=<pub_key3>","Valid"

For my test, I have a Yubikey Nano with a PIV certificate and I use yubico-piv-tool for the management of the Yubikey, but it can work with other PIV keys.

Mobile Badging

1. Overview

This document demonstrates how to set up and use the mobile badging feature of OpenOTP. To enable that feature in your WebADM infrastructure, you must meet the following requirements:

- Push mechanisms configured with your WebADM infrastructure,
- Minimal version of WebADM is 2.1.16,
- Minimal version of OpenOTP is 2.1.6,
- Minimal version of OpenOTP Token application is 1.5.16,
- Mobile Badging and Remote Reporting option included in your freeware, enterprise or trial license.

Token Registration

1. Overview

In this how-to, we will demonstrate the possible ways to enroll a hardware token or a software token on your mobile. For software token registration, you must have a token application installed on your phone, such as OpenOTP Token or Google Authenticator. OpenOTP Token is the recommended one to enjoy all features offered by the OpenOTP server (like push login, phishing protection…).

2. Admin Enrollment through the WebADM Admin GUI

A token enrollment can be done by a super_admin or other_admin user through the WebADM admin GUI.

Seeds file conversion

1. Overview

In this how-to, we will demonstrate the possible ways to convert token seed files from different formats into WebADM inventory format, allowing you to use third-party hardware tokens with RCDevs security solutions. We will also demonstrate how to re-use software tokens already registered on end-users' devices with RCDevs solutions.

2. Seeds Files Format supported by WebADM

2.1 Un-encrypted Inventory

This is the format of an unencrypted RCDevs inventory file which can be imported in WebADM without any conversion: