Digipass GO 6 Tokens with OpenOTP
Token

Download PDF

1. How To use Digipass GO6 Tokens with OpenOTP

OpenOTP supports [Digipass GO6 Hardware Tokens] (https://www.onespan.com/resources/digipass-go-6/datasheet#tech-specifications).

Supported algorithms

Digipass GO6 token can work with OATH-HOTP (event-based) and OATH-TOTP (time-based), but the default algorithm is Digipass event and time-based (DES, 3DES and AES). When ordering to OneSpan, do not forget to ask them to produce the token with OATH-HOTP or OATH-TOTP algorithms.

2. Manual registration

If you know the type of your token and the secret seed, you can register an individual token directly to a user with “Manual Registration” in WebADM or Self-Desk. For Manual Token Registration through WebADM GUI, go to WebADM GUI > <USER_ACCOUNT> > MFA Authentication Server > Register/Unregister OTP Tokens > I use another Token (Manual Registration) and provide information regarding your token.

3. Registration through inventory

To register a Digipass GO6 Token with a serial number, you must import them into the WebADM inventory. For this you need a compatible inventory file. The Digipass GO6 is normally provided with a PSKC import file by OneSpan, which can be converted to WebADM compatible format. The file includes the Token secret key in an encrypted format. The decryption PSKC key is provided by OneSpan in a separated document.

First, convert the PSKC file with the conversion tool in /opt/webadm/websrvs/openotp/bin/pskc2inv. This tool will convert the encrypted PSKC file to a CSV file containing the Token serial numbers and OATH keys. You can find more details on that command [here] (http://localhost:1313/howtos/utilities_cmd_tool_openotp/utilsopenotp/#4-pskc2inv).

Then, import the generated inventory file in WebADM under WebADM GUI > Import menu:

Import failure

If the PSKC import fails, please ask OneSpan for an import file compliant with PSKC RFC-6030.

3. Configuration of OpenOTP

3.1 Per-user configuration

If only some accounts are using a Digipass GO 6 token, you can configure the user account with TOKEN TokenType. With Digipass GO 6 tokens, set the TOTP Time Step to 30 seconds (this is the Digipass GO 6 default). The Time Step is very important and Token will not work if not correctly set.

3.2 General configuration

If you use only Digipass GO 6 tokens, you can configure the TOTP Time Step at the OpenOTP application level in the Applications/OpenOTP WebADM menu.

HOTP token re-synchronisation

In case of event based tokens, it might be required to re-synchronise the token through WebADM GUI > <USER_ACCOUNT> > MFA Authentication Server > Resynchronize Tokens.

This manual was prepared with great care. However, RCDevs Security S.A. and the author cannot assume any legal or other liability for possible errors and their consequences. No responsibility is taken for the details contained in this manual. Subject to alternation without notice. RCDevs Security S.A. does not enter into any responsibility in this respect. The hardware and software described in this manual is provided on the basis of a license agreement. This manual is protected by copyright law. RCDevs Security S.A. reserves all rights, especially for translation into foreign languages. No part of this manual may be reproduced in any way (photocopies, microfilm or other methods) or transformed into machine-readable language without the prior written permission of RCDevs Security S.A. The latter especially applies for data processing systems. RCDevs Security S.A. also reserves all communication rights (lectures, radio and television). The hardware and software names mentioned in this manual are most often the registered trademarks of the respective manufacturers and as such are subject to the statutory regulations. Product and brand names are the property of RCDevs Security. © 2024 RCDevs Security S.A., All Rights Reserved