Digipass GO 6 Tokens with OpenOTP

1. How to use Digipass GO6 Tokens with OpenOTP

OpenOTP supports [Digipass GO6 Hardware Tokens](https://www.onespan.com/resources/digipass-go-6/datasheet#tech-specifications).

Supported algorithms

The Digipass GO6 token can work with OATH-HOTP (event-based) and OATH-TOTP (time-based), but its default algorithm is the Digipass event- and time-based algorithm (DES, 3DES and AES). When ordering from OneSpan, do not forget to ask them to produce the tokens with the OATH-HOTP or OATH-TOTP algorithm.

2. Manual registration

If you know the type of your token and the secret seed, you can register an individual token directly to a user with “Manual Registration” in WebADM or Self-Desk. For Manual Token Registration through WebADM GUI, go to WebADM GUI > <USER_ACCOUNT> > MFA Authentication Server > Register/Unregister OTP Tokens > I use another Token (Manual Registration) and provide information regarding your token.

3. Registration through inventory

To register Digipass GO6 Tokens by serial number, you must first import them into the WebADM inventory. For this you need a compatible inventory file. OneSpan normally provides the Digipass GO6 with a PSKC import file, which can be converted to a WebADM-compatible format. The file contains the Token secret keys in encrypted form. The PSKC decryption key is provided by OneSpan in a separate document.

First, convert the PSKC file with the conversion tool located at /opt/webadm/websrvs/openotp/bin/pskc2inv. This tool converts the encrypted PSKC file to a CSV file containing the Token serial numbers and OATH keys. You can find more details on that command [here](http://localhost:1313/howtos/utilities_cmd_tool_openotp/utilsopenotp/#4-pskc2inv).

Then, import the generated inventory file in WebADM under WebADM GUI > Import menu.

Import failure

If the PSKC import fails, ask OneSpan for an import file compliant with PSKC (RFC 6030).

3. Configuration of OpenOTP

3.1 Per-user configuration

If only some accounts are using a Digipass GO 6 token, you can configure the user account with TOKEN TokenType. With Digipass GO 6 tokens, set the TOTP Time Step to 30 seconds (this is the Digipass GO 6 default). The Time Step must match the value the token uses: if it is not set correctly, the token will not work.
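
Why a wrong Time Step breaks authentication, shown as an added example (not RCDevs or OneSpan code): a minimal RFC 6238 verifier in Python, run against the published RFC 4226 test seed. The function names, the one-step acceptance window and the sample timestamp are assumptions made for this illustration and do not describe OpenOTP's internals.

```python
import hashlib
import hmac
import struct

# Constructed sample input: the published RFC 4226 test seed, not a real token secret.
SEED = b"12345678901234567890"

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(key, unix_time // step)

def verify_totp(key, otp, server_time, step, window=1):
    """Return the matching drift in steps, or None if no step in the window matches.

    window=1 (one step either side of the server clock) is an assumption for this example.
    """
    base = server_time // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter >= 0 and hmac.compare_digest(hotp(key, counter), otp):
            return drift
    return None

def demo():
    now = 299  # constructed timestamp, small so counters map onto the RFC 4226 table
    shown = totp(SEED, now, step=30)  # what a token with a 30-second step displays
    return {
        "token_code": shown,
        "server_step_30": verify_totp(SEED, shown, now, step=30),
        # Server configured with 60 s: it derives different counters and rejects the code.
        "server_step_60": verify_totp(SEED, shown, now, step=60),
        # Token clock 30 s behind the server: still accepted, one step back.
        "slow_token": verify_totp(SEED, totp(SEED, now - 30, 30), now, step=30),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The acceptance window absorbs small clock drift but not a wrong step: with a 60-second setting the server computes counters the token never used, so every code is rejected even though the seed is correct.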

3.2 General configuration

If you use only Digipass GO 6 tokens, you can configure the TOTP Time Step at the OpenOTP application level in the Applications/OpenOTP WebADM menu.

HOTP token re-synchronisation

For event-based tokens, it may be necessary to re-synchronise the token through WebADM GUI > <USER_ACCOUNT> > MFA Authentication Server > Resynchronize Tokens.