One-Time Password Authentication

CA Strong Authentication Web Services Guide › Authenticating Users › One-Time Password Authentication

One-Time Password Authentication

One-Time Password (OTP) is a numeric or an alpha-numeric string that is generated by AuthMinder Server. AuthMinder supports OTPs that can be reused pre-configured number of times. You can specify this setting by using Administration Console. The OTP lifetime depends on the duration for which it is valid and number of times it can be used.

The following topics for performing OTP authentication are covered in this section:

Preparing the Request Message
Invoking the Web Service
Interpreting the Response Message

Preparing the Request Message

The VerifyOTPRequestMessage is used to verify the OTP provided by the users. The following table lists the elements of this message.

Element	Mandatory	Description
clientTxnId	No	Specifies the unique transaction identifier that the calling application can include. This identifier helps in tracking the related transactions.
userName	Yes	The unique identifier of the user.
orgName	No	The organization name to which the user belongs to.
otp	Yes	The OTP provided by the user.
tokenType	No	The type of authentication token that is expected from AuthMinder Server after successful authentication. See "Verifying the Authentication Tokens" for more information.
additionalInput/pairs	No	AuthMinder’s additionalInput element enables you to set additional inputs if you want to augment AuthMinder’s authentication capability by specifying additional information. In such cases, you need to set the extra information in name-value pairs. name (The name with which you want to create the key pair.) value (The corresponding value for name.) Note: You can add more than one of these elements. Some of the pre-defined additional input parameters include: AR_WF_LOCALE_ID Specifies the locale that AuthMinder will use while returning the messages back to your calling application. AR_WF_CALLER_ID This is useful in tracking transactions. You can use session ID or client transaction ID (clientTxnId) for specifying this information.

Invoking the Web Service

To perform OTP authentication:

Implement the logic to collect the OTP from the user.
(Optional) Include the authentication and authorization details in the SOAP header or in the additionalInput element of the VerifyOTP operation. See chapter, "Managing Web Services Security" for more information on these details.
(Optional) If you are implementing a plug-in, then invoke the additionalInput element type to fill the additional input.
Use VerifyOTPRequestMessage and construct the input message.
Invoke the VerifyOTP operation of the ArcotWebFortAuthSvc service to verify the OTP of the user. Optionally, you can also specify the token type that must be returned to the user after successful authentication by using the tokenType element.
This operation returns VerifyOTPResponseMessage, which provides the transaction details, credential details, and token information.

Interpreting the Response Message

For successful transactions, the response message, VerifyOTPResponseMessage returns the elements explained in Verify Signed Challenge Response Message in Step 2: ArcotID PKI Authentication. These elements are included in the SOAP body. If there are any errors, then the Fault response is included in the SOAP body. See appendix, "Error Codes" for more information on the SOAP error messages.