Digipass GO 6 Tokens with OpenOTP
1. How To use Digipass GO6 Tokens with OpenOTP
OpenOTP supports [Digipass GO6 Hardware Tokens] (https://www.onespan.com/resources/digipass-go-6/datasheet#tech-specifications).
Digipass GO6 token can work with OATH-HOTP (event-based) and OATH-TOTP (time-based), but the default algorithm is Digipass event and time-based (DES, 3DES and AES). When ordering to OneSpan, do not forget to ask them to produce the token with OATH-HOTP or OATH-TOTP algorithms.
2. Manual registration
If you know the type of your token and the secret seed, you can register an individual token directly to a user with “Manual Registration” in WebADM or Self-Desk.
For Manual Token Registration through WebADM GUI, go to
WebADM GUI >
MFA Authentication Server >
Register/Unregister OTP Tokens >
I use another Token (Manual Registration) and provide information regarding your token.
3. Registration through inventory
To register a Digipass GO6 Token with a serial number, you must import them into the WebADM inventory. For this you need a compatible inventory file. The Digipass GO6 is normally provided with a PSKC import file by OneSpan, which can be converted to WebADM compatible format. The file includes the Token secret key in an encrypted format. The decryption PSKC key is provided by OneSpan in a separated document.
First, convert the PSKC file with the conversion tool in
/opt/webadm/websrvs/openotp/bin/pskc2inv. This tool will convert the encrypted PSKC file to a CSV file containing the Token serial numbers and OATH keys. You can find more details on that command [here] (http://localhost:1313/howtos/utilities_cmd_tool_openotp/utilsopenotp/#4-pskc2inv).
Then, import the generated inventory file in WebADM under
WebADM GUI >
If the PSKC import fails, please ask OneSpan for an import file compliant with PSKC RFC-6030.
3. Configuration of OpenOTP
3.1 Per-user configuration
If only some accounts are using a Digipass GO 6 token, you can configure the user account with TOKEN TokenType. With Digipass GO 6 tokens, set the TOTP Time Step to 30 seconds (this is the Digipass GO 6 default). The Time Step is very important and Token will not work if not correctly set.
3.2 General configuration
If you use only Digipass GO 6 tokens, you can configure the TOTP Time Step at the OpenOTP application level in the Applications/OpenOTP WebADM menu.
HOTP token re-synchronisation
In case of event based tokens, it might be required to re-synchronise the token through
WebADM GUI > <USER_ACCOUNT> > MFA Authentication Server > Resynchronize Tokens.