How users set up TOTP

After you enable time-based one-time password (TOTP) authentication on a Domino server, the next time web users log on to the server, they follow these steps to set up TOTP.

Before you begin

  • Users should install a TOTP application such as Google Authenticator, Authy, or Duo Mobile on their mobile devices or computers.
  • Users' Notes ID files must be uploaded to the ID vault.

Procedure

  1. Log on to a Domino web server enabled for TOTP.
  2. Enter your usual web user name and password.
  3. Since you haven't yet set up an account for TOTP, the MFA Setup screen is shown. For Step 1, enter a name for your TOTP account (for example, iPhone) and click OK.
    MFA Setup screen showing Step 1 of setup
    Note: The account name should be 2 to 23 alphanumeric characters long.
  4. Complete the following steps in the next MFA Setup screen:
    1. For Step 2, use one of the following options to configure your TOTP application:
      • If using a desktop web browser:
        • Scan the shown QR code with your application.
        • If required by your application, enter all or part of the shown TOTP URI in the application. Click Copy to copy the URI to the clipboard. Which parts of the URI you must enter depends on the application you use. For a good description of each part of the URI, see the page Key Uri Format in the google-authenticator wiki on github.com.
          MFA Setup screen showing Step 2 and Step 3 of setup
      • If using an HCL Verse Mobile client:
        • Tap the launch icon in the TOTP URI box to hand the TOTP URI to the operating system, which displays a list of the authentication applications on your mobile device that can be used to set up your MFA account. If no authentication application is installed, you must install at least one before proceeding.
          Verse Mobile MFA Setup showing Step 2 and Step 3 of setup

    2. For Step 3, in the MFA Token field, enter a token that your application generates and then click Validate.
  5. In the next MFA Setup screen:
    1. For Step 4, copy the scratch tokens that are shown to a secure location. You can use these as tokens later if your device is unavailable to generate them. Each scratch token can be used just once. Note that your administrator may also have the tokens sent to you by email.
    2. Select I have copied the codes to a secure location.
    3. Click DONE to return to the login screen.
      MFA Setup screen showing Step 4 of setup
  6. To complete setup, enter your name, password, and a token generated from your application. Then click Login.
    Final login screen to complete MFA setup.
    Note: Before clicking Login, optionally click Set up Multi Factor Authentication to set up another device for TOTP. You can also do this later.

Results

After a user successfully sets up TOTP, an administrator can see the TOTP URI in their vault ID document:
  1. From the Domino® Administrator, open the ID vault, located in the \IBM_ID_VAULT directory in the data directory on the server.
  2. Open the user's ID document.