Onboarding for End Users – with Token2 (HOTP)
Token2 HOTP is a token, powered by Token2, which can be configured to use HMAC-based One-time Passwords (HOTP) for multi-factor authentication.
HOTP is an alternative to Time-based One-time Passwords (TOTP). Note that the most used TOTP solutions are authentication applications (for example Google Authenticator) or programmable tokens (for example, Token2 miniOTP-3).
UserLock configures Token2 HOTP in an efficient manner uniquely on the server side thus avoiding any client based configuration.
To authenticate with Token2 HOTP, users simply tap their security key. This touch activated Token2 HOTP automatically enters a pre-determined authentication code; thus avoiding the possibility of the end user entering an invalid code.
Users require a Token2 with HOTP support such as Token2 T2F2-ALU. This device must be inserted into a USB port of their computer during the connection.
To enroll in MFA with Token2 HOTP, users will have to connect directly (and not via RDP) to a computer for the Desktop UserLock agent to detect the Token2. Subsequent connections will allow RDP connections with the Token2 plugged into the USB port of the client computer.
To enable two-factor authentication with UserLock and Token2 HOTP
Once MFA is activated for a user account (configure the MFA frequency you need), this user may require assistance logging in for the first time with UserLock and Token2:
- The user plugs the Token2 HOTP into the USB port of their computer (do not connect via RDP for this first connection as explained in the "Requirements" section).
- The user logs in to their Windows session.
The UserLock desktop agent asks the user the method to configure multi-factor authentication:
If the user chooses "USB Token", Token2 is automatically detected and a dialog box appears:
Next, the Desktop UserLock agent programs the Token2 HOTP using the MFA secret (without displaying it), then updates the Link Token2 button to confirm that the operation succeeded:
The cursor appears in the edit box of the authentication code and the user can touch the Token2.
As a result, the edit box will display the associated 6-digit code and automatically close the dialog box indicating that the verification operation succeeded.
Subsequent connections for two-factor authentication with UserLock and Token2 HOTP
Following the initial connection in which the Token2 configuration is included, subsequent connections where MFA is requested will occur as follows:
- The user plugs the Token2 HOTP into a USB port of their computer (the client computer if they are using RDP).
- The user logs in to their Windows Session
The UserLock desktop agent requests the authentication code:
The user touches the Token2 button.
The edit box will display the associated 6-digit code and automatically close the dialog box indicating that the verification operation succeeded.
Token2 HOTP and RDP
As explained in the “Requirements” section, remember that to enroll with MFA and Token2, users will have to connect directly (and not via RDP) to a computer (the subsequent connections will allow RDP connections with the Token2 HOTP plugged into the USB port of the client computer).
Use case: What to do if Token2 is lost, forgotten, etc
You can use an alternative method as Authenticator App or Recovery codes, if they have been configured.
Also, the optional Ask for help UserLock MFA feature (disabled by default) is designed to alert UserLock administrators in such cases: actions include resetting the MFA key, temporarily disabling MFA, assistance activating the Yubikey...
Use case: What to do if I used TOTP before and now I use HOTP Token2?
For such users, reset the MFA key, then configure Token2 as explained in the section To enable two-factor authentication with UserLock and Token2 HOTP.
TOTP and / or HOTPThe choice between TOTP and HOTP depends on several arguments. For example, HOTP is a preferred choice if the UserLock server is installed on a virtual machine on which the clock is not synchronized as often as TOTP MFA requires. (If your VM is installed as part of a Hyper-V platform there is also a risk of time synchronization issues).
Configuration of Token2 HOTP is not possible with an RDP session
Unable to configure Token2 HOTP with an RDP session, a physical connection to a computer is required.
Use with virtual machines may be limited
It is possible to mount Token2 HOTP in Virtual Box Virtual Machines: using Token2 on such machines is possible for both configuration and authentication. However, there are issues when trying to configure them with Hyper-V virtual machines, although authentication is possible.
For a comparative list of compatible tokens by Token2, click here.
Risk of HOTP desynchronization if there is a high number of logins without network connection
If there is a high number of logons without network connection, the token's HOTP counter may be out of sync with the UserLock server side. If so, the MFA code will not be accepted. By default, an offset of 6 codes between the 2 counters is authorized, you can modify this number via the advanced parameter "MaxHotpCodeCount".