Skip to main content
Version: 8.2411.x.x RR

OATH - policy parameters

The following table lists the policy parameters specific to OATH credentials.

In addition to the policy parameters defined in this table, the policy parameter defined in the table in chapter All credential types is also valid for OATH credentials.

When setting parameters for OATH credentials, make sure that the mobile app or hardware token supports the parameters. The defaults are tested with the Google Authenticator mobile app. Parameters with the prefix "initial" will only be considered for new credentials.

NameData Type, ValuesDefaultDescription
accountnameData type: String Values: email, loginidloginidThe account name that will be shown to the user in the mobile app.
initialAlgorithmData type: String Values: SHA1, SHA256, SHA512SHA1The hashing algorithm used to calculate the tokens. Changes to this parameter will not affect existing credentials.
initialDigitsData type: int Values: 6, 7, 86The length of the generated token. Changes to this parameter will not affect existing credentials.
initialPeriodData type: int30The time window how long a totp token is valid in seconds. This only takes effect for the type TOTP. Changes to this parameter will not affect existing credentials.
initialTypeData type: String Values: hotp, totptotpThe type of the OATH credential. HOTP for the HMAC-based one-time password and TOTP for time-based one-time Password. Changes to this parameter will not affect existing credentials.
issuerData type: StringnullThe issuer indicates the provider or service the OATH credential is associated with. This can be used to differentiate between OATH credentials.
maxCredFailureCountData type: int (>0) or -13Maximum number of login failures before a credential is definitely locked. If set to "-1", the max. failure counter is disabled.
tmpLockingDurationData type: long60000Duration of the temporary locking in milliseconds. Use a tmpLockingDuration of at least 30000 since the exact duration cannot be guaranteed below this value.
tmpLockingModeData type: String Values: strict, thresholdstrictstrict: when the first temporary locking period is over, the user can try to log in only once before the next temporary locking period is activated.
threshold: the user can always try "tmpLockingThreshold" times to log in before the next temporary locking period is activated.
tmpLockingThresholdData type: int (>0) or -12Number of login failures before a credential is temporarily locked. If set to "-1", the temporary lock is disabled.
toleranceData type: int1The number of timeslots (TOTP) or counters (HOTP) that are still considered valid. For TOTP, X timeslots in the future and X timeslots in the past will be considered a valid token, where X stands for the value of "tolerance". For HOTP, the X next counter in the future will also be considered valid. We recommend a tolerance of 5 for HOTP.