OATH - policy parameters
The following table lists the policy parameters specific to OATH credentials.
In addition to the policy parameters defined in this table, the policy parameter defined in the table in chapter All credential types is also valid for OATH credentials.
When setting parameters for OATH credentials, make sure that the mobile app or hardware token supports the parameters. The defaults are tested with the Google Authenticator mobile app. Parameters with the prefix "initial" will only be considered for new credentials.
| Name | Data Type, Values | Default | Description |
|---|---|---|---|
| accountname | Data type: String Values: email, loginid | loginid | The account name that will be shown to the user in the mobile app. |
| initialAlgorithm | Data type: String Values: SHA1, SHA256, SHA512 | SHA1 | The hashing algorithm used to calculate the tokens. Changes to this parameter will not affect existing credentials. |
| initialDigits | Data type: int Values: 6, 7, 8 | 6 | The length of the generated token. Changes to this parameter will not affect existing credentials. |
| initialPeriod | Data type: int | 30 | The time window how long a totp token is valid in seconds. This only takes effect for the type TOTP. Changes to this parameter will not affect existing credentials. |
| initialType | Data type: String Values: hotp, totp | totp | The type of the OATH credential. HOTP for the HMAC-based one-time password and TOTP for time-based one-time Password. Changes to this parameter will not affect existing credentials. |
| issuer | Data type: String | null | The issuer indicates the provider or service the OATH credential is associated with. This can be used to differentiate between OATH credentials. |
| maxCredFailureCount | Data type: int (>0) or -1 | 3 | Maximum number of login failures before a credential is definitely locked. If set to "-1", the max. failure counter is disabled. |
| tmpLockingDuration | Data type: long | 60000 | Duration of the temporary locking in milliseconds. Use a tmpLockingDuration of at least 30000 since the exact duration cannot be guaranteed below this value. |
| tmpLockingMode | Data type: String Values: strict, threshold | strict | strict: when the first temporary locking period is over, the user can try to log in only once before the next temporary locking period is activated. threshold: the user can always try "tmpLockingThreshold" times to log in before the next temporary locking period is activated. |
| tmpLockingThreshold | Data type: int (>0) or -1 | 2 | Number of login failures before a credential is temporarily locked. If set to "-1", the temporary lock is disabled. |
| tolerance | Data type: int | 1 | The number of timeslots (TOTP) or counters (HOTP) that are still considered valid. For TOTP, X timeslots in the future and X timeslots in the past will be considered a valid token, where X stands for the value of "tolerance". For HOTP, the X next counter in the future will also be considered valid. We recommend a tolerance of 5 for HOTP. |