Skip to main content
Version: 7.2505.x.x LTS

OATH - policy parameters

This page lists the policy parameters specific to OATH credentials.

In addition to the policy parameters defined here, the parameters defined in the table in the chapter All credential types are also valid for OATH credentials.

When setting parameters for OATH credentials, make sure that the mobile app or hardware token supports the parameters. The defaults are tested with the Google Authenticator mobile app. Parameters with the prefix initial will only be considered for new credentials.

accountname

  • Data type: String
  • Values: email, loginid
  • Default: loginid
  • Description: The account name that will be shown to the user in the mobile app.

initialAlgorithm

  • Data type: String
  • Values: SHA1, SHA256, SHA512
  • Default: SHA1
  • Description: The hashing algorithm used to calculate the tokens. Changes to this parameter will not affect existing credentials.

initialDigits

  • Data type: int
  • Values: 6, 7, 8
  • Default: 6
  • Description: The length of the generated token. Changes to this parameter will not affect existing credentials.

initialPeriod

  • Data type: int
  • Default: 30
  • Description: The time window in seconds for which a TOTP token is valid. This only takes effect for the type TOTP. Changes to this parameter will not affect existing credentials.

initialType

  • Data type: String
  • Values: hotp, totp
  • Default: totp
  • Description: The type of the OATH credential. HOTP for the HMAC-based one-time password and TOTP for the time-based one-time password. Changes to this parameter will not affect existing credentials.

issuer

  • Data type: String
  • Default: null
  • Description: The issuer indicates the provider or service the OATH credential is associated with. This can be used to differentiate between OATH credentials.

maxCredFailureCount

  • Data type: int (>0) or -1
  • Default: 3
  • Description: Maximum number of login failures before the OATH credential is definitely locked. If set to -1, the max. failure counter is disabled.

tmpLockingDuration

  • Data type: long
  • Default: 30000
  • Description: Duration of the temporary locking in milliseconds. Use a tmpLockingDuration of at least 30000 since the exact duration cannot be guaranteed below this value.

tmpLockingMode

  • Data type: String
  • Values: strict, threshold
  • Default: strict
  • Description:
    • strict: when the first temporary locking period is over, the user can try to log in only once before the next temporary locking period activates.
    • threshold: the user can always try tmpLockingThreshold times to log in before the next temporary locking period activates.

tmpLockingThreshold

  • Data type: int (>0) or -1
  • Default: 2
  • Description: Number of login failures before the OATH credential is temporarily locked. If set to -1, the temporary lock is disabled.

tolerance

  • Data type: int
  • Default: 1
  • Description: The number of timeslots (TOTP) or counters (HOTP) that are still considered valid. For TOTP, X timeslots in the future and X timeslots in the past will be considered a valid token, where X stands for the value of tolerance. For HOTP, the X next counters in the future will also be considered valid. We recommend a tolerance of 5 for HOTP.