TOTP Device Enrollment
Last modified on May 16, 2023
Time-based One-time Password (TOTP) is an additional factor for authentication. With TOTP, you first log in with your username and password as normal, and then you enter your TOTP.
With TOTP, a server-side algorithm generates a one-time code that expires and is rotated very quickly. An application on your device generates a matching code. When you enter the code from your device, the two are compared, and if a match, you authenticate. This factor requires you to physically have your device, in addition to the knowledge of your username and password, to log in to the service.
TOTP is available as a multi-factor authentication (MFA) option for your StrongDM organization. This guide describes how to enroll in MFA using one-time passwords to allow you to log in to access resources via StrongDM.
- In order to set up your MFA with StrongDM you will need to already have a StrongDM account. Please see your organization’s StrongDM administrator if you do not.
- Your organization must have enabled MFA using TOTP in order for individual users to use it.
- Before starting, download your TOTP mobile application of choice (such as Authy or Google Authenticator). Some desktop applications such as password managers also include a TOTP functionality that you can use instead, if you wish.
TOTP Device Enrollment
When you are attempting to log in to StrongDM, if MFA using TOTP is enabled for your organization, you will receive an alert message that indicates that you need to enroll your device. Follow the prompt to begin.
The first screen will simply ask you to log in using your normal username and password.
The next will present a QR code. Using your TOTP application on your device, scan the QR code, or select Show code to show the code to enter at a manual prompt in your TOTP application. You might use a manual code if you are using a desktop TOTP application, or if you cannot use a QR code (or prefer not to).
Once you do this, your TOTP application will help you to save StrongDM in your application, and present you with a confirmation code.
At the next prompt, back on the StrongDM page, enter the confirmation code that your TOTP application gave you.
If it worked, you will see the success screen.
Now, when you log in to the StrongDM Desktop App you will be presented with an MFA prompt. Simply check your TOTP application for the current code that it has recently generated, and type it in!
A similar prompt will follow an attempt to log in to the Admin UI.
New device setup or existing device reset
If you get a new mobile device or have to reset your existing device, you may be unable to log in to your TOTP-protected account. If this situation occurs, please contact your organization’s StrongDM administrator to reset your TOTP.