TOTP
How to choose your integration strategy?
Learn how to activate Multi-Factor Authentication (MFA). We provide a TOTP strategy for an Organization on your Login Gateway with your customized User Interface: from the activation of the TOTP to the final login attempt. Or embed it directly in your app with the Headless Integration strategy described here.
Watch the video guide
- Quickstart
- 15 min
Introduction
A TOTP is a Time-based One-Time Password, which allows
However, it is important to enforce a number of security measures, for example that the code is only usable for a short period of time.
What we will build together
- Configure a TOTP
- Add TOTP to your
Prerequisites
- A Cryptr account
- An IdP account from a Cryptr-supported identity provider to help you configure an IdP instance for your development
Step 1: Integrate to your Application
If you have already integrated Cryptr in an
Start integrating with your favourite technology
Login
Your login
Single Page App
Backend Integration
Step 2: Configure your first TOTP Connection
The Cryptr API
- Organization: An Organization represents a business customer or partner in your Cryptr service.
- TOTP Connection: You can create or update the TOTP preferences for an Organization (usually your Enterprise customer). This holds everything needed to set up the TOTP.
Environment variables
It is important that your Cryptr CRYPTR_API_KEY environment variable is set at the start of your application. CRYPTR_CLIENT_ID must also be defined:
CRYPTR_API_KEY=79cef058-530c-4c19-a12d-ff57ff5e592b
CRYPTR_CLIENT_ID=b7bde828-4df1-4f62-9a3a-d1541a2fc9e4
If you don't have
Login to your Cryptr space to create an
Create your Users directory
The Organization owner
An Organization is the
Create a new Organization with a name:
- cURL
- Kotlin
curl -X POST ${cryptr_service_url}/api/v2/organizations \
-H "Authorization: Bearer your-access-token-from-client-id-and-secret" \
-d name="Communitiz App" \
-d email_domains[]="communitiz-app"
val organizationResponse = cryptr.createOrganization(
name = "My company name",
allowedEmailDomains = setOf("my-company.com")
)
Now we have the domain of our new Organization: here communitiz-app is the domain identifier. From now on, each time a new user is created through our TOTP, or we add a new configuration, it will be stored in a cleanly separated
We can fetch the users from this Organization:
- cURL
- Kotlin
curl "${cryptr_service_url}/api/v2/org/${org_domain}/users" \
-d page=${page} \
-d per_page=${per_page}
val listing = cryptr.listUsers(
orgDomain = orgDomain,
// Optional, size of the page
// perPage = perPage,
// Optional your current page
// currentPage = currentPage
)
Of course, at this time our list is empty. To see more about Organization and User, please have a look at our Organization API Reference and User API Reference. We can store the
Setting up a TOTP connection
Let's configure a TOTP
When an Organization is created, Cryptr automatically prepares two environments for you: a sandbox and your default environment (for your production).
TOTP
With a created Organization, and an
In fact, the TOTP connection is already created by default, but is not activated. Let's see how to activate it.
Create a new TOTP
- cURL
- Kotlin
curl -X PUT ${cryptr_service_url}/api/v2/org/${org_domain}/totp-connection \
-d active=true
// Kotlin string literals use double quotes
val resp = cryptr.createTotpConnection(
orgDomain = "communitiz-app"
)
Manage the Totp
Here are the other possible actions for managing the TOTP connection.
Update the Totp Connection
This request lets you update the TOTP connection parameters.
- cURL
- Kotlin
curl -X PUT ${cryptr_service_url}/api/v2/org/${org_domain}/totp-connection \
-d active=true
val resp = cryptr.updateTotpConnection(
orgDomain = "communitiz-app",
active = true
)
Deactivate the Totp Connection
- cURL
- Kotlin
curl -X PUT ${cryptr_service_url}/api/v2/org/${org_domain}/totp-connection \
-d active=false
val resp = cryptr.deleteTotpConnection(
orgDomain = "communitiz-app"
)
Retrieve the Totp Connection
- cURL
- Kotlin
curl "${cryptr_service_url}/api/v2/org/${org_domain}/totp-connection"
val resp = cryptr.getTotpConnection(
orgDomain = "communitiz-app"
)
You are now able to view the parameters of your TOTP connection.
Users enrollment
First login (TOTP Mobile APP Method)
To be able to use TOTP, your users will have to be enrolled.
To do this, when your TOTP
Once it has been scanned with their TOTP mobile application (FreeOTP, Google Authenticator, ...), they can click a button to reach the next page. There they are asked to enter their first TOTP code (the one shown by their application). Once this is done and the process validated, your users are enrolled.
If the TOTP is valid, users will then see a page where five recovery codes are displayed. These codes can be downloaded by the user as a text file and used if the user loses access to their TOTP application.
Users will then be prompted to confirm the download of their recovery codes. Once validated, a session is opened.
These recovery codes must be stored as carefully as a password (they must not be divulged or stored on the same device as the TOTP application ...).
Moreover, they are single-use, so a user can only use recovery codes 5 times. Once this number has been exceeded, you'll need to force the enrollment of your user. Finally, codes can only be used once in a 24-hour period.
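How a backend could enforce the recovery-code rules just described, as an added example rather than Cryptr's implementation: codes are stored only as salted hashes, each works once, at most one recovery-code login is accepted per 24 hours, and re-enrollment is required once all five are spent. The code format and the PBKDF2 parameters are assumptions.

```python
# Added example, not Cryptr's code: lifecycle of the five single-use recovery codes.
import hashlib
import hmac
import secrets

CODE_COUNT = 5
REUSE_INTERVAL = 24 * 3600   # seconds between two recovery-code logins (assumed policy)


def _hash(salt: bytes, code: str) -> bytes:
    # Treat codes like passwords: never store the plaintext, only a slow salted hash.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class RecoveryCodes:
    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.hashes: list[bytes] = []
        self.used: list[bool] = []
        self.last_use = None   # Unix time of the last successful recovery login

    def issue(self) -> list[str]:
        """Generate fresh codes; the plaintext is returned once, for the user's download."""
        codes = ["-".join(secrets.token_hex(2) for _ in range(3)) for _ in range(CODE_COUNT)]
        self.hashes = [_hash(self.salt, c) for c in codes]
        self.used = [False] * CODE_COUNT
        self.last_use = None
        return codes

    def remaining(self) -> int:
        return self.used.count(False)

    def redeem(self, code: str, now: int) -> str:
        """Returns 'ok', 'rate_limited', 'invalid' or 'exhausted'."""
        if self.remaining() == 0:
            return "exhausted"          # all five spent: force a new enrollment
        if self.last_use is not None and now - self.last_use < REUSE_INTERVAL:
            return "rate_limited"       # only one recovery login per 24 hours
        digest = _hash(self.salt, code.strip().lower())
        for i, h in enumerate(self.hashes):
            if not self.used[i] and hmac.compare_digest(h, digest):
                self.used[i] = True     # single-use: burn the code
                self.last_use = now
                return "ok"
        return "invalid"
```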
Subsequent login
In the case of an already enrolled user, the next time they log on, they'll only be asked to enter a TOTP code.
API endpoint used in this guide
You can read more about