Time-based One-time Password (TOTP)
Last updated
The Time-Based One-Time Password (TOTP) factor works with any authenticator app such as Google Authenticator, Authy, Aegis, etc. Once seeded with the shared secret, the authenticator app generates passwords that are only valid for a short period of time (30 seconds by default) and can only be used once.
An account can enroll multiple TOTP factors if desired.
The default maximum failed attempts before the factor gets temporarily disabled is 5. The factor will auto-unlock after 300 seconds (5 minutes). The counter resets to 0 on each successful login.
TOTPs are case-sensitive by default.
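As an added illustration (not code from the Quasr documentation or product), the following Python implements the standard TOTP algorithm (RFC 6238 on top of RFC 4226 HOTP: HMAC-SHA1, 30-second step, 6 digits) and a server-side verifier that applies the policy stated above: each code is accepted at most once, five failed attempts lock the factor, the lock expires after 300 seconds, and the failure counter resets on a successful login. The one-step-either-side acceptance window, treating a replayed code as a failed attempt, and starting the failure count over when a lock is applied are assumptions made for this example, not documented Quasr behaviour.

```python
import base64
import hashlib
import hmac
import struct


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode the setup key as shown to the user (unpadded base32 is common)."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros, codes are strings


def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(decode_base32_secret(secret_b32), int(at // step), digits)


class TotpVerifier:
    """Server side of one enrolled TOTP factor, applying the policy described above:
    max_failures failed attempts lock it, it auto-unlocks after lock_seconds, the
    failure counter resets on success, and each code is accepted only once."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1,
                 max_failures: int = 5, lock_seconds: int = 300):
        self.key = decode_base32_secret(secret_b32)
        self.step, self.digits, self.window = step, digits, window
        self.max_failures, self.lock_seconds = max_failures, lock_seconds
        self.failures = 0
        self.locked_until = 0.0
        self.last_counter = -1  # highest counter already consumed (replay guard)

    def verify(self, code: str, now: float):
        if now < self.locked_until:
            return False, "locked"
        current = int(now // self.step)
        matched = None
        # Check every counter in the window (assumed: one step either side).
        # Compare in constant time and never break early, so timing does not
        # reveal which step, if any, matched.
        for c in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(hotp(self.key, c, self.digits), code):
                matched = c
        if matched is None:
            return self._fail(now, "invalid")
        if matched <= self.last_counter:
            # "Only valid once": a counter that was already consumed (or is
            # older than the last consumed one) is rejected as a replay.
            return self._fail(now, "replay")
        self.last_counter = matched
        self.failures = 0  # counter resets to 0 on each successful login
        return True, "ok"

    def _fail(self, now: float, reason: str):
        self.failures += 1
        if self.failures >= self.max_failures:
            # Assumption of this example: the lock itself is the penalty, so the
            # failure count starts over once it has been applied.
            self.failures = 0
            self.locked_until = now + self.lock_seconds
            return False, "locked"
        return False, reason
```

The `totp` function reproduces the RFC 6238 reference vectors (secret `12345678901234567890`, time 59 gives `287082`), which is the quickest way to confirm an implementation before pointing real authenticator apps at it. Note that `verify` takes the current time as a parameter instead of reading the clock, so the lockout and replay paths can be exercised deterministically.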
Below is a sample screenshot to give an idea of a potential login / registration page asking for a Time-Based One-Time Password (TOTP).
On a login page, the Time-Based One-Time Password input field is usually represented by a single-line password field or a set of single-digit input fields, which optionally also allow values to be pasted into them.
The signup with a Time-Based One-Time Password (TOTP) happens in two steps (two API calls), the setup and the initial verification:
To set up a Time-Based One-Time Password, a label (label parameter) can optionally be provided.
POST https://{tenant_id}.api.quasr.io/factors/signup
Headers (* = required):
Authorization* (String): Session or Access Token
Body parameters:
label (String): Label
id* (String): Factor ID
After the enrollment request is made, the factor enrollment is in a PENDING state.
The enrollment request will return feedback in the response, which is to be used for an initial validation (see below) in order to progress the enrollment from PENDING to ENABLED state.
The feedback contains:
secret: the setup key, in case the end-user cannot or does not want to scan a QR code
initialization_url: the URI in case you want to generate a QR Code by yourself
enrollment id: the id of the just created enrollment
Use this feedback information to provide the secret and/or QR code to the end-user so that they can scan the QR code or manually set up the TOTP in their authenticator app.
Sample Response:
To verify a Time-Based One-Time Password (TOTP) factor, the TOTP (input parameter) is provided.
After the first successful verification, the enrollment status will switch from PENDING to ENABLED.
POST https://{tenant_id}.api.quasr.io/factors/signup
Headers (* = required):
Authorization* (String): Session or Access Token
Body parameters:
input* (String): TOTP from authenticator app
id* (String): Enrollment ID
To log in with a Time-Based One-Time Password (TOTP) factor, the TOTP (input parameter) is provided together with the factor enrollment id.
POST https://{tenant_id}.api.quasr.io/factors/login
Headers (* = required):
Authorization* (String): Session or Access Token
Body parameters:
id* (String): Enrollment ID
input* (String): TOTP from authenticator app
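The two-step signup and the login described above, as an added Python example that is not part of the Quasr documentation or SDK. It builds the three requests, parses the enrollment feedback, and runs the setup call followed by the initial verification, switching from the factor id to the enrollment id between the two calls. Assumptions not stated on this page: `initialization_url` is a standard `otpauth://totp/...` URI as read by authenticator apps, the setup response carries the enrollment id under `id` together with a `status`, the verification response carries `status`, and the session or access token is sent verbatim in the Authorization header. The `send` and `ask_user_for_code` callables are injected so the flow can be exercised without network access.

```python
from urllib.parse import parse_qs, unquote, urlparse

BASE_URL = "https://{tenant_id}.api.quasr.io"


def parse_initialization_url(url: str) -> dict:
    """Parse an otpauth://totp/LABEL?secret=...&issuer=... URI.
    Assumption: initialization_url uses this de-facto standard format."""
    u = urlparse(url)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("expected an otpauth://totp/ URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "issuer": q.get("issuer", [None])[0],
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def _post(tenant_id: str, path: str, token: str, body: dict) -> dict:
    # Assumption: the session or access token goes into Authorization as-is.
    return {"method": "POST", "url": BASE_URL.format(tenant_id=tenant_id) + path,
            "headers": {"Authorization": token, "Content-Type": "application/json"},
            "json": body}


def setup_request(tenant_id: str, token: str, factor_id: str, label: str = None) -> dict:
    """Step 1: enroll against the factor id; the label is optional."""
    body = {"id": factor_id}
    if label is not None:
        body["label"] = label
    return _post(tenant_id, "/factors/signup", token, body)


def verify_request(tenant_id: str, token: str, enrollment_id: str, code: str) -> dict:
    """Step 2: the initial verification uses the enrollment id from step 1, not the factor id."""
    return _post(tenant_id, "/factors/signup", token, {"id": enrollment_id, "input": str(code)})


def login_request(tenant_id: str, token: str, enrollment_id: str, code: str) -> dict:
    """Login: same body shape as step 2, different endpoint. str() keeps leading zeros."""
    return _post(tenant_id, "/factors/login", token, {"id": enrollment_id, "input": str(code)})


def enroll_totp(send, tenant_id, token, factor_id, ask_user_for_code, label=None) -> dict:
    """Run the two-step signup. `send(request)` performs the HTTP call and returns the
    decoded JSON response; `ask_user_for_code(info)` shows the secret or QR code to the
    end-user and returns the code they typed from their authenticator app."""
    feedback = send(setup_request(tenant_id, token, factor_id, label))
    if feedback.get("status") != "PENDING":  # assumed response key
        raise RuntimeError(f"unexpected enrollment status {feedback.get('status')!r}")
    info = parse_initialization_url(feedback["initialization_url"])
    if info["secret"] != feedback["secret"]:
        # The two copies of the setup key must agree before either is shown to the user.
        raise RuntimeError("secret in initialization_url differs from the secret field")
    code = ask_user_for_code(info)
    result = send(verify_request(tenant_id, token, feedback["id"], code))
    if result.get("status") != "ENABLED":
        raise RuntimeError(f"initial verification failed; enrollment still {result.get('status')!r}")
    # The secret is deliberately not returned or logged; only the enrollment id is kept.
    return {"enrollment_id": feedback["id"], "status": result["status"]}
```

In production the `send` callable would wrap an HTTP client and `ask_user_for_code` would render the QR code; the only state the application should persist from this flow is the enrollment id, which is what the later `/factors/login` call needs.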
The following API sample calls create a Time-Based One-Time Password factor labelled "Another TOTP" with a score of 2.
The Time-Based One-Time Password Factor allows for the following parameters and config options (parameter: allowed values; default):
subtype: "totp"
label: <string>; default "Authenticator App"
status: "ENABLED" | "DISABLED"; default "DISABLED"
score: <positive int>; default 1
config.public_signup: true | false; default false
config.require_validation_for_enablement: true | false; default true
config.issuer: <string>; default "Quasr"
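An added Python example (not Quasr code) that builds a factor definition from the options above: caller values are merged over the documented defaults, anything outside the documented domains is rejected, and a lint pass flags the setting that weakens the factor. The reading of config.require_validation_for_enablement as "an enrollment may become ENABLED without the initial verification" follows from the option name and the PENDING to ENABLED flow described earlier, not from an explicit statement on this page; the admin endpoint that would receive this body is not shown here either.

```python
TOTP_FACTOR_DEFAULTS = {
    "subtype": "totp",
    "label": "Authenticator App",
    "status": "DISABLED",
    "score": 1,
    "config": {
        "public_signup": False,
        "require_validation_for_enablement": True,
        "issuer": "Quasr",
    },
}
STATUSES = ("ENABLED", "DISABLED")


def build_totp_factor(label=None, status=None, score=None, config=None) -> dict:
    """Merge caller values over the documented defaults; reject undocumented keys,
    wrong types, non-positive scores and unknown statuses."""
    cfg = dict(TOTP_FACTOR_DEFAULTS["config"])
    for key, value in (config or {}).items():
        if key not in cfg:
            raise ValueError(f"unknown config option {key!r}")
        if type(value) is not type(cfg[key]):  # exact type: bool is not int, "true" is not True
            raise ValueError(f"config.{key} must be {type(cfg[key]).__name__}")
        cfg[key] = value
    factor = {
        "subtype": "totp",
        "label": TOTP_FACTOR_DEFAULTS["label"] if label is None else label,
        "status": TOTP_FACTOR_DEFAULTS["status"] if status is None else status,
        "score": TOTP_FACTOR_DEFAULTS["score"] if score is None else score,
        "config": cfg,
    }
    if not isinstance(factor["label"], str) or not factor["label"]:
        raise ValueError("label must be a non-empty string")
    if factor["status"] not in STATUSES:
        raise ValueError("status must be ENABLED or DISABLED")
    if type(factor["score"]) is not int or factor["score"] < 1:
        raise ValueError("score must be a positive int")
    if not cfg["issuer"]:
        raise ValueError("config.issuer must not be empty (it is what the authenticator app displays)")
    return factor


def lint_totp_factor(factor: dict) -> list:
    """Return warnings for settings that weaken the factor.
    Assumed semantics: with require_validation_for_enablement=false an enrollment
    can reach ENABLED without the user ever producing a valid code."""
    warnings = []
    if not factor["config"]["require_validation_for_enablement"]:
        warnings.append("config.require_validation_for_enablement=false: enrollments can be "
                        "enabled without the initial verification, so a mis-scanned or lost "
                        "secret is only discovered at login time")
    return warnings
```

Keeping the default of `require_validation_for_enablement=true` means the first call to `/factors/signup` with an `input` doubles as proof that the user's app is seeded correctly before the factor counts towards their score.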
Below is a list of TOTP apps that we can recommend (Quasr has no affiliation with these vendors):
(Open Source)
(Open Source)
Google Authenticator
A Time-Based One-Time Password Factor is already available for all newly created tenants by default; however, if you want to add additional TOTP factors, you can do so via the Tenant Administration UI or .
The Quasr Access Token used in the Authorization header in the examples below must contain the scope https://api.quasr.io/scopes/admin in order to be authorized. See