Before You Begin
You have completed How to Configure OTP.
You must become an administrator with the following rights profiles to complete the steps in this task:
User Management rights profile – For assigning PAM policy to users
OTP Auth Manage All Users rights profile – For managing OTP
The root role has all of these rights. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
You and the user have finished the following tasks:
$ pfexec usermod -K pam_policy=otp username
The users should be prompted first for their regular login password, then for the OTP.
$ pfexec usermod -K pam_policy= username
$ pfexec otpadm -u username expunge
The authenticator app in use at a company can handle a very strong algorithm and a long password. To implement a stronger security policy, the administrator notifies OTP users to change to a SHA2 algorithm and an 8-digit password. Then, the administrator audits their change. The email and user responsibilities are shown in Example 12, Users Changing to a Longer OTP and a Stronger Algorithm.
After allowing time for the users to change their OTP attributes, the administrator audits every OTP user.
$ pfexec otpadm -u username get algorithm digits digits=8 algorithm=hmac-sha256
If a user's configuration is different from the preceding output, the administrator sends a warning email that specifies the date that the user will be locked out.
On the specified date, the administrator locks out OTP users who have not changed to the new OTP configuration.
$ pfexec usermod -e date username
In this example, the user is using a mobile authenticator that supports counter mode. The administrator sets the OTP mode to counter when the mobile authenticator does not synchronize with the login server. To prevent using any existing codes, the administrator sets a new secret.
$ otpadm -u username set mode=counter secret $ otpadm -u username get secret VOCJ YHTV 2C4O DTDN R34X CGM4 YZVM JJFI
The administrator sends the secret to the user out of band. Before typing in the secret, the user sets the mobile authenticator app to use counter mode.
If the authenticator does not confirm the user's OTP, users should wait and try the second OTP that displays.
If the login server does not accept the OTP, make sure that the clocks on the mobile device and the server are synchronized.