How to Set a Secret Key for a OTP User

Language:

Before You Begin

You have completed How to Configure OTP.

You must become an administrator with the OTP Auth Manage All Users rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

(Optional) Determine if the defaults are sufficient for your site policy.

$ otpadm get
                mode=timer
           algorithm=hmac-sha1
              digits=6
                ...

Create a secret key for the user.
```
$ pfexec otpadm -u username -f [base32 | hex] set attributes secret
```
For example, use the default OTP attributes:
```
$ pfexec otpadm -u jdoe set secret
```
For example, require a longer OTP:
```
$ pfexec otpadm -u jdoe set digits=8 secret
```
For example, set counter mode:
```
$ pfexec otpadm -u jdoe set mode=counter secret
```
By default, the OTP secret is displayed in Base32 format. Most authenticators accept this format, but some expect hexadecimal format. To change the format for the OTP secret, see Example 13, Setting and Displaying a Hexadecimal Secret Key.
Get the secret key to the user.
- Send the secret to users out of band.
  1. Display the secret.
```
$ pfexec otpadm -u username get secret
CBA6 5JBR M73T XGZK CNAB 36HG QLE5 PFCR
```
  2. Send it over a secure channel, such as encrypted email.
- Instruct the user to log in, display the secret key, and type it into their mobile authenticator app.
```
username $ otpadm get secret
CBA6 5JBR M73T XGZK CNAB 36HG QLE5 PFCR
```