Speakers: Martin Leyrer & Milan Matejic Engage.UG 2022 HCL Domino - TOTP / MFA

1. #engage
#engageug
Ad12
Domino TOTP/2FA - Best Practices and Pitfalls
Martin Leyrer
Milan Matejic
Engage 2022

2. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 2
Martin Leyrer
Martin Leyrer is a Senior Lab Services Consultant in HCL's Digital
Solutions Lab Services organizations since autumn 2019.
Before joining HCL, worked for eight years in IBM's Software
Group Services Organization, gaining in-depth knowledge on the
whole HCL Collaboration software stack.
Looking beyond the core HCL software stack, other areas of
expertise for Martin are Linux command line tools, IT
Security/Hacking, making stuff blink and combining all of these
areas.

3. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 3
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Milan Matejic
About us

4. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 4
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Table of Contents
Motivation

5. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 5
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Table of Contents
Motivation
Wording

6. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 6
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Table of Contents
Motivation
Wording
How Does it Work?

7. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 7
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Table of Contents
Motivation
Wording
How Does it Work?
Prerequisites

8. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 8
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Table of Contents
Motivation
Wording
How Does it Work?
Prerequisites
Setup

9. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 9
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Table of Contents
Motivation
Wording
How Does it Work?
Prerequisites
Setup
Traveler

10. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 10
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Table of Contents
Motivation User Workflow
Wording
How Does it Work?
Prerequisites
Setup
Traveler

11. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 11
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Table of Contents
Motivation User Workflow
Wording Administration
How Does it Work?
Prerequisites
Setup
Traveler

12. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 12
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Table of Contents
Motivation User Workflow
Wording Administration
How Does it Work? Troubleshooting
Prerequisites
Setup
Traveler

13. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 13
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Table of Contents
Motivation User Workflow
Wording Administration
How Does it Work? Troubleshooting
Prerequisites Q & A
Setup
Traveler

14. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 14
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Table of Contents
Motivation User Workflow
Wording Administration
How Does it Work? Troubleshooting
Prerequisites Q & A
Setup References
Traveler

15. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 15
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Motivation

16. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 16
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Motivation

17. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 17
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Roadmap
Motivation User Workflow
Wording Administration
How Does it Work? Troubleshooting
Prerequisites Q & A
Setup References
Traveler

18. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 18
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
MFA – Multi-factor authentication
Wording

19. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 19
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
2FA – Two-factor authentication
Wording

20. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 20
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
TOTP – Time-based one-time password
Wording

21. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 21
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
TOTP algorithm
Wording

22. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 22
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Authentication server / verifier
Wording

23. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Authy Google Authenticator Microsoft Authenticator
23
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
TOTP Authenticator / Prover
Wording

24. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 24
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Scratch codes
Wording

25. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 25
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Roadmap
Motivation User Workflow
Wording Administration
How Does it Work? Troubleshooting
Prerequisites Q & A
Setup References
Traveler

26. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 26
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
RFC 6238
Prover
Verifier
Shared Secret
Moving Factor
Timestep
How Does it Work?
4. Web server forwards TOTP
config to TOTP application
3. ID-Vault sends user s
TOTP config to web server
1. User configures TOTP
application
2. Web server sends the
information to ID-Vault

27. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 27
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
How Does it Work? – Prover Setup
4. Web server forwards TOTP
config to TOTP application
3. ID-Vault sends user s
TOTP config to web server
1. User configures TOTP
application
2. Web server sends the
information to ID-Vault

28. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 28
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
How Does it Work? - Authentication
4. Web server grants
access
3. ID-Vault authenticates
the user
1. User enters
credentials and TOTP
2. Web server sends the
TOTP to ID-Vault

29. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 29
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Roadmap
Motivation User Workflow
Wording Administration
How Does it Work? Troubleshooting
Prerequisites Q & A
Setup References
Traveler

30. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 30
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Time Sync
Prerequisites

31. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 31
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
DNS
Prerequisites

32. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 32
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Public TLS Certificate
Domino Certificate Manager
Prerequisites

33. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 33
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
ID-Vault
Prerequisites

34. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 34
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Certifier ID File
Inside of Domino Data
Prerequisites

35. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 35
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
HCL Domino 12.0
Incl. v12.0 Templates
Prerequisites

36. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 36
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Roadmap
Motivation User Workflow
Wording Administration
How Does it Work? Troubleshooting
Prerequisites Q & A
Setup References
Traveler

37. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 37
37
MFA Trust Certificate
Enable TOTP Login Form
TOTP Configuration
Restart
Setup

38. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 38
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Create MFA Trust Certificate
mfamgmt create trustcert <Notes_DN_to_allow>
<certifier_ID_file> <certifier_password>

39. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 39
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Create MFA Trust Certificate Command

40. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 40
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Check if MFA Trust Certificate is Created

41. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 41
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Check MFA Trust Certificate and ID-Vault Trust

42. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 42
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Enable TOTP - Configuration Document

43. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 43
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Enable TOTP - Web Site Document

44. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 44
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Enable TOTP - Web Site Document

45. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 45
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Enable TOTP - Web Site Document

46. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 46
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Enable TOTP - Web Site Document

47. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 47
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
LTPA Token Expiration

48. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 48
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Configure TOTP Login Form

49. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 49
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Configure TOTP Login Form (cont.)
domcfg.nsf database

50. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 50
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Configure TOTP Login Form (cont.)

51. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 51
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Configure TOTP Login Form - $$LoginUserFormMFA

52. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 52
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Secure Mail Operations for TOTP
Allow access to ID-Files with TOTP
Optional

53. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 53
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Secure Mail Operations for TOTP (cont.)

54. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 54
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Additional Security for ID-Vault
Restrict server access to ID-Vault
Optional

55. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 55
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Additional Security for ID-Vault – Policy

56. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 56
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Additional Security for ID-Vault – ID-Vault Conf.

57. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 57
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Restart
Domino Server
HTTP Task

58. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 58
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Demo – User Enables MFA

59. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 59
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Roadmap
Motivation User Workflow
Wording Administration
How Does it Work? Troubleshooting
Prerequisites Q & A
Setup References
Traveler

60. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 60
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Traveler & TOTP
Fully Supported
Additional settings needed

61. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 61
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Traveler & TOTP – Verse App
Apple iOS
Google Android

62. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 62
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Traveler & TOTP – Third Party Apps
Not Supported

63. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 63
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Traveler & TOTP – Disabling TOTP
Reinstall / Reconfigure

64. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 64
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Traveler & TOTP – Self-Signed Certificates
Possible!

65. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 65
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Traveler & TOTP – MFA Setup
Must be done elsewhere!

66. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 66
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Traveler TOTP Configuration
Identical as for Domino

67. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 67
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Traveler TOTP Configuration – Security Policy

68. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 68
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Traveler TOTP Configuration – Token Expiration
Token Expiration

69. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 69
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Demo New Traveler User

70. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 70
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Demo Existing Traveler User

71. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 71
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Roadmap
Motivation User Workflow
Wording Administration
How Does it Work? Troubleshooting
Prerequisites Q & A
Setup References
Traveler

72. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 72
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
User Workflow
Add additional TOTP devices

73. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 73
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Add Additional TOTP Devices

74. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 74
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
User Workflow
Delete TOTP devices

75. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 75
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Delete TOTP Devices

76. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 76
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
User Workflow
Request new scratch codes

77. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 77
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Request New Scratch Codes

78. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 78
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Roadmap
Motivation User Workflow
Wording Administration
How Does it Work? Troubleshooting
Prerequisites Q & A
Setup References
Traveler

79. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 79
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Administration
Check user’s configuration
TOTP Checker

80. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 80
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Administration – TOTP Checker

81. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 81
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Administration – TOTP Checker Linux - “Interim” Fix
SPR # SPPPCDFF4W
Contact Support

82. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 82
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Administration – Check User’s ID-Vault Document
Check user’s ID-Vault document

83. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 83
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Administration – Check User’s ID-Vault Document

84. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 84
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Administration – Reset TOTP Config
Reset user’s TOTP configuration

85. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 85
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Administration – Reset TOTP Config

86. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 86
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
TOTP_STEPSIZE=seconds
TOTP_TIMESKEW_STEPS=TOTP_STEPSIZE factor
ENABLE_IDV_CROSSDOMAIN_AUTHENTICATION=1
Administration - Important notes.ini Settings

87. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 87
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Roadmap
Motivation User Workflow
Wording Administration
How Does it Work? Troubleshooting
Prerequisites Q & A
Setup References
Traveler

88. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 88
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Troubleshooting
Check configuration

89. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 89
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Troubleshooting
Run “TOTP Configuration Check”

90. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 90
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Troubleshooting

91. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 91
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Troubleshooting

92. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 92
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Troubleshooting
Collect Fiddler trace

93. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 93
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Troubleshooting
Set debug in notes.ini

94. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 94
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
DEBUG_IDV_CONNECT=1
DEBUG_IDV_API=1
DEBUG_IDVAULT_SERVER_SELECTION=1
iNotes_WA_DebugSecMailNotesID=1
DEBUG_INETPWD_CHECK=1
WEBAUTH_VERBOSE_TRACE=1
Troubleshooting - Debug Parameters

95. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 95
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
DEBUG_TOTP=2
DEBUG_IDV_TOTP_TRANS=1
Troubleshooting - Debug Parameters (cont.)

96. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 96
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Roadmap
Motivation User Workflow
Wording Administration
How Does it Work? Troubleshooting
Prerequisites Q & A
Setup References
Traveler

97. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 97
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Q & A
Does TOTP work offline!?
YES!

98. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 98
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Q & A
TOTP code same on every device!?
No!

99. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Evolve, disrupt. Together…
Further questions?

100. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 100
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
TOTP algorithm definition
https://datatracker.ietf.org/doc/html/rfc6238
OTP, TOTP and HOTP
https://www.onelogin.com/learn/otp-totp-hotp
Domino TOTP
https://help.hcltechsw.com/domino/12.0.0/admin/conf_totp_overview.html
References

101. Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com 101
Copyright © 2022 HCL Technologies Limited | www.hcltechsw.com
Traveler TOTP
https://help.hcltechsw.com/traveler/12.0.0/mobile_support_totp.html
Statista
https://www.statista.com/statistics/1305250/reasons-for-not-using-mfa-us-uk/
References