TOTP Authenticator

Schema URN
urn:pingidentity:scim:api:messages:2.0:TOTPAuthenticationRequest

Time-based one-time password (TOTP) authentication is probably the most widely used second factor authentication method. An app installed on a user’s smartphone, such as Google Authenticator or Authy, is loaded with a secret also shared by the authentication service. Then, both the app and the authentication service — and only those two parties — can compute a rolling temporary password based on the shared secret and the current time. This provides a good layer of authentication security so long as neither the shared secret nor the authenticator app falls into the hands of a malicious third party.

Field     Type    Description
status    string  Indicates the authenticator state. Values are unavailable, ready, failure, or success.
password  string  A one-time password provided by the end user. This should be set by the auth UI.
error     string  An error code set by the Broker if the one-time password is rejected. Typically, the value will be invalidCredentials.

Authentication

To make an authentication request using the TOTP authenticator, the auth UI should set the password field with the one-time password provided by the end user:

{
  "urn:pingidentity:scim:api:messages:2.0:TOTPAuthenticationRequest": {
    "status": "ready",
    "password": "234234"
  }
}

If the one-time password is rejected by the Data Governance Broker, then the status field will be set to failure, and an error code will be provided in the error field:

{
  "urn:pingidentity:scim:api:messages:2.0:TOTPAuthenticationRequest": {
    "status": "failure",
    "password": "234234",
    "error": "invalidCredentials"
  }
}

If the one-time password is accepted, then the status field will be set to success:

{
  "urn:pingidentity:scim:api:messages:2.0:TOTPAuthenticationRequest": {
    "status": "success",
    "password": "864516"
  }
}
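The exchange above, end to end, as an added example that is not part of this page or of Ping Identity's product code: the RFC 6238 computation both the app and the service perform, the request the auth UI builds, and a simplified stand-in verifier that answers with the status and error values documented above. It assumes the common authenticator defaults (HMAC-SHA1, 30-second step, 6 digits); the skew window and replay check are illustrative choices, not the Broker's documented behaviour.

```python
import hashlib
import hmac
import struct

SCHEMA_URN = "urn:pingidentity:scim:api:messages:2.0:TOTPAuthenticationRequest"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with the defaults most authenticator apps use:
    HMAC-SHA1 over the big-endian time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def build_request(password: str) -> dict:
    """The message the auth UI submits: status 'ready' plus the user's code."""
    return {SCHEMA_URN: {"status": "ready", "password": password}}


def verify(request: dict, secret: bytes, unix_time: int, used_steps: set,
           step: int = 30, window: int = 1) -> dict:
    """Simplified stand-in for the Broker's check (assumed behaviour, not the
    product's code). Accepts the current time step or one on either side to
    absorb clock skew, refuses a step that already produced a success (replay),
    and otherwise answers with status 'failure' and error 'invalidCredentials'."""
    body = dict(request[SCHEMA_URN])
    supplied = body.get("password", "").encode()
    now_step = unix_time // step
    for candidate in range(now_step - window, now_step + window + 1):
        expected = totp(secret, candidate * step, step).encode()
        # Constant-time comparison so a wrong code does not reveal how many
        # digits matched through response timing.
        if hmac.compare_digest(expected, supplied) and candidate not in used_steps:
            used_steps.add(candidate)
            body["status"] = "success"
            return {SCHEMA_URN: body}
    body["status"] = "failure"
    body["error"] = "invalidCredentials"
    return {SCHEMA_URN: body}
```

The shared secret here is the RFC 6238 test-vector secret, so the codes can be checked against the published tables; a real deployment provisions a random per-user secret and stores it encrypted on the service side.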