Setting up TOTP
Overview of TOTP
When you add TOTP as a sign-in method, the authentication system (Office365) generates a key which is displayed to you as a QR code and which you import into an authenticator app. That key is a shared secret known only to the authentication system and your authenticator app, so treat the QR code (and its text form) as you would a password.
A standard keyed-hash method (HMAC, as specified in RFC 6238) is used to generate a pseudo-random 6-digit code from the secret key combined with the current time, counted in increments of 30 seconds. Thus the code changes every 30 seconds, and without the secret key one code tells you nothing about the next.
At login time, you provide your password and are then prompted for the verification code, which you obtain from the authenticator app. Since the authentication system has access to the same secret key and the same clock, it generates the same six-digit code. Thus entering the correct code proves that you have the shared secret key.
There is a grace period of about 15 seconds for entering a code after it changes. Because the code depends on the time, the clock on the device running the authenticator app must be reasonably accurate; phones normally set it automatically, but a desktop or command-line TOTP tool on a machine with a wrong clock will produce codes that are rejected.
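As an added illustration of the overview above (not part of the original page or of any Microsoft software), the following Python script computes TOTP codes exactly as an authenticator app does: it decodes the secret key from the text form shown during enrolment (groups of base32 letters, with spaces and lower case tolerated), derives the 30-second time counter, and applies HMAC-SHA1 with the RFC 4226 dynamic truncation. The verify() function shows the server side, accepting the adjacent time steps to tolerate clock drift. The secret used in the demonstration is the public RFC 6238 test vector, not a real account key.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(text):
    """Decode a base32 shared secret as shown in text form by the enrolment page.
    Spaces, hyphens and case are ignored, and missing '=' padding is restored."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the authenticator app computes every 30 seconds."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits)


def verify(secret, candidate, timestamp=None, step=30, window=1):
    """Server-side check: accept the code for the current step and `window`
    steps either side, which tolerates clock drift and the time it takes to
    type the code. Comparison is constant-time to avoid leaking digits."""
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, len(candidate)), candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed input: the RFC 6238 test secret "12345678901234567890",
    # written the way an enrolment page shows a key in text form.
    key = decode_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    now = time.time()
    print("current code:", totp(key, now))
    print("seconds until it changes:", 30 - int(now) % 30)
```

To check the script against a real account, enter the secret key shown under "Can't scan image" into decode_secret() and compare the printed code with the one in your authenticator app; if they differ, the most likely cause is the computer's clock being off by more than a minute.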
Choose a TOTP app
Options on a phone or tablet are Google Authenticator, Microsoft Authenticator (it can also do TOTP), Authy and various others. There are also TOTP apps available for Windows, Linux and Mac, a command-line tool for Linux or Mac, and a web-browser extension.
Add a TOTP method to your Office365 account
- go to https://mysignins.microsoft.com/security-info
- choose "Add a sign-in method" then "Microsoft Authenticator"
If you want to use Microsoft Authenticator as the TOTP app, then:
- click Next and follow the on-screen instructions.
Otherwise:
- choose "I want to use a different authenticator app"
When you click Next, a QR code will be displayed. If you are using a TOTP app on a mobile device, that app will use the device's camera to scan the QR code. However, in some cases, such as using a TOTP app on the same computer on which the QR code is displayed, it may be necessary to choose "Can't scan image". In that case you will be shown the account name and the secret key in text form; TOTP apps allow you to enter the secret key in text form.
Make TOTP the default method
This step is necessary if you use the OpenConnect VPN-client, typically on Linux, to establish a VPN connection to TRIUMF. Otherwise, it is optional.
There's a line in small-font near the top that begins with "Sign-in method when most advisable is unavailable".
Near the end of this line is a link called "Change".
- click Change and choose "App based authentication or hardware token - code"