Can I provision multiple devices for the same CA Mobile OTP Account and generate correct OTPs simultaneously?

Document ID : KB000009910
Last Modified Date : 14/02/2018
Introduction:

Is it possible for a user to activate CA Mobile OTP (also known as CA AuthID OTP or Arcot OTP) on different devices, such as multiple smartphones, tablets or computers, simultaneously? If so, the user should be able to generate a valid OTP from any of the devices and authenticate.

Background:

1. CA Mobile OTP can be generated using any of the clients, for example the CA Mobile OTP Desktop clients, the CA Mobile OTP app (available for Android, iOS, Windows Phone) or any customized app built on the CA Mobile OTP SDK (available for Android, iOS, Winphone, Javascript and other platforms).
2. Users can generate all-purpose secure software passcodes using the Mobile OTP clients, and then use the generated passcodes for authentication. Mobile OTP credentials are compliant with OATH standards and support both counter-based (HOTP) and time-based (TOTP) passcodes. Mobile OTP also supports the Transaction Signing feature in the Sign mode of passcode generation. This feature conforms to the OATH Challenge-Response Algorithm (OCRA) defined by RFC 6287.
3. To generate the passcode, the user has to first add the account and set the password or the PIN for the Mobile OTP credential on any of the Mobile OTP Clients.
4. Passcode generation is an offline process, which means the client application need not connect to the authentication server for generating passcodes.
5. The lifecycle management of Mobile OTP credential is handled by CA Strong Authentication Server.

Environment:
CA Strong Authentication 8.x on any supported environment (please refer to the Platform Support Matrix)
Any CA Mobile OTP Client (please refer to the Platform Support Matrix for the different types of supported devices and available libraries/SDK)
Instructions:

Once the user's CA Mobile OTP account is provisioned, the client application that you use (either the out-of-box app available on app stores or one built using the CA Mobile OTP SDK) takes the user’s PIN as input and generates passcodes on the user’s device. It is possible to download the same CA Mobile OTP Account to multiple devices and generate the OTP from any OTP client. However, you need to consider the following:
1. In the case of counter-based OTP (HOTP), the client and the server maintain the count separately. The OTP is generated based on this count. If the CA Mobile OTP account is downloaded to multiple devices, the count may be increased on one device (say device-A), and the server increases its count correspondingly. In this case the counter on the other device (say device-B) falls behind, and OTPs generated by device-B will not work beyond the tolerance window. If synchronization is done on device-B, then device-A goes out of sync. So there are issues with HOTP when a Mobile OTP Account is downloaded to multiple devices.
2. In the case of time-based OTP (TOTP), the device time is used for generating the OTP. As long as the times of the different devices are within the tolerance window, OTPs from all the devices will work simultaneously. CA Strong Authentication uses its database time as the time input. It is recommended to synchronize the database time with a centralized time server periodically and keep the database time correct. The client devices are also expected to keep their time within the tolerance window. On most mobile phones the time is updated automatically from the network provider by default, so it rarely goes out of sync. Please set your time tolerance window (for both Authentication and Synchronization) as per your requirement.
3. While designing the middleware, please make sure you provide a flow to download the same CA Mobile OTP Account to multiple devices. When downloading the OTP account, the middleware should not create a new Mobile OTP Account each time.
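
The counter and clock behaviour described in points 1 and 2, as an added example that is not CA code: it is generic RFC 4226 / RFC 6238 logic, and the look-ahead window of 3 counters, the drift of ±1 time step, the RFC 4226 test key and the clock values are all assumptions chosen for illustration.

```python
import hashlib, hmac, struct

SECRET = b"12345678901234567890"  # RFC 4226 test key, stands in for the shared account

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=30):
    """RFC 6238: HOTP with the counter replaced by the current time step."""
    return hotp(secret, unix_time // step)

class HotpServer:
    """Generic look-ahead validator; window=3 is an assumed tolerance."""
    def __init__(self, secret, window=3):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, otp):
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1  # accepted: move past the used counter
                return True
        return False

def totp_verify(secret, otp, server_time, step=30, drift_steps=1):
    """Accept codes from time steps within +/- drift_steps of the server clock."""
    return any(hmac.compare_digest(totp(secret, server_time + d * step, step), otp)
               for d in range(-drift_steps, drift_steps + 1))

def simulate_hotp(logins_on_a=5):
    """Device A logs in repeatedly, then device B tries with its stale counter."""
    server, dev_a, dev_b = HotpServer(SECRET), 0, 0
    results = []
    for _ in range(logins_on_a):
        results.append(server.verify(hotp(SECRET, dev_a)))
        dev_a += 1
    results.append(server.verify(hotp(SECRET, dev_b)))  # B is behind the server
    return results

def simulate_totp(server_time=100, skews=(-10, 20, 150)):
    """Three devices share the key; clocks are off by the given seconds (constructed)."""
    return [totp_verify(SECRET, totp(SECRET, server_time + s), server_time)
            for s in skews]

if __name__ == "__main__":
    print("HOTP, A x5 then B:", simulate_hotp())
    print("TOTP, skew -10/+20/+150 s:", simulate_totp())
```

Device A's five HOTP logins succeed and device B's code is then rejected, while under TOTP only the device whose clock is outside the drift window fails.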

Additional Information:

Please refer to the Platform Support Matrix for the CA Strong Authentication environment and supported devices for CA Mobile OTP clients and available libraries (SDK).