Use One Time Password (OTP) in External Apps
This topic describes registering and viewing Offline Token in an External application using Kron PAM.
Currently, users can view Offline Token in the Kron PAM mobile application. However, some customers request to view Offline Token in their own apps.
Standard 1: Kron PAM server and mobile application use TOTP (Time-Based One-Time Password Algorithm) to create and view one-time tokens. The IETF RFC number is RFC 6238. See the RFC document for development on the mobile side.
Standard 2: Kron PAM creates the QR codes according to the ISO/IEC 18004:2015 standards.
As such, you can either write the QR Code and TOTP algorithms according to these standards or use any third-party libraries supporting these standards.
Kron PAM uses the following TOTP parameters:
- Algorithm: SHA1
- Digits: 6
- Counter: -not used-
- Period: 30 seconds
- Secret: obtained from the QR code
When decoding the QR code, a key string is acquired. It is a 36-character key. You discard the first four characters and use the last 32 digits.
There are two main functions under this subject:
a. Registering the QR code The customers need to design a QR code scanning feature on their own mobile apps. This feature should be compatible with Standard 2, which is explained above. When the QR code is scanned by the mobile app, the output string should be seen below: 'otpauth://totp/Single%20Connect%20Radius%20Account%3Aadmin%40kron.com.tr?secret=47HY4SRA V74Z72H07BQY53GDNJCLQDWSJUJV&issuer=Single%20Connect%20Radius%20Account&algorithmzSHA1'
Then the mobile app should use and record this secret key into the mobile device.
b. Generating an offline token using the pre-registered QR code
The customers need to design an offline token generation feature on their own mobile apps. This feature should be compatible with Standard 1, which is explained above. This feature should use the recorded secret key while generating the offline token with PAM OTP parameters.
- Kron PAM Admin sends QR Codes to the Users via email from the Kron PAM menu.
- Users scan the QR Codes on the Customer Mobile App QR Code Registration screen. Mobile Device records the QR Codes.
- Customer Mobile User generates offline token on Customer Mobile Application.
- Customer Mobile User uses the offline token in the required business flows on Kron PAM.
In some cases, the Mobile Application User has to register the QR codes again. When the user uses a new mobile device or loses the recorded secret key on the mobile device (during the mobile app updates), the user must re-register the QR codes. If the Mobile User has the previous email that includes the QR Code, the Mobile User can use this code. Otherwise, Kron PAM Admin may send a new email to the Mobile User.