TOTP Device Enrollment

Last modified on May 16, 2023

Time-based One-time Password (TOTP) is an additional factor for authentication. With TOTP, you first log in with your username and password as normal, and then you enter the current TOTP code.

With TOTP, a server-side algorithm generates a one-time code that expires and rotates very quickly. An application on your device generates a matching code from the same shared secret. When you enter the code from your device, the two are compared, and if they match, you are authenticated. This factor requires you to physically possess your device, in addition to knowing your username and password, to log in to the service.

TOTP is available as a multi-factor authentication (MFA) option for your StrongDM organization. This guide describes how to enroll in MFA using one-time passwords to allow you to log in to access resources via StrongDM.

Prerequisites

  • In order to set up your MFA with StrongDM you will need to already have a StrongDM account. Please see your organization’s StrongDM administrator if you do not.
  • Your organization must have enabled MFA using TOTP in order for individual users to use it.
  • Before starting, download your TOTP mobile application of choice (such as Authy or Google Authenticator). Some desktop applications, such as password managers, also include TOTP functionality that you can use instead, if you wish.

TOTP Device Enrollment

Desktop Login Requesting That the User Enroll Their Device

When you attempt to log in to StrongDM, if MFA using TOTP is enabled for your organization, you will receive an alert message indicating that you need to enroll your device. Follow the prompt to begin.

The first step in TOTP device enrollment is to log in as normal

The first screen will simply ask you to log in using your normal username and password.

Next, scan the QR code with your TOTP app

The next screen presents a QR code. Using the TOTP application on your device, scan the QR code, or select Show code to display the secret for manual entry in your TOTP application. You might use the manual code if you are using a desktop TOTP application, or if you cannot scan a QR code (or prefer not to).

Once you do this, your TOTP application saves a StrongDM entry and presents you with a confirmation code.

Enter the confirmation code to finish device enrollment

At the next prompt, back on the StrongDM page, enter the confirmation code that your TOTP application gave you.

TOTP device enrollment is successful

If it worked, you will see the success screen.

Enter TOTP Code During Desktop Login

Now, when you log in to the StrongDM Desktop App, you will be presented with an MFA prompt. Simply check your TOTP application for the current code and type it in.

Enter TOTP code during Admin UI login

A similar prompt will follow an attempt to log in to the Admin UI.

New device setup or existing device reset

If you get a new mobile device or have to reset your existing device, you may be unable to log in to your TOTP-protected account. If this situation occurs, please contact your organization’s StrongDM administrator to reset your TOTP.