1. What is TOTP?
TOTP is an acronym for Time-based One-Time Passwords. TOTP is a type of Authenticator app. Authenticator apps are used as a second layer of security beyond entering a password, which helps provide an additional level of protection against unauthorized access to online accounts.
If you already have TOTP installed on your mobile device, you are welcome to skip ahead to How to Set Up TOTP within Transaction Manager.
2. How Authenticator Apps like TOTP Work
When setting up an authenticator app, you link your online account(s) to the app by scanning a QR code or manually entering a unique key provided by the service you wish to secure. Once the account is linked, the app generates a unique, time-sensitive code that you need to enter alongside your account’s username and password during the login process. The code changes every few seconds, adding an extra layer of security that makes it significantly more difficult for hackers to gain unauthorized access to an account.
3. Examples of Popular Authenticator Apps
Google Authenticator
Developed by Google, this app is widely recognized and used for Two-Factor Authentication (2FA) across various platforms and services. It supports algorithms for both TOTP and HOTP (HMAC-based One-Time Password; HMAC stands for Hash-Based Message Authentication Code and in cryptography, it stands for a message authentication code using a cryptographic hash function and secret cryptographic key).
Download Links
Microsoft Authenticator
Microsoft’s authenticator app is designed to provide an additional layer of security for Microsoft accounts. Features include fingerprint or face recognition for quick and secure access.
Download Links
Twilio Authy Authenticator
Authy is a popular authenticator app that goes beyond TOTP. It provides encrypted cloud backup and multi-device synchronization, allowing users to access their codes across multiple devices. Authy also offers an intuitive interface and supports features like PIN (Personal Identification Number) protection and biometric authentication.
Download Links:
4. How to Set Up the TOTP App on Your Mobile Device
Most authenticator apps follow a similar process. In this example, we will be following the process with Google Authenticator being set up on an iPhone, as Google Authenticator is one of the most frequently used apps for TOTP.
You will need two devices in order to easily complete this process:
- Your mobile phone with camera capabilities
- A laptop, PC, Mac, or tablet with your email and browser open
Perform the following steps:
1. Go to the App Store and click the Search Feature (1).
2. Enter Google Authenticator in the Search field (2)
3. When Google Authenticator comes up as one of the app options, click the download icon (3) to download the application to your mobile device.
4. Once the app has finished downloading, there will be an option to Open the app. Select OPEN.
5. You will then be brought to an introductory screen welcoming you to get verification codes for all your accounts using two-step verification. Click Get Started at the bottom of the screen.
6. You will then be directed to a Sign in screen. Click Sign in and then go ahead and sign in.
Once you select Sign in, the following message will pop up:
“Authenticator” Wants to Use
“google.com” to Sign In
This allows the app and website to
share information about you.
Cancel | Continue
7. Select Continue.
This will bring you to a Sign in page where you can sign in with your Google Account.
8. Enter your email or phone and select Next, then enter your password and select Next.
9. You will then come to a screen asking you to Add a code. Simultaneously you will receive a security alert email to the email address associated with your Google sign in advising that a new sign in occurred from a phone. Since that was you setting up Google Authenticator, you don’t need to do anything further with that email.
10. On your phone, select Add a code.
11. You will then be brought to a screen asking you to Scan a QR code or Enter a setup key. We recommend selecting Scan a QR code.
You will then receive a message as follows:
“Authenticator” Would like to
Access the Camera
Authenticator uses your camera to
Scan barcodes.
Don’t Allow | OK
12. Select OK
Now you are ready to enable TOTP within Transaction Manager.
5. How to Pair your TOTP App to Your Transaction Manager Account
Note: your user experience in this section will mirror that of your merchants.
Perform the following steps:
1. Log in to Transaction Manager.
2. This will bring you to a page advising we need to confirm your identity through the sharing of a Security Code to your email account. Select Next.
3. You will then be brought to a screen showing your email address on file. Click Get Security Code.
4. You will then see the following Enter Your Security Code screen.
Simultaneously, you will receive an email with a Security Code that you should copy to your clipboard.
5. Paste the copied Security Code into the corresponding field on the screen and then click Submit.
You will then see a Security Profile screen as follows, advising you to install an authenticator app, in the event that’s not already been done, and then asking the user to scan a unique QR code using the app.
Please note the links within the screen above next to steps 1 and two which explain what an authenticator app is and how to scan a QR code, in the event that any of these steps involves information that is unfamiliar.
6. You can then open your authenticator app on your mobile device. In the example below we will continue the process using the Google Authenticator app. In Google Authenticator, click the + sign at the bottom right. This will take the user to a screen with the option to Scan a QR code. Tap that option.
7. Now the app will enable your camera so that you can scan the QR code. Once scanned, you will receive a code to then enter into Transaction Manager. Note the timer feature on the right indicating the code is time-based and expires quickly and is replaced by new codes every several seconds. Enter the active, unexpired Security Code into Transaction Manager and click Submit.
8. Once completed, you will receive confirmation that your profile has been successfully updated. Click Return to Home Screen to continue business as usual.
9. Each subsequent time you log in you will then come to the following screen.
10. Open your authenticator app, enter the code provided before it expires, and select VERIFY CODE.
From there you will proceed to the Home screen.
6. What to Do if the TOTP Permission Is Not Yet Activated within Transaction Manager
Note: Your user experience in this section will mirror that of your merchants.
If, when you log in, you go straight to the Home page and do not go through the security screen process described in section 5, that simply means that your Channel Partner has not yet enabled Two Factor Authentication on your user profile. You can actually set this up yourself.
To enable TOTP, perform the following steps:
1. At the top menu bar, click USER MANAGEMENT.
2. Under the header in the middle of the screen.
Find your profile and click the Select Actions dropdown.
3. Doing so will result in a pull-down menu being displayed. From here, select User Profile.
4. With this selected, then select SUBMIT.
5. This will bring you to your User Profile with the Two Factor Authentication options at the bottom of the screen. Select Enable TOTP Authentication and then UPDATE.
Upon successful updating, you will see confirmation on the main USER MANAGEMENT screen.
6. If you then LOGOUT,
the next time you log in, you will be brought to the Confirm Your Identity screen referenced at the beginning of Section 5. Follow the steps in Section 5 to complete the pairing of your authenticator app to your Transaction Manager login.
7. The Transaction Manager Login Experience After Complete TOTP Set Up
Note: Your user experience in this section will mirror that of your merchants.
The next time you log in, you will immediately see the following:
Open your Authenticator app, find the security code associated with Transaction Manager, enter it, select VERIFY CODE, and then you will be brought to the Home screen to conduct business as usual.
8. How to Set Up TOTP for Your Entire Channel in Transaction Manager
Perform the following steps:
1. Log in to Transaction Manager.
When you configure Multi-Factor Authentication (MFA) for your channel, this will result in all users being set up to require MFA including both your channel users and your channel’s merchant users.
3. From the main menu, select TOOLS and then Two Factor Authentication Configuration.
4. Check the Require Two-Factor Authentication box.
Once you select Require Two-Factor Authentication, options will appear for OTP, DUO, and TOTP.
5. Select TOTP.
The refreshed screen will provide useful information for users that are not as familiar with TOTP.
6. Select UPDATE.
You will then see a message stating that the Configuration was updated successfully at the top of the screen.
From this point forward, all users under this channel, including channel merchants will need to authenticate their identity by using a Time-based One Time Password in order to access Transaction Manager. As such, it is strongly recommended that you ensure all channel users are advised to download an Authenticator app prior to implementing it.
9. How to Set up TOTP for Individual Users within your Channel in Transaction Manager
Perform the following steps:
1. After logging in to Transaction Manager, to configure Multi-Factor Authentication (MFA) for an individual user, on the main menu click USER MANAGEMENT, highlight the user that you would like to update, click Select Actions, and from that submenu click User Profile, then click Submit.
This will bring you to the User Profile Page where the MFA options are available at the bottom of the page.
2. To complete the setup of TOTP for this user, select Enable TOTP Authentication, then click UPDATE.
Once updated you will receive confirmation that user’s profile has been successfully updated.
3. The next time the updated user logs into Transaction Manager by logging in with their username and password and clicking LOGIN,
that user be brought to a screen where they are advised that security enhancements designed to confirm the user’s identity and where the user processes transactions have been implemented. The user needs access to their email account, where they will receive a Security Code. Select Next.
4. The user will then be brought to a screen showing them the email address on file. Click on Get Security Code.
Upon clicking, the user’s screen will update as follows.
5. Simultaneously, the user will receive an email with a security code that the user should copy to their clipboard
and then paste it into the screen, and then click Submit.
6. The user will then see a screen as follows, advising to install an authenticator app, if that’s not already been done, and then asking the user to scan a unique QR code using the app.
Please note that links explaining what an authenticator app is and how to scan a QR code are provided to the right of those two steps, in the event that any of these steps involve information that is unfamiliar to the user.
7. The user will then open the Authenticator app they have installed on their mobile device. Google Authenticator is used in the example below. Once the user opens Google Authenticator, they will click the + sign at the bottom right. This will take the user to a screen with the option to Scan a QR code. Tap that option.
8. Upon doing so the app will enable the user’s camera to scan the QR code. This will result in the user receiving a code to be entered into Transaction Manager. Note the timer feature on the right indicating the code is time-based and expires quickly. As such, if a code expires, repeat the step to scan the QR code and enter it into Transaction Manager, and submit as needed.
9. Once successfully completed, the user will receive confirmation that the user’s profile has been successfully updated. Click Return to Home Screen to continue business as usual.
10. The next time the user logs in, the user will see the following screen.
11. The user must then open their Authenticator app and enter the code provided and select VERIFY CODE as in the example below, and then they will be brought to the Home screen where they can then conduct business as usual.
10. How a Merchant with an Authenticator App Can Set Themselves Up with TOTP in Transaction Manager
Perform the following steps:
1. Log in to Transaction Manager.
2. At the top menu bar, click USER MANAGEMENT.
3. Under the header in the middle of the screen,
Find your profile and click Select Actions.
4. Doing so will result in a pull-down menu being displayed. From here select User Profile.
5. With this selected, then select SUBMIT.
6. This will bring you to your User Profile with the Two Factor Authentication options at the bottom of the screen. Select Enable TOTP Authentication and then UPDATE.
Upon successful updating, you will see confirmation on the main USER MANAGEMENT screen.
7. If you then LOGOUT,
the next time you log in, you will immediately see the following:
8. Enter the code provided by the Authenticator app you selected and then you will be able to navigate through the site to manage your business as normal.
11. Reverifying Your Authenticator App
Once you are fully set up, on the Two Factor Authentication screen, you will see a link beneath VERIFY CODE called Can’t access 2FA device? Reverify Authenticator App.
Selecting this link will bring you back to the Confirm Your Identity screen in section 5 so that you can pair your authenticator app with your Transaction Manager Account. This is especially helpful if you decide to change authenticator apps and need to pair a new app with your Transaction Manager
12. Best Practices for Rolling Out TOTP for Your Channel
When you roll out TOTP for any of your users within your organization or your merchant base, it is most important that users receive advance notice and are provided the information found in the first 5 sections of this document so that they can get an understanding of what TOTP is and how it works and download a TOTP app, so that when TOTP is required on their login that they are not caught off-guard and confused. These first 5 sections, as well as other supplemental material, are available to your clients in the Merchants section of our documents portal.