ApplicGate
(v12.0.9036.21357 started 2024-10-09 03:18:43 on VM2)

Time-based One-Time Password (TOTP):
TOTP works with Authenticator Apps e.g. from Google and Microsoft, see schema.

To configure TOTP for logon, manage, status, web, and web destination routing entries see here.

When the shared secret is initialized, authentication must be done by a one-time password sent via SMS or email.
TOTP is configured like OTP with the additional keyword TOTP.

The string "OTP-Authenticator" is stored as "Issuer" and it can be checked via the ISS keyword.
A list of active TOTP sessions is shown here.
A description of the state values is shown via tool tip (mouse over "State" values) or can be found here
For security reasons routing entries using TOTP should have the UID field specified to be able to link session objects to a specific routing entry.

To configure TOTP for autologon/reverselogon routing entries see here.

If you need a function only for initialization of the authenticator (no forwarding to a service), especially useful for ApplicGate VPN clients with Authenticator logon:
- Configure a routing table entry with GatewayIP2=logon and with following keywords:
-- SSL:certificate
-- OTPR:OTP
-- SENDOTP:OTP\SendOTP.bat ... for notification via SMS
-- TOTPM ... for notification via email
-- OTPF:OTP/totp.htm

For TOTP the file OTPlist.csv is extended with two additional fields:
- SecretDate ... date/time when the shared secret has been initialized.
- Secret ... shared secret: 16 character Base32 string, if encrypted this string starts with "=".

Keyword TOTPC:certfile[/parameter] ... optional, path to certificate file or thumbprint of certificate used to encrypt/decrypt the shared secret
Note: This keyword may be specified only for manage routing entries.
- It is not supported for .NET Frameworks lower than 4.6.
Further hints and options concerning certificate loading can be found here.

If there is a need to decrypt the shared secrets (e.g. when the encryption certificate should be changed):
- Open a command window and change to the directory where ApplicGate.exe and OTPlist.csv is stored.
- Issue following command: ApplicGate.exe /OTPdecrypt=certfile[/CU][/LM]
- certfile must be the same as specified with the keyword TOTPC
- Then all shared secrets will be decrypted and copied to the file OTPlist_decrypted.csv
- This file can be renamed to OTPlist.csv and loaded.
- As soon as a new secrete is generated and OTPlist.csv is written by ApplicGate all secrets will be encrypted using the certificate specified in TOTPC.

ApplicGate Logo  reinhold.leitner@applicgate.com (C) September 2024
www.applicgate.com