Enabling OTP Client Authentication

Organizations can enhance security by implementing OATH OTP-based authentication alongside standard password-based login for local Delinea Platform accounts.

This topic outlines the steps to enable users to enroll and log in to the Delinea Platform using an OTP client as a Multi-Factor Authentication (MFA) mechanism.

The same approach can be extended to users from external directories, such as Active Directory (AD), though some additional configuration may be required. The platform’s identity policies and authentication profiles provide extensive flexibility, enabling organizations to design authentication workflows that meet their specific security and operational needs—going beyond the basic setup described in this topic.

Create a Group for OTP Users

  1. Navigate to Access > Groups.

  2. Click Add Group and provide a name (e.g., OTP-group).

Define an Identity Policy for OTP Authentication

An identity policy enforces authentication rules for users. Configure an OTP-based identity policy and assign it to the group.

  1. Navigate to Access > Identity policies.

  2. Click Add Policy and provide a name (e.g., OTP-policy).

  3. Assign the identity policy to the group (e.g., OTP-group).

  4. At a minimum, configure the policy with the following settings:

    1. Navigate to the Authentication tab.

      1. In the Services section, click Edit.

      2. Select Enable authentication policy controls.

      3. Set (or create) a Default authentication profile with the following authentication mechanisms:

        • Challenge 1: Password

        • Challenge 2: OATH OTP client

      4. Click Save.

    2. Under Other Settings, click Edit.

      1. Enable Allow users without a valid authentication factor to log in, then Save. Enable this option only if users must be able to reach the Platform before they have enrolled an OTP client (that is, after accepting the invitation but before completing the enrollment described under Create and Onboard an OTP User below). During that window the account is protected by its password alone, so keep the window short: the Require users to configure at sign-in setting below forces enrollment at the user's first login.

    3. Under User Security > OATH OTP tab, click Edit.

      1. Enable OATH OTP integration to allow users to authenticate using an OTP client, and Save.

    4. Under User Security > Authentication settings, click Edit.

      1. Select Enable users to configure an OATH OTP client. This option requires the OATH OTP integration enabled in the previous step.

      2. Enable Require users to configure at sign-in. This forces users to enroll their OTP client during onboarding before gaining full access to the Platform.

      3. Specify an OATH OTP Display Name (e.g., Google Authenticator).

      4. Save.

Create and Onboard an OTP User

Once the identity policy is set up, create a test user and verify the onboarding flow.

  1. Create a local user (e.g., OTP-user@domain).

  2. Assign the user to the OTP user group (e.g., OTP-group).

  3. The user will receive an invitation email to join the Delinea Platform.

  4. After accepting the invitation, the user is required to set a password during their first login.

  5. The user will then be prompted to enroll their OTP client (e.g., Google Authenticator).

  6. The user scans the QR code generated by the platform with their OTP client and follows the steps provided to complete the enrollment. The QR code encodes the shared OTP secret, so it must be treated as a credential: scan it only from the user's own device and never save or forward the image.


Platform Login Flow

On every subsequent login to the Platform, the user follows these steps:

  1. Enter their username and password.

  2. When prompted, enter the OTP code generated by their OTP client (e.g., Google Authenticator).

  3. If authentication is successful, access to the Delinea Platform is granted.
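How the code the user enters in step 2 is produced and checked, as an added example that is not Delinea Platform code: OATH OTP clients such as Google Authenticator implement RFC 6238 TOTP on top of RFC 4226 HOTP, and the enrollment QR code from the onboarding procedure above encodes an otpauth:// URI carrying the shared secret. The block below shows the client side (code generation), the URI an enrollment QR code carries, and a verifier that tolerates one time step of clock drift while refusing replay of an already-used code. The 6-digit / 30-second / HMAC-SHA1 parameters, the issuer string "Delinea Platform" and the demo key are assumptions for illustration; the platform's actual settings and internals are not shown here.

```python
"""RFC 6238 TOTP as used by OATH OTP authenticator apps: client-side code
generation, the otpauth:// provisioning URI behind an enrollment QR code, and
a server-side verifier.  Added example, not Delinea Platform code.  Digits,
period, algorithm and issuer are assumptions (the defaults most apps use)."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

DIGITS = 6          # assumption: 6-digit codes
PERIOD = 30         # assumption: 30-second time step
ALGORITHM = "SHA1"  # assumption: HMAC-SHA1, the RFC 6238 default


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).
    This is what the authenticator app displays to the user."""
    return hotp(secret, at // period, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an enrollment QR code encodes.  The shared secret
    is in it in cleartext, which is why the QR code is itself a credential."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm={ALGORITHM}&digits={DIGITS}&period={PERIOD}")


def verify(secret: bytes, code: str, at: int, window: int = 1,
           last_counter: int = -1) -> tuple[bool, int]:
    """Verifier side.  Accepts the code for the current step and up to
    `window` steps of clock drift either way, compares in constant time, and
    rejects any step at or before `last_counter` (the step of the last
    accepted code) so a captured code cannot be replayed within its lifetime.
    Returns (accepted, counter_to_store_for_the_user)."""
    current = at // PERIOD
    for step in range(current - window, current + window + 1):
        if step <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            return True, step
    return False, last_counter


# Constructed demo secret: the RFC 4226 / RFC 6238 test key, never a real one.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri(DEMO_SECRET, "OTP-user@domain", "Delinea Platform"))
    now = int(time.time())
    code = totp(DEMO_SECRET, now)      # what the OTP client shows right now
    ok, counter = verify(DEMO_SECRET, code, now)
    print(code, ok)                    # accepted on first use
    print(verify(DEMO_SECRET, code, now, last_counter=counter)[0])  # replay refused
```

The verifier must persist the returned counter per user; without it, a code observed over the shoulder or phished remains valid for the rest of its 30-second step plus the drift window. Keep the window small (one step is the RFC 6238 recommendation) and make sure the verifier's clock is synchronized, since drift beyond the window is indistinguishable from a wrong code.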

Summary

By requiring an OATH OTP code in addition to the password, a stolen or guessed password alone is no longer sufficient to access the Delinea Platform. This approach lets organizations enforce MFA for local Platform accounts and reduces the risk of unauthorized access.