Enabling TOTPs for Launchers

Most commonly, time-sensitive one-time passwords (TOTPs) are generated by a mobile application, such as Google Authenticator or Microsoft Authenticator. Additionally, Secret Server can be used as the TOTP generator for RPC or launchers (for web password secrets only at this time). Both the secret and the secret template require configuration for this use.

When configuring TOTP on a Secret Server template, make sure that the hashing algorithm specified in the template matches the algorithm used by the external system providing the key. The same 32-character key can produce different TOTP outputs depending on whether SHA1, SHA256, or SHA512 is used. Failure to match the hashing algorithms can result in incorrect TOTP codes and authentication failures.

Secret Template Setup

To enable TOTP on a Secret Server template:

  1. Go to Administration button > Secret Templates.

  2. Select the desired template, and click the Edit button. The Secret Template Designer appears.

  3. Navigate to the One Time Password section of the page, and click the Edit button.

  4. Click to select the One Time Password Enabled check box. This enables the option with default settings:


    These are the values that most one-time password instances, such as Google and Microsoft Authenticator, use today. If you use these settings with another OTP provider and are unable to successfully use generated codes to authenticate, please review their documentation and adjust these settings as required.

  5. Save the secret template. Any web password secret based upon this template can now use TOTP.

TOTP Secret Setup

Once a secret template is set up for TOTP, each secret based on that template also needs to be set up:

  1. Click the Secrets menu item in the dashboard.

  2. Open the desired secret.

  3. Click the Settings tab:

  4. Click the TOTP section's Edit button

  5. Click to select the Generate One-Time Passwords check box in the TOTP section. This exposes two text boxes:

  6. Type the TOTP key in the TOTP Key text box. The TOTP Key is generated by the OTP-protected asset when you set up your account to use TOTP. Usually, you are prompted with a QR barcode that you can scan with a mobile device, or you can expose the key that the QR code represents by selecting the Manual Setup link when performing the initial TOTP setup for a user. The TOTP Key is found in the Key field. This text string is the value that is placed into the TOTP Key field.

    Treat the TOTP key and backup codes like you would any other password! If anyone obtains the key, it can be used to set up a valid TOTP generator for that account on any device, allowing that person to bypass the protection. Similarly, the backup codes allow users to temporarily bypass protection.
    If you have an account that has been TOTP protected and you did not save the TOTP key upon creation, you must deactivate TOTP on that account and then reactivate it to retrieve the TOTP key to set up Secret Server.

  7. Type the TOTP backup codes in the TOTP Backup Codes text box. The TOTP Backup Codes are often presented to a user while initially setting up an account for TOTP. These backup codes are single-use codes for use if a TOTP generator is not available or working. Again, these codes will be valid and allow the holder to get past the two-factor authorization to access an account, so protect them as you would a password!