In Digital Access Admin, go to Manage System.

Click Authentication services → Seed Provisioning through DSKPP → Check Enable Seed Provisioning.

Click OATH Configuration.

Under the heading Database Connectivity, click Manage OATH Providers. Here you see the pre-defined providers (HOTP - event based one time password and TOTP - time based one time password). You cannot edit the pre-defined providers, only the new ones that you add. The SHA256 and SHA512 are different used algorithms.

• Nexus Smart ID Mobile supports SHA256 and SHA512 with iOS and Android.

• Nexus Smart ID Mobile also supports fingerprint authentication and face recognition (on iOS).

Click Manage System > Authentication Methods > Add Authentication Method...

Select Nexus OATH and click Next.

Enter a Display Name. Check Enable authentication method and Visible in authentication menu.

Select a pre-defined provider from the OATH Provider drop-down list, for example, for Google Authenticator with HOTP select Predefined_Hotp_HmacSHA256.
The email sent to the user can be configured to mention what OATH-compliant app that shall be used, for example, Google Authenticator. For more information about how to change email messages, go here: Change provisioning messages in Digital Access.

Click Add Authentication Method Server... and make the settings.

Click Next.

Click Next until the Wizard is finished.

Click Finish.

Click Publish.

In Digital Access Admin, go to Authentication Service → Manage Global Authentication Service Settings.

Click Password/PIN settings. Under Portwise OATH, check the 'Enable secure activation' checkbox and configure the Activation Code related properties as required.

Configuration changes in Email messages and SMS/Screen messages tab and in Self Service → OATH Profile Provisioning
Change the OATH Provisioning URL Scheme to 'com.nexusgroup.dskpp'.

Select Enable OATH for the user account.

In Digital Access Admin, go to Manage Accounts and Storage.

Click User Accounts. Search for the user that you shall enable Google Authenticator for, or add a new user account, see Add user account in Digital Access.

If you are updating an existing user account, click Edit User Account and select the Authentication tab.

Select Enable OATH for the user account.

Under Notification Settings, enter email address or SMS (how you want to send the notification). If an Active Directory is connected, the information is added automatically from the user id in the Active Directory. If not, enter the values manually.

Click Next.

The Token ID field is out-grayed since this is not a hardware token.

Select Provider from the drop-down list and select Status active. Select a predefined provider where an authentication method exists.

The admin user needs to set the Activation PIN for the user or check the 'Generate PIN' checkbox to generate and assign a random 6 - digit PIN. This Activation PIN will be sent to the user through the configured notification channel.

Select Notification: By screen, by SMS, by email and so on.

Click Next and Finish Wizard.

1. The text in green is "Notification by screen".

2. The email that is sent to the user contains a QR code. The user shall download the OATH-compliant app and use the app to scan the code. In case of Smart ID desktop app, the user need to enter the activation URL instead of scanning QR code.

In Digital Access Admin, go to Manage Accounts and Storage.

Click Self Service and select the OATH Profile Provisioning tab.

Check Enable OATH Profile Self Service Provisioning.

Enable the Notification Channels: email, SMS, QR code.

You can customize the notification message. To see all options for the message, click the ?-sign. Change "OATH Authentication" in the mail message to a text that informs the user about the method to use, what app to download and other relevant information.

Click Save.

Click Publish.

In Digital Access Admin, go to Manage Accounts and Storage.

Click User Accounts. Search for the user that shall be able to use self-service, or add a new user account, see Add user account in Digital Access.

If you are updating an existing user account, click Edit User Account and select the Authentication tab.

Check Enable Nexus OATH for the user account. Also check, for example, Enable Password for the user account.
To use OATH for authentication, the user needs the authentication method Nexus OATH to be enabled. For self-provisioning, the user is required to authenticate with another method, like Password. For this reason, the corresponding method (for example, Password) must be enabled for this user as well. The user will be asked to set the Activation PIN when provisioning through Access point.

Under Notification, provide email address and sms. If an Active Directory is connected, the information is added automatically from the user id in the Active Directory. If not, enter the values manually.

In case of self service registration, the user is expected to remember the Activation PIN entered on the access-point page while doing the activation process. No notification email/ SMS will be sent for the Activation PIN to the user.

Click Next. This step assumes that password has been selected in step 4 as the second authentication method. The password that the user shall provide comes from the Active Directory. If no AD, enter a password for the user to use. Also check any password properties.

For OATH, do not add a token because the user shall do that as self service registration.

Select Notification, for example, select by screen and by email.

Click Next.

Click Finish Wizard.
The text in green is "Notification by screen". Note the line containing the user's password.