In Digital Access Admin, go to Manage System.

Click OATH Configuration.

Under the heading Database Connectivity, click Manage OATH Providers. Here you see the pre-defined providers (HOTP - event based one time password and TOTP - time based one time password). You cannot edit the pre-defined providers, only the new ones that you add. The SHA256 and SHA512 are different used algorithms.

• Nexus Smart ID Mobile supports SHA256 and SHA512 with iOS and Android.

• Nexus Smart ID Mobile also supports fingerprint authentication and face recognition (on iOS).

Click Manage System > Authentication Methods > Add Authentication Method...

Select Nexus OATH and click Next.

Enter a Display Name. Check Enable authentication method and Visible in authentication menu.

Select a pre-defined provider from the OATH Provider drop-down list, for example, for Google Authenticator with HOTP select Predefined_Hotp_HmacSHA1.
The email sent to the user can be configured to mention what OATH-compliant app that shall be used, for example, Google Authenticator. For more information about how to change email messages, go here: Change provisioning messages in Digital Access.

Select if you want to use Two Factor Authentication and if so, if you want to use one or two fields for entering password and OTP.

• One screen: Password and OTP are entered in the same screen. In case of Active directory users, the OTP will be validated first and if the OTP is valid, the password will be validated. This avoids the AD account from easily getting locked.

• Two screens: Separate input fields are used, one to enter <password> and one to enter <otp>.

Click Add Authentication Method Server... and make any settings.

Click Next.

Click Next until the Wizard is finished.

Click Finish.

Click Publish.

In Digital Access Admin, go to Manage Accounts and Storage.

Click User Accounts. Search for the user that you shall enable Google Authenticator for, or add a new user account, see Add user account in Digital Access.

If you are updating an existing user account, click Edit User Account and select the Authentication tab.

Select Enable OATH for the user account.

Under Notification Settings, enter email address or SMS (how you want to send the notification). If an Active Directory is connected, the information is added automatically from the user id in the Active Directory. If not, enter the values manually.

Click Next.

The Token ID field is out-grayed since this is not a hardware token.

Select Provider from the drop-down list and select Status active. Select a predefined provider where an authentication method exists.

If you have chosen Two Factor Authentication, enter a password that the user shall use and check any password properties.

Select Notification: By screen, by sms, by email and so on.

Click Next and Finish Wizard.

1. The text in green is "Notification by screen".

2. The email that is sent to the user contains a QR code. The user shall download the OATH-compliant app and use the app to scan the code. In case of Smart ID desktop app, the user need to enter the activation URL instead of scanning QR code.

In Digital Access Admin, go to Manage Accounts and Storage.

Click Self Service and select the OATH Profile Provisioning tab.

Check Enable OATH Profile Self Service Provisioning.

Enable the Notification Channels: email, SMS, QR code.

You can customize the notification message. To see all options for the message, click the ?-sign. Change "OATH Authentication" in the mail message to a text that informs the user about the method to use, what app to download and other relevant information.

Click Save.

Click Publish.