
KB-29195: Why is the OATH OTP code for the Centrify tenant the same as the Idaptive tenant

Privileged Access Service

24 March, 20 at 04:36 PM

Question:

Why are the OATH OTP codes for the Centrify tenant the same as the codes for the Idaptive tenant for existing users but different for new users after the tenant split?


Answer:

The codes are the same between the Centrify tenant and the Idaptive tenant because of the data port performed during the split. When the joint tenant was split, existing OATH profile records were copied from the joint tenant to both the Centrify tenant and the Idaptive tenant. An OATH authenticator and the server share a 'secret key': the server uses it to verify that the code produced by the authenticator is correct. These shared keys were among the data elements copied in the data port.

When a user chooses to set up an OATH token via the OATH OTP Client, the tenant checks whether the user already has an OATH profile:

  1. If an OATH profile already exists, a QR code is displayed allowing authenticators to use this existing profile (this allows a user to install the profile into multiple devices, say a work phone and a personal phone). When the QR code is scanned, the existing 'secret key' is installed within the authenticator.
  2. If no OATH profile exists, a new profile is generated with a (random) 'secret key' and presented to the user (via the 'new' QR code). When the QR code is scanned, the new 'secret key' is installed within the authenticator.

Hence, in this case, users with an OATH profile that were copied from the joint tenant to the Centrify tenant and the Idaptive tenant ended up with OATH profiles that have the same 'secret key' in both tenants, so their authenticators show the same code. New users, by contrast, have different 'secret keys' in the respective tenants and correspondingly different codes.
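The following is an added illustration, not code from Centrify or from this article: it implements standard HOTP/TOTP (RFC 4226 / RFC 6238) and simulates the split described above, copying one pre-existing profile into both tenants and enrolling a new user in each, to show why the copied secret yields identical codes while fresh secrets do not. The tenant names, the user names and the enrollment helper are constructed for the simulation.

```python
import hashlib
import hmac
import secrets
import struct

RFC_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 SHA-1 test-vector key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, at // step, digits)


def enroll(profiles: dict, user: str) -> bytes:
    """Hypothetical model of the enrollment rule in the article: reuse an existing
    OATH profile's secret, otherwise generate a fresh random one for the user."""
    if user not in profiles:
        profiles[user] = secrets.token_bytes(20)
    return profiles[user]


def simulate_split(joint_profiles: dict, at: int) -> dict:
    """Data port: copy every joint profile into both tenants, then enroll one new
    user in each tenant and compute what each tenant's authenticator would show."""
    centrify = dict(joint_profiles)  # copied records, secrets included
    idaptive = dict(joint_profiles)
    report = {}
    for user in list(joint_profiles) + ["newuser"]:
        c_secret = enroll(centrify, user)
        i_secret = enroll(idaptive, user)
        report[user] = {
            "centrify": totp(c_secret, at),
            "idaptive": totp(i_secret, at),
            "shared_secret": hmac.compare_digest(c_secret, i_secret),
        }
    return report


if __name__ == "__main__":
    joint = {"alice": RFC_SECRET}  # constructed: one user who existed before the split
    for user, result in simulate_split(joint, at=59).items():
        print(user, result)
```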
