Why are the OATH OTP codes for the Centrify tenant the same as the codes for the Idaptive tenant for existing users but different for new users after the tenant split?
The reason the codes are the same between the Centrify tenant and the Idaptive tenant is a result of the data port during the split. When the joint tenant was split, existing OATH profile records were copied from the joint tenant to both the Centrify tenant and the Idaptive tenant. OATH authenticators need a shared 'secret key' from the server, so the server can ensure that the code provided by the authenticator is correct. These 'shared keys' are one of the data elements that were copied with the data port.
When a user chooses to set up an OATH token via the OATH OTP Client, the tenant checks whether the user already has an OATH profile.
- If an OATH profile already exists, a QR code is displayed allowing authenticators to use this existing profile (this allows a user to install the profile into multiple devices, say a work phone and a personal phone). When the QR code is scanned, the existing 'secret key' is installed within the authenticator.
- If no OATH profile exists, a new profile is generated with a (random) 'secret key' and presented to the user (via the 'new' QR code). When the QR code is scanned, the new 'secret key' is installed within the authenticator.
Hence, in this case, users with an OATH profile that were copied from the joint tenant to the Centrify tenant and the Idaptive tenant ended up with OATH profiles that have the same 'secret key' in both tenants, so their authenticators show the same code. New users enrol separately in each tenant and receive different 'secret keys', and correspondingly different codes.
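The behaviour above follows directly from how OATH codes are computed: a TOTP value is a function of nothing but the shared secret and the current time window, so two tenants holding a copy of the same secret will always agree, and two independently generated secrets will not. The following Python models that, as an added example that is not part of this article and not Centrify or Idaptive code. The HOTP/TOTP functions implement RFC 4226 and RFC 6238 (HMAC-SHA1, 6 digits, 30-second step, the defaults the otpauth URI below assumes); the `enroll` and `simulate_split` functions, the in-memory `{user: secret}` tenant stores, and the user names are hypothetical stand-ins for the tenant's real profile storage and data port.

```python
"""Constructed model of why copied OATH profiles yield identical codes (example code, not the tenant's)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (time // step)."""
    return hotp(secret, unix_time // step, digits)


def new_secret() -> bytes:
    """A fresh random 160-bit shared secret, as a tenant generates when no profile exists."""
    return secrets.token_bytes(20)


def enroll(tenant: dict, user: str, make_secret=new_secret) -> bytes:
    """Return the user's OATH secret, reusing an existing profile or creating a new one.

    `tenant` is a hypothetical {user: secret} store standing in for the tenant's profile records.
    Re-enrolling an existing user (e.g. adding a second phone) hands back the *same* secret.
    """
    if user not in tenant:
        tenant[user] = make_secret()
    return tenant[user]


def otpauth_uri(issuer: str, user: str, secret: bytes) -> str:
    """The otpauth:// payload a provisioning QR code carries; the secret travels base32-encoded."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{user}?secret={b32}&issuer={issuer}"
            "&algorithm=SHA1&digits=6&period=30")


def simulate_split(make_secret=new_secret):
    """Split a joint tenant: existing profiles are copied, new users enroll per tenant."""
    joint = {}
    enroll(joint, "alice@example.com", make_secret)   # existed before the split (constructed user)
    centrify = dict(joint)                            # data port copies the profile records ...
    idaptive = dict(joint)                            # ... including the shared secret
    enroll(centrify, "bob@example.com", make_secret)  # new user enrolls after the split
    enroll(idaptive, "bob@example.com", make_secret)  # separate enrollment, separate secret
    return centrify, idaptive


def codes_match(centrify: dict, idaptive: dict, user: str, unix_time=None) -> bool:
    """True when both tenants' authenticators would show the same code for this user right now."""
    t = int(time.time()) if unix_time is None else unix_time
    return totp(centrify[user], t) == totp(idaptive[user], t)


if __name__ == "__main__":
    c, i = simulate_split()
    now = int(time.time())
    for user in ("alice@example.com", "bob@example.com"):
        verdict = "same" if codes_match(c, i, user, now) else "different"
        print(f"{user}: Centrify={totp(c[user], now)} Idaptive={totp(i[user], now)} -> {verdict}")
    print(otpauth_uri("Centrify", "alice@example.com", c["alice@example.com"]))
```

Running it prints identical codes for the pre-split user and (with overwhelming probability) different codes for the post-split user. The practical consequence for an administrator is that, for copied profiles, the second factor is a single secret held by two independent services: an authenticator enrolled against either tenant is valid for both until the profile is reset in one of them, after which `enroll` would hand out a fresh secret and the codes diverge.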