One-Time Password Authentication Security Guide

This guide provides recommendations on how administrators and developers can secure applications that use one-time password authentication.

Before You Start

One-time password (OTP) authentication allows you to log on to systems using Secure Login Client, or using an identity provider or web applications running on AS Java. Before you configure OTP authentication with any of these systems, familiarize yourself with the security requirements of the system you use in your landscape.

User Administration and Authentication

With the One-Time Password Administration UI, you can manage user accounts in order to resolve various security issues. For more information, see Managing User Accounts.

When you configure user authentication, you should consider the following security recommendations:

  • Configure two-factor authentication if your scenario allows it.

    We recommend using two-factor authentication when possible, as this requires the user to provide two authentication factors: something the user knows (a password for example), and something the user has (a mobile device that generates a passcode). For more information, see Configuring Two-Factor Authentication.

  • If you use single-factor authentication, configure the application to require two distinct passcodes.

    We recommend this option as the best protection against malicious attacks. For more information, see Configuring Single-Factor Authentication.

  • If you use single-factor authentication, configure the application to require user confirmation during automatic logon.

  • Configure the OTP-related logon application if your scenario allows it.

    We recommend the OTP-related logon application, as it protects against XSRF and session fixation attacks. For more information, see Configuring an OTP-Related Logon Application.

Authorizations

To use OTP-related tools, users and administrators need specific roles assigned in SAP NetWeaver Administrator. We recommend only assigning these roles to the required groups, roles, or users. These assignments are not configured by default. For more information, see One-Time Password Authentication Administration Guide.

Passcode Security

  • Digest algorithm

    We recommend using the most secure digest algorithm available for passcode generation in your scenario, such as SHA-512. For more information, see Additional Settings.

  • Passcode length

    We recommend using 8-digit passcodes. For more information, see Additional Settings.

Account Protection

  • Account locking

    Set a low limit on the number of failed logon attempts allowed before an account is locked, balancing security against usability. For more information, see Additional Settings.

  • Secret key expiration period

    Set a reasonable expiration period for the secret key. We recommend 365 days. For more information, see Additional Settings.
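The two preceding sections, Passcode Security and Account Protection, describe settings rather than mechanics. The following added example (not SAP's TOTPLoginModule code; the key, time and lockout threshold are constructed assumptions) shows what an RFC 6238 TOTP check with a SHA-512 digest, 8-digit passcodes, replay rejection and account locking after a small number of failures looks like on the server side.

```python
import hmac
import struct

# Constructed sample secret key; a real deployment derives it at enrollment.
SAMPLE_KEY = b"constructed-sample-secret-not-for-real-use"


def hotp(key: bytes, counter: int, digits: int = 8, digestmod: str = "sha512") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 8, digestmod: str = "sha512") -> str:
    """RFC 6238 TOTP: HOTP over the current time step (default 30 s)."""
    return hotp(key, now // step, digits, digestmod)


class OtpVerifier:
    """Server-side passcode check with account locking.

    The account locks after max_attempts consecutive failures (a low value,
    as the guide recommends), and a time step that was already accepted is
    never accepted again, so a captured passcode cannot be replayed.
    """

    def __init__(self, key: bytes, max_attempts: int = 3, digits: int = 8,
                 digestmod: str = "sha512", step: int = 30):
        self.key, self.max_attempts = key, max_attempts
        self.digits, self.digestmod, self.step = digits, digestmod, step
        self.failures = 0
        self.locked = False
        self.last_step = -1  # highest time step already used for a logon

    def verify(self, passcode: str, now: int) -> bool:
        if self.locked:
            return False
        current = now // self.step
        # Accept the current step and the previous one to tolerate clock drift.
        for t in (current, current - 1):
            expected = hotp(self.key, t, self.digits, self.digestmod)
            if t > self.last_step and hmac.compare_digest(expected.encode(), passcode.encode()):
                self.last_step = t
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
        return False
```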

Session Security

  • Remember client (persistent cookie) option

    If you enable this option in the One-Time Password Administration UI, we recommend keeping the default HttpOnly and Secure attributes for the cookie.

  • XSRF protection

    XSRF protection is enabled by default for the TOTPLoginModule. We recommend not disabling it with the tfa.enable.xsrf.protection option. For more information, see One-Time Password Login Module Options.

Network and Communication Security

We recommend configuring the system that uses OTP authentication so that it is accessed only through HTTPS.

Security-Relevant Logging and Tracing

  • If your system uses AS Java, check the security logs and audit logs from SAP NetWeaver Administrator. For more information, see Logging and Tracing.

  • If your system uses Secure Login Client, check the client trace. For more information, see Tracing Secure Login Client.