FMoP TOTP MCF Plugin

Introduction

What is it

TOTP is an MCF plugin implementing Time-based One-Time Password (TOTP) authentication as per RFC 6238 in Fraud Manager 7.4 or newer. It is a convenient way to implement two-factor authentication (2FA) with FMoP without requiring any additional infrastructure or development:

  • No authentication server is required; the server-side data will be stored in FMoP’s database, as metadata of the MCF plugin.
  • No need to develop an end-user application. End users can use existing authentication applications, which are likely to be installed on their devices already.

Once the MCF plugin is deployed in FMoP, end users can be challenged with a time-based OTP generated on their devices.

Pre-requisites

The MCF plugin is to be deployed in FMoP 7.4.1 or newer.

High Level Workflows

Enrolment

As a first step, a customer will need to install on their mobile device (if not installed already) an application that supports TOTP authentication.

Commonly used applications are:

  • Microsoft Authenticator
  • Google Authenticator

Once a user has installed the application, enrolment in the TOTP authentication method will occur by invoking FMoP’s updateUser() method.

In the response payload, a QR code similar to this one will be returned. The QR code will need to be displayed by the web browser so that it can be scanned using the mobile application:

Enrolment QR code example

Once imported, the mobile application will show the newly added TOTP account as shown in this picture (Microsoft Authenticator Android, very last account in list):

OTP App Image

The customer is now ready to be authenticated using the codes generated by the authenticator application installed on his phone.

Authentication

When a user is challenged, the web or mobile application will prompt them to enter the OTP generated by the mobile app. The customer will need to open the mobile application and generate an OTP. Once entered, the OTP will be sent to FMoP for verification. If it is correct, a success response will be returned and the customer will be allowed to continue with the activity.

In order to obtain the OTP, the user will need to unlock his phone and, depending on the settings, the mobile application that will generate the OTP. Once unlocked, the OTP will be displayed as shown in the screenshot below.

OTP Code Image