TOTP Authentication

    Note: TOTP Authentication is an Advanced Authenticator available as part of the Professional edition of ADSelfService Plus.

    TOTP (Time-based One-time Password) Authentication requires users to enter a time-sensitive verification code generated by the ADSelfService Plus mobile app to prove their identity. The code refreshes at regular intervals and can only be used once, making it resistant to replay attacks.

    How it works

    When a user reaches the TOTP Authentication step, ADSelfService Plus prompts them to enter the current TOTP code displayed in the ADSelfService Plus mobile app on their enrolled device. The server validates the code against the time-based algorithm, and authentication completes if the code matches. Because enrollment is device-based, users who switch to a new device must re-enroll.

    Prerequisites

    • The Professional edition of ADSelfService Plus is required.
    • You must have administrator access to the ADSelfService Plus portal.
    • At least one self-service policy must be configured before enabling this authenticator.
    • Users must have the ADSelfService Plus mobile app installed on their device — available on the App Store (iOS) and Play Store (Android).

    Limitations

    Note:
    • Only the ADSelfService Plus mobile app can be used for TOTP Authentication — third-party authenticator apps are not supported.
    • This is a device-based enrollment — if a user installs the ADSelfService Plus app on a new device, they must re-enroll.
    • TOTP Authentication cannot be used when users perform application logins, password resets, or account unlocks from the ADSelfService Plus mobile site or mobile app.

    Configuration instructions

    The navigation path to the Multi-factor Authentication page differs slightly between AD and Entra ID deployments.

    • Active Directory: Go to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.
    • Entra ID: Select Microsoft Entra ID from the directory drop-down at the top-left, then go to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.

    Then:

    1. From the Choose the Policy drop-down, select the policy you want to configure.
    2. Click the TOTP Authentication section to expand it.
    3. Select Enable Time-based One-time Password Authentication.

      TOTP Authentication section expanded in the Multi-factor Authentication Authenticators Setup page for Active Directory users in ADSelfService Plus

    Tips

    • Because TOTP Authentication is device-based and limited to the ADSelfService Plus mobile app, ensure users are aware that third-party apps such as Google Authenticator or Microsoft Authenticator cannot be used. Include this in any end-user onboarding communications to avoid enrollment confusion.
    • Pair TOTP Authentication with a fallback authenticator such as Email Verification for users who may change devices frequently, so they are not left without a way to authenticate while waiting to re-enroll on their new device.
    • If TOTP is set as a mandatory authenticator in the policy, use the MFA Enrollment tab (Entra ID) or the Enrolled Users Report (AD) to identify users who have not yet enrolled and follow up before the policy takes effect.