Skip to content

Configuring TOTP Authenticator

The TOTP authenticator allows you to authenticate a user using Time-Based One Time Password (TOTP) through WSO2 Identity Server. It uses the TOTP specification to calculate the access tokens based on the time and the shared secret key between the user and the identity provider.

TOTP is an algorithm-generated temporary passcode that is used for strong authentication. The algorithm that generates each passcode uses the current time of day as one of its factors, ensuring that each password is unique.


  • For more information about TOTP specification, click here.
  • For information on MFA concepts, see About MFA.

Before You begin

  1. Download the WSO2 Identity Server from here and run it.

  2. Sign in to the Management Console by entering your username and password.

If you have migrated from older version of WSO2 Identity Server
  1. Under the WSO2 local claim dialect, check whether the claim exists.
  2. Unless, in the Main menu, click Add under Claims .
  3. Click Add Local Claim . This displays the Add Local Claim screen.
  4. Specify the following claim details in the appropriate fields:
Claim URI
Display Name Secret Key
Description Claim to store the secret key
Mapped Attribute totpSecretkey
if you are using a LDAP or AD, set a proper attribute for this.

Deploying sample application

You need to deploy and configure sample application to try out the TOTP authenticator. See deploy the sample application for more information on configuring travelocity application.

Configuring the service provider

The next step is to configure the service provider.

  1. In the previous section of this guide you have deployed and registered the webapp. Let's edit the same service provider to configure totp as an additional authentication factor.

  2. Locate the "" service provider and navigate to the Local and Outbound Authentication Configuration section.

    1. Select the Advanced configuration radio button option.

    2. To create the first authentication step:

      1. Click Add Authentication Step.

      2. Click Add Authenticator that is under Local Authenticators of Step 1 to add the basic authentication as the first step.
        Adding basic authentication as a first step ensures that the first step of authentication will be done using the user's credentials that are configured with the WSO2 Identity Server

    3. To create the second authentication step:

      1. Click Add Authentication Step.

      2. Click Add Authenticator that is under Local Authenticators of Step 2 to add the totp from the drop down as the second step.

Now `totp' is a second step that adds another layer of authentication and security during the authentication for this application.

Configuring the user profile

Now you have to register for the TOTP authentication from your user profile.

  1. Login to the end user dashboard and go to My Profile by clicking View details .
  2. Update your email address (this email address is used to send the token).
  3. To enable TOTP, select the Enable TOTP check box.
  4. You can use the Google Authenticator Application to generate the one-time passwords (tokens), click on Scan QR Code to scan the QR-Code using the Google Authenticator mobile app.

Testing the sample

  1. To test the sample, go to the following URL: http://<TOMCAT_HOST>:<TOMCAT_PORT>/ For example, this looks like http://localhost:8080/

  2. Click the link to log in with SAML from the WSO2 Identity Server.

  3. The basic authentication page is visible. Use your username and password to log in.
  4. If the TOTP is not enabled the user's profile and the user is allowed to enable the TOTP in the authentication flow, this page will appear. You can scan either continue or cancel.
  5. You may enroll the user by clicking on the link to show the QR code. Scan the displayed QR code using the mobile application and continue.

    Click here to view QR-Code display page


    Now you are redirected to the TOTP authentication page.

  6. Enter the verification code from your Google Authenticator Mobile Application to authenticate.


    Alternatively, you can generate the verification code by clicking on Get a Verification Code and use the code that is sent to your email address. See send email with totp for more details on how to configure email sending.

  7. If your verification is successful, you are taken to the home page of the application.

Refreshing the secret key

You can refresh the secret key by selecting the Refresh Secret Key check box in the My Profile gadget in the dashboard. However, you must re-scan the QR code to sync the new secret key with your Google Authenticator mobile application.


Advanced Configurations of TOTP authenticator

Disable TOTP

In WSO2 Identity Server 5.9.0 version, TOTP authenticator is enabled by default.

You can disable the TOTP authenticator by adding folowing configuration to the deployment.toml file in the <IS_HOME>/repository/conf folder.


TOTP Configuration Properties

You may configure any of the following parameters to change the behaviour of the TOTP authenticator according to your requirements.

The following table describes the definition of the parameters and the various values you can configure for the authenticator.

Feild Description
usecase This field can take one of the following values: local, association, userAttribute, subjectUri. If you do not specify any usecase, the default value is local.
If you have chosen userAttribute as the usecase, add the following parmeter to specify the user attribute.
    userAttribute = ""
encodingMethod The encoding method which is used to generate the TOTP.
authenticationMandatory If this value is true, the TOTP authentication will be enforced as a second step.
timeStepSize The time step size, which is used to validate the TOTP.
windowSize The window size, which is used to validate the TOTP.
enrolUserInAuthenticationFlow If this value is true, it will ask the user to enable the TOTP authenticator in the authentication flow.
secondaryUserstore The user store configuration is maintained per tenant as comma separated values. For example, secondaryUserstore = "jdbc, abc, xyz"
TOTPAuthenticationEndpointURL This is the endpoint of the UI which is used to gather the TOTP.
TOTPAuthenticationEndpointErrorPage This is the endpoint of the error page.
TOTPAuthenticationEndpointEnableTOTPPage This is the endpoint of the TOTPauthenticator enrollment page.
Issuer This is the issuer name which will be shown the Mobile Application. If not configured, tenant domain will be shown.
UseCommonIssuer If true, the issuer name defined in deployment.toml will be used as the issuer for all the tenants.

You can configure any of the above as following in the <IS_HOME>/repository/conf/deployment.toml file.

<Property-name> = <Property-value> 

Sample configurations of the authenticator with default Values



You may choose to configure any of the above property in the <IS_HOME>/repository/conf/deployment.toml file according to your requirements. If you do not configure any of the property from the <IS_HOME>/repository/conf/deployment.toml, the server will take the default values to the consideration

To enable scanning QR code during authentication flow

An admin can activate the feature to enable the TOTP authenticator in the authentication flow by changing the enrolUserInAuthenticationFlow values ( true or false ).

  1. If you specify that the user can enable TOTP in the authentication flow enrolUserInAuthenticationFlow=true and TOTP is not registered for the user's profile, you will be asked to enable TOTP in the in the authentication flow. If you don't enable it at this stage, the TOTP error page appears.
  2. If you specify that the user can't enable TOTP in the authentication flow enrolUserInAuthenticationFlow=false and TOTP is not registered for the user's profile , the TOTP error page appears during the authentication flow.

TOTP for secondary user stores

If you use the secondary user store, enter all the user store values for the particular tenant as comma separated values. Make this configuration change in the <IS_HOME>/repository/conf/deployment.toml file.

secondaryUserstore= "jdbc, abc, xyz"


The user store configuration is maintained per tenant" If you works only in super tenant, mode put all the above parameter values (mentioned in step 4) into the <IS_HOME>/repository/conf/deployment.toml file.

If you use a tenant, upload the XML file found in<IS_HOME>/repository/conf/identity/application-authentication.xml into a specific registry location ( /_system/governance/totp).

  1. Sign in to the Management Console as a tenant administrator.
  2. Create the collection named totp under /_system/governance/
  3. Add a new resource at /_system/governance/totp and upload the application-authentication.xml file into the registry location.
  4. Change the relevant properties under <AuthenticatorConfig name="totp" enabled="true"> tag.


While doing the authentication, first server checks whether there is an XML file uploaded to the registry. If that is so, server reads it from the registry but does not take the local file. If there is no file in the registry, then it only takes the property values from the local file. This is how the user store configuration is maintained per tenant. You can use the registry or local file to get the property values.

Obtaining the QR code without using the end user dashboard

If you need to obtain the QR code without using the end user dashboard, you can call the REST API or call the Admin Service(SOAP) that does this.


See the swagger documentation for the TOTP REST API here to understand how to obtain TOTO related information via the API.

Using Admin Services

Prior to the REST APIs, WSO2 Identity Server exposed its TOTP functionality via a SOAP API. The following is the Admin Service used to obtain the QR code.



Read more about calling admin services here

  1. The QR code URL can be retrieved using the initTOTP method in the TOTPAdminService .


    The following is a sample cURL command that invokes the TOTPAdminService.

    curl -i -X POST -H 'Content-Type: application/x-www-form-urlencoded' -H 'Authorization:Basic YWRtaW46YWRtaW4=' https://localhost:9443/services/TOTPAdminService/initTOTP -k -d 'username=testuser@carbon.super'

    The following is a sample response that is obtained.

    <ns:initTOTPResponse xmlns:ns=""><ns:return>b3RwYXV0aDovL3RvdHAvY2FyYm9uLnN1cGVyOmR1c2hhbmk/c2VjcmV0PUJGR0RFUllPU1ZSR0s3&#xd;
  2. The Secret Key can be retrieved using the retrieveSecretKeymethod in the TOTPAdminService .


    The following is a sample cURL command that invokes the TOTPAdminService.

    curl -i -X POST -H 'Content-Type: application/x-www-form-urlencoded'  -H 'Authorization:Basic YWRtaW46YWRtaW4=' https://localhost:9443/services/TOTPAdminService/retrieveSecretKey -k -d 'username=testuser@carbon.super'

    The following is a sample response that is obtained.

    <ns:retrieveSecretKeyResponse xmlns:ns=""><ns:return>4AAC2HEG7COGHQYI</ns:return></ns:retrieveSecretKeyResponse>

Send email with TOTP

Additionally, users may receive an email consisting the TOTP code during the authentication flow.

  • Enable the email sending configurations of the WSO2 Identity Server as explained here


    The email template used to send this email notification is the TOTP template.

    You can edit and customize the email template. For more information on how to do this, see Customizing Automated Emails.

    Please note that you must include {{token}} in the email body as a placeholder for the token generated during the authentication flow.