[CA Mobile OTP Roaming flow in CA Adapter] Can I re-download the AOTP account in another device?


Article ID: 103780


Updated On:


CA Advanced Authentication CA Strong Authentication CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)


Can I re-download the CA Mobile OTP credential in another device?


CA Strong Authentication - CA Mobile OTP (also known as Arcot OTP or AOTP)


What is Roaming flow of ArcotID OTP?

The Advanced Authentication service offers roaming capabilities to enable end users to download their ArcotID OTP securely and authenticate from any system when the need arises. Roaming users who do not have the ArcotID OTP application or JavaScript Client on their device can set up a different device to retrieve their ArcotID OTP credential from the Advanced Authentication service. The downloaded ArcotID OTP can then be used to authenticate to any protected resource in a browser.

To enable roaming, one or more secondary authentication mechanisms must be configured for the user during enrollment. At runtime, if secondary authentication is successful, the ArcotID OTP credential is downloaded to the end user's device.

If Security Code is used for secondary authentication, during enrollment the end user is prompted to provide additional private information, which is composed of a series of user-defined question and answer pairs. Similarly, if security code is used for secondary authentication, during enrollment the end user is prompted to provide an email address or telephone number to which the security code must be sent. At runtime, an end user who tries to download the ArcotID OTP from a different device is first authenticated using the questions and answers or the security code that they received as an email message, SMS, or voice message.

Where is the AOTP re-download link available in out-of-box CA Adapter (arcotafm)?
In AOTP verification page (where user required to enter OTP) there are links for "Forgot CA Mobile OTP PIN?" or "Download AOTP card on different device". User can reset Pin using the first option(Forgot CA Mobile OTP PIN?), this will recreate the AOTP account at the server end and the new one will be downloaded on the end user device. All existing AOTP accounts will not work any more. Using the second option(Download AOTP card on different device) a user can re-download the existing AOTP account to another device.

Why I don't see "Download AOTP card on different device" link in arcotafm verify OTP page?
The user can add same AOTP credential on multiple devices like Desktop and Mobile at the same time. This feature is only supported for TOTP (i.e. Roaming flow is only supported by TOTP), this is functionality is not supported for HOTP. Make sure you have below configured in your AOTP profile.

<Please see attached file for image>

TOTP configuration

HOTP = Counter based OTP
TOTP = Time based OTP


1558700407751000103780_sktwi1f5rjvs16k4e.jpeg get_app
1558700405626000103780_sktwi1f5rjvs16k4d.jpeg get_app