- 15 Nov 2024
- 5 Minutes to read
Display a one-time password on the Home screen
- Updated on 15 Nov 2024
Mobile Authenticator Studio displays a one-time password (OTP) for one or more user accounts on the device's Home screen. The user can copy the generated OTP for their user account to the clipboard and paste it into another app.
How Mobile Authenticator Studio generates and displays OTPs depends on the number of activated accounts, the number of enabled actions, and whether app protection is enabled. For more details, see Generate and display OTP with one or multiple accounts and Generate and display OTP on unprotected and protected apps.
For security reasons, there are also certain limitations for displaying one-time passwords. For more details, see Limitations for the display of an OTP on a device Home screen.
Generate and display OTP with one or multiple accounts
Single account
If only one account is activated and only one action, Display OTP, is enabled in the customization, the Mobile Authenticator Studio app automatically generates an OTP. The OTP needs to be validated on the server, as it will be used outside of the Mobile Authenticator Studio app. When the user restarts the app, another OTP is automatically generated (and validated on the server), and displayed on the Home screen.
If only one account is activated and multiple actions like Pending Request, Scan Code, and Display OTP are enabled, the OTP is not generated automatically after the account activation. The user must initiate OTP generation; after validation on the server, the OTP can be copied and used.
If a single account is activated, the Home screen displays the possible actions for that user account and the Home screen does not display the account selector button.
Multiple accounts
When more than one account is activated and one single action is enabled, an OTP is generated and validated on the server separately for each of the accounts. When the app is restarted, the OTP for the first activated account is automatically generated and displayed on the Home screen. After the user switches to the next account, a new OTP is generated, validated, and displayed.
When more than one user account is activated and multiple actions are enabled, the OTP is not generated automatically. The account selector button in the Home screen displays the currently active user. By default, this is the first account from the account list. By tapping on this button, the user can view a list of all activated accounts and select one.
When a user account is renamed, the new name is displayed on the account selector button. When an account is removed but two or more accounts are still activated, the text on the account selector button changes to the name of the account that is now first in the account list.
When the app is moved to the background, the account that was selected last before this action is regarded as the default user account. When the app is moved back to the foreground, the app displays the account that was selected before the app was moved. The same applies if the app is closed and opened again.
Generate and display OTP on unprotected and protected apps
If no protection is defined in the app customization, Mobile Authenticator Studio automatically generates and displays an OTP on the device's Home screen without prompting the user to authenticate.
If the app is protected (with a PIN code or biometry) and one user account is activated, the Authentication screen is displayed when the user opens the app and every time they tap the One-time Password button on the Home screen. If a single action is enabled, the app generates the OTP automatically and displays it on the Home screen.
If the protected app is used with more than one user account, the currently selected user is prompted to authenticate and the OTP is generated for this user. The app always displays the OTP for the default user until a different account is selected via the Manage account screen. The user is then prompted to authenticate for the selected account, and after successful authentication, an OTP is automatically generated for that user account and displayed on the Home screen.
When the current user has not migrated from Mobile Authenticator Studio 4.x, the user is not authenticated and no OTP is generated when the app is first launched.
Limitations for the display of an OTP on a device Home screen
In some situations, the Mobile Authenticator Studio app either intentionally generates an incorrect OTP and displays it, does not generate an OTP, or hides the OTP for security reasons:
Authentication penalty.
If the user fails to successfully authenticate three times, a PIN penalty is enforced. Mobile Authenticator Studio offers two different types of PIN penalty:
Generate incorrect OTP
After three unsuccessful authentication attempts, the user's account is locked and an incorrect OTP is generated, which is not validated. The user must authenticate with a different method and can then generate a correct OTP. If biometric authentication failed, a correct OTP can be generated with PIN entry, and vice versa.
Reset the authenticator secret.
After three unsuccessful authentication attempts, the user's account is locked and the app displays a message about the locked account. The user can reactivate the account by scanning a QR code or Cronto image.
When the user taps the Cancel button in the authentication screen, Mobile Authenticator Studio does not generate an OTP, and the user must return to the Home screen. Also, if multiple actions are enabled and the authentication failed, the user is taken back to the Home screen with all actions still available.
Mobile Authenticator Studio hides the generated OTP in the following scenarios:
The generated OTP has expired
After 60 seconds, a generated OTP expires and the OTP is hidden. The user is required to authenticate again and, by tapping the Refresh button, can generate a new OTP.
The app is moved to the background, the user opens a new screen, or switches to another app.
The user locks the device screen
Another app pushes a notification
Mobile Authenticator Studio is being updated
The device enters Sleep mode
Digital device assistants are used
The OTP is hidden even if biometric authentication is in progress. Once the authentication is completed and valid, the 60-second timer runs, but the OTP remains hidden until the app is moved back to the foreground.
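The penalty and hiding rules in this section can be modeled as a small state machine. This is an added example, not Mobile Authenticator Studio code: the class, method, and event names are hypothetical. It assumes a hidden OTP reappears on return to the foreground only while its 60 seconds have not elapsed, and that in the incorrect-OTP mode a lock is lifted only by a success with a different method.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

OTP_LIFETIME_S = 60   # page: a generated OTP expires after 60 seconds
MAX_FAILURES = 3      # page: penalty after three failed authentications
HIDE_EVENTS = {"background", "screen_lock", "notification",
               "app_update", "sleep", "assistant"}  # assumed event labels

class Penalty(Enum):
    INCORRECT_OTP = 1  # display an OTP that the server does not validate
    RESET_SECRET = 2   # lock until re-activation (QR code or Cronto image)

@dataclass
class OtpDisplay:
    penalty: Penalty
    failures: int = 0
    failed_method: Optional[str] = None  # method that triggered the lock
    issued_at: Optional[float] = None
    correct: bool = False                # False: deliberately incorrect OTP
    obscured: bool = False

    def authenticate(self, method: str, ok: bool, now: float) -> str:
        locked = self.failed_method is not None
        if locked and (self.penalty is Penalty.RESET_SECRET
                       or method == self.failed_method):
            return "locked"
        if ok:  # first success, or success with a different method
            self.failures, self.failed_method = 0, None
            self.issued_at, self.correct = now, True
            return "otp"
        if locked:
            return "retry"
        self.failures += 1
        if self.failures < MAX_FAILURES:
            return "retry"
        self.failed_method, self.issued_at = method, None
        if self.penalty is Penalty.INCORRECT_OTP:
            self.issued_at, self.correct = now, False
            return "incorrect_otp"
        return "locked"

    def on_event(self, event: str) -> None:
        if event in HIDE_EVENTS:
            self.obscured = True
        elif event == "foreground":
            self.obscured = False

    def visible(self, now: float) -> bool:
        # The 60-second timer keeps running while the OTP is obscured.
        return (self.issued_at is not None and not self.obscured
                and now - self.issued_at < OTP_LIFETIME_S)
```
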