@R K
This is a GenAI-powered tool. All generated answers require validation against the provided references.
The standard documentation primarily covers email/SMS methods for MFA, but not TOTP with third-party authenticator apps.
After researching this topic, I can provide you with a solution approach for implementing TOTP-based authentication with Microsoft Authenticator in Pega. This will require creating a custom authentication service, as Pega doesn’t provide built-in support for third-party authenticator apps out-of-the-box.
Understanding the Limitation
The standard MFA implementation in Pega currently only supports sending OTPs through email and SMS channels. As confirmed by the Pega product engineering team (referenced in the support discussion you linked), when using custom authentication services, you need to build the MFA functionality yourself within the authentication activity.
Implementation Approach for TOTP with Microsoft Authenticator
Here’s a step-by-step approach to implement TOTP authentication with MS Authenticator:
1. Create a Custom Authentication Service
Start by creating a Custom Authentication Service rule:
- Navigate to App Studio > Security > Authentication > Authentication Service
- Create a new Authentication Service and select Custom as the type
- Define an authentication activity that will handle the TOTP verification process
2. Implement TOTP Algorithm
You’ll need to implement the TOTP algorithm according to RFC 6238 standards. This can be done by:
- Creating a Java class in your application that implements the TOTP algorithm
- Using an open-source TOTP library that can be imported into your application
Here’s a simplified example of what a Java implementation might look like:
// Import necessary libraries
import org.apache.commons.codec.binary.Base32;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.nio.ByteBuffer;

public class TOTPGenerator {
    private static final int SECRET_SIZE = 10;                 // bytes of shared secret (80 bits, RFC 4226 minimum)
    private static final String CRYPTO_ALGORITHM = "HmacSHA1"; // RFC 6238 default; the authenticator app must use the same
    private static final int CODE_DIGITS = 6;
    private static final int INTERVAL_SECONDS = 30;            // time step; must match the value advertised at enrollment

    // Computes the code for one time step, where timeCounter = unixSeconds / INTERVAL_SECONDS
    public static String generateTOTP(String secretKey, long timeCounter)
            throws NoSuchAlgorithmException, InvalidKeyException {
        Base32 base32 = new Base32();
        byte[] key = base32.decode(secretKey);
        // The counter is hashed as an 8-byte big-endian value (RFC 4226 section 5.3)
        byte[] data = ByteBuffer.allocate(8).putLong(timeCounter).array();
        Mac mac = Mac.getInstance(CRYPTO_ALGORITHM);
        mac.init(new SecretKeySpec(key, CRYPTO_ALGORITHM));
        byte[] hash = mac.doFinal(data);
        // Extract a 4-byte dynamic binary code from the hash (dynamic truncation)
        int offset = hash[hash.length - 1] & 0xf;
        int binary = ((hash[offset] & 0x7f) << 24) |
                     ((hash[offset + 1] & 0xff) << 16) |
                     ((hash[offset + 2] & 0xff) << 8) |
                     (hash[offset + 3] & 0xff);
        // Reduce to CODE_DIGITS decimal digits, keeping leading zeros
        int otp = binary % (int) Math.pow(10, CODE_DIGITS);
        return String.format("%0" + CODE_DIGITS + "d", otp);
    }
    // Other methods for key generation, etc.
}
3. User Enrollment Process
You’ll need to create a process to enroll users for TOTP authentication:
- Generate a unique secret key for each user
- Store this secret key securely in your user database
- Generate a QR code that contains the secret key and other information (like app name)
- Display the QR code to the user for scanning with Microsoft Authenticator
4. Implement the Authentication Flow
Modify your login flow to incorporate TOTP verification:
- After username/password validation, check if the user has TOTP enabled
- If enabled, prompt the user to enter the 6-digit code from their authenticator app
- Generate the expected TOTP code using the stored secret key
- Compare the user-entered code with the generated code (considering time drift)
- Allow login only if the codes match
5. Handle Push Notifications (Optional)
For the push notification approach mentioned in your scenario:
- Microsoft Authenticator supports push notifications through the Microsoft Identity platform
- This would require integration with Azure AD or Microsoft Entra ID
- You would need to implement the Microsoft Authentication Library (MSAL) in your application
Code Example for Verification
Here’s a simplified example of how verification might work in your authentication activity:
public Boolean verifyTOTP(String userEnteredCode, String userSecretKey) {
    try {
        // Get the current time interval (the 30 s step must match TOTPGenerator.INTERVAL_SECONDS)
        long currentInterval = System.currentTimeMillis() / 1000 / 30;
        // Generate expected TOTP codes (check current and adjacent intervals for time drift)
        String expectedCode = TOTPGenerator.generateTOTP(userSecretKey, currentInterval);
        String expectedCodePrev = TOTPGenerator.generateTOTP(userSecretKey, currentInterval - 1);
        String expectedCodeNext = TOTPGenerator.generateTOTP(userSecretKey, currentInterval + 1);
        // Compare with user-entered code in constant time so the comparison does not leak timing
        // (fully qualified names because a Pega Java step cannot declare its own imports)
        byte[] entered = userEnteredCode.getBytes(java.nio.charset.StandardCharsets.US_ASCII);
        return java.security.MessageDigest.isEqual(entered, expectedCode.getBytes(java.nio.charset.StandardCharsets.US_ASCII)) ||
               java.security.MessageDigest.isEqual(entered, expectedCodePrev.getBytes(java.nio.charset.StandardCharsets.US_ASCII)) ||
               java.security.MessageDigest.isEqual(entered, expectedCodeNext.getBytes(java.nio.charset.StandardCharsets.US_ASCII));
    } catch (Exception e) {
        // Log error (do not expose the cause to the user) and fail closed
        return false;
    }
}
Security Considerations
- Securely store the secret keys using encryption
- Implement rate limiting to prevent brute-force attacks
- Provide backup codes or alternative authentication methods for recovery
- Consider adding additional security measures like IP validation
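The enrollment step (3), the verification flow (4) and the drift, replay and rate-limiting points above, as an added stand-alone example that is not from this answer or from Pega; it is written in Python so it can be run and checked against the RFC 6238 Appendix B seed, and the same logic would sit in the Java of the authentication activity. It assumes a 20-byte Base32 secret per RFC 4226, SHA1/6 digits/30 s as the app defaults, and the otpauth Key URI format that authenticator apps scan from a QR code; the account name and issuer are placeholders.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

DIGITS, STEP = 6, 30          # must match what the enrollment QR code advertises

def new_secret(num_bytes: int = 20) -> str:
    """Per-user Base32 secret; RFC 4226 recommends at least 160 bits (20 bytes)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode().rstrip("=")

def otpauth_uri(secret: str, account: str, issuer: str) -> str:
    """Key URI to encode into the enrollment QR code (label, secret, issuer, parameters)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP}")

def totp(secret: str, counter: int) -> str:
    """RFC 6238 code for one time step: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def verify(secret: str, entered: str, last_used_counter: int, now=None, window: int = 1):
    """Return the matching counter (persist it as the user's new last_used_counter) or None.
    Accepts +/- `window` steps of clock drift, rejects reuse of an already-consumed step
    (replay), and compares in constant time. Rate limiting is applied by the caller per user."""
    current = (int(time.time()) if now is None else now) // STEP
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:      # this step was already consumed: treat as replay
            continue
        if hmac.compare_digest(totp(secret, counter), entered):
            return counter
    return None

# Seed from RFC 6238 Appendix B ("12345678901234567890"), constructed here for the self-check.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    assert totp(RFC6238_TEST_SECRET, 59 // STEP) == "287082"   # RFC vector 94287082, 6-digit tail
    user_secret = new_secret()                                 # step 3: generate and store per user
    print("Scan in Microsoft Authenticator:", otpauth_uri(user_secret, "alice@example.com", "PegaApp"))
    step = int(time.time()) // STEP                            # step 4: check the entered code
    print("Accepted counter:", verify(user_secret, totp(user_secret, step), last_used_counter=step - 1))
```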