ForgeRock Developer Experience

Integrate MFA using OATH one-time passwords

Applies to:

  • ForgeRock SDK for Android

  • ForgeRock SDK for iOS

  • ForgeRock SDK for JavaScript

This topic explains how to integrate support for OATH one-time passwords into your projects that use the ForgeRock Authenticator module.


To integrate OATH one-time passwords into your application that uses the ForgeRock Authenticator module, ensure you have completed the following tasks first:

  1. Configure your ForgeRock server to request a one-time password during the authentication journey.

  2. Integrate the ForgeRock Authenticator module into your app.

  3. Start the ForgeRock Authenticator module in your app.

Sample apps

You can find example source code for integrating one-time passwords in the sample authenticator application repositories on GitHub:

Step 1. Register your app

The first time you authenticate you are asked to register a device by scanning a QR code.

Your application must implement a QR code scanning mechanism. The QR code contains the URI used for registering the device, although you could also offer a method for entering the URI manually.

After obtaining the URI, register the authentication mechanism in your app:

  • Android

  • iOS

Register the OATH mechanism by implementing the FRAClient.createMechanismFromUri() method, and use FRAListener to receive the newly created mechanism:

fraClient.createMechanismFromUri("qrcode_scan_result", new FRAListener<Mechanism>() {

    public void onSuccess(Mechanism mechanism) {
        // called when device enrollment was successful.

    public void onFailure(final MechanismCreationException e) {
        // called when device enrollment has failed.
guard let fraClient = FRAClient.shared else {
    print("FRAuthenticator SDK is not initialized")

fraClient.createMechanismFromUri(uri: url, onSuccess: { (mechanism) in
    // Method call occurs when device enrollment is successful.
}, onError: { (error) in
    // Method call occurs when device enrollment fails.

Step 2. Generate one-time passwords

With the OATH mechanisms now registered, your app can obtain the current, and next tokens, as an OathTokenCode object:

  • Android

  • iOS

OathTokenCode token = oath.getOathTokenCode();
String otp = token.getCurrentCode();
do {
    // Generate OathTokenCode
    let code = try mechanism.generateCode()
    // Update UI with generated code
    codeLabel?.text = code.code
} catch {
    // Handle errors for generating OATH code

More information

Refer to the following links for information on some of the interfaces and objects used in this topic:

Android iOS





Copyright © 2010-2024 ForgeRock, all rights reserved.