# Configuring TOTP

To configure TOTP settings:

1. Specify the following:
   * **Display Name:** The default name here is TOTP. The name will appear on the registration dialog in Parallels Client in the following sentence: "Install TOTP app on your iOS or Android device". If you change the name, the sentence will contain the name you specify, such as "Install \<new-name> app on your iOS or Android device".
   * **User Prompt:** Specify the text that the user will see when prompted with an OTP dialog.
   * **Account name in authenticator:** By default, the Site and Farm names are shown. Alternatively, you can choose to display the Display Name or the Theme Name instead. This helps end users identify which environment they are working in, especially when they have access to multiple environments.

   On the next page of the wizard, specify:

   * The **User enrollment** section allows you to limit user enrollment if needed. You can allow all users to enroll without limitations (the **Allow** option), allow enrollment until the specified date and time (**Allow until**), or completely disable enrollment (the **Do not allow** option). If enrollment is disabled due to an expired time frame or because the **Do not allow** option is selected, a user trying to log in will see an error message saying that enrollment is disabled and advising the user to contact the system administrator. When you restrict or disable enrollment, Google Authenticator or other TOTP providers can still be used, but no further users can enroll. This is a security measure that keeps accounts with compromised credentials from being enrolled in MFA.
   * **Show information to unenrolled users:** Select whether unenrolled users see the error **The user name or password is incorrect** when they enter incorrect credentials:
     * **Never (most secure)**: Unenrolled users see a TOTP prompt instead of the error.
     * **If enrollment is allowed:** Unenrolled users see the error if user enrollment is allowed. Otherwise, they see a TOTP prompt.
     * **Always**: Unenrolled users always see the error.
   * The **Authentication** section allows you to configure TOTP tolerance. Time-based One-Time Password (TOTP) authentication requires the time to be synchronized between the RAS Connection Broker and client devices. The synchronization must be performed against a global NTP server (e.g., `time.google.com`). Using the **TOTP tolerance** drop-down list, you can select a time difference that should be tolerated while performing authentication. Expand the drop-down list and select one of the predefined values (number of seconds).

     **Note:** Change the time tolerance with caution, as it has security implications: it can increase the time validity of a security token, creating a wider time window for potential misuse.

     **Note:** When using TOTP providers, it is required to have both Connection Brokers and client devices time synchronized with a global NTP server (e.g., `time.google.com`). Adding TOTP tolerance increases the one-time password validity, which might have security implications.
   * The **Reset User(s)** field in the **User management** section is used to reset the token that a user receives when they log in to Parallels RAS for the first time using the TOTP provider. If you reset a user, they'll have to go through the registration procedure again (for instructions on doing this for Google Authenticator, see [**Using Google Authenticator in Parallels Client**](https://docs.parallels.com/landing/ras-admin-guide/parallels-ras-21-administrators-guide/connection-and-authentication-settings/multi-factor-authentication/using-totp/configuring-google-authenticator)). You can search for specific users, reset all users, or import the list of users from a CSV file.
2. Click **Finish**.

Note that the time during which a TOTP code is accepted is calculated as the default 30 seconds + x seconds in the past + x seconds in the future, where x is the selected TOTP tolerance.
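The effect of the tolerance setting on code validity, as an added example that is not Parallels RAS code: it assumes RFC 6238 TOTP with HMAC-SHA1 and 6 digits, and assumes the verifier accepts every 30-second step that overlaps server time plus or minus the tolerance. The secret and timestamps are the RFC 6238 test values, and the tolerance values are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30                          # default TOTP period in seconds, as on this page
SECRET = b"12345678901234567890"   # RFC 6238 test secret, not a real enrollment key

def totp(secret, unix_time, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the 30-second step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def accepted_steps(server_time, tolerance):
    """Step counters accepted at server_time with +/- tolerance seconds (assumed model)."""
    return range((server_time - tolerance) // STEP,
                 (server_time + tolerance) // STEP + 1)

def verify(secret, code, server_time, tolerance=0):
    """Check the code against every accepted step, comparing in constant time."""
    ok = False
    for step in accepted_steps(server_time, tolerance):
        ok |= hmac.compare_digest(totp(secret, step * STEP), code)
    return ok

def lifetime(issued_at, tolerance):
    """Seconds of server time during which a code issued at issued_at is accepted.

    Scans +/- 10 steps around issued_at, so it is meant for tolerances under 270 s.
    """
    step = issued_at // STEP
    scan = range(issued_at - 10 * STEP, issued_at + 10 * STEP)
    return sum(step in accepted_steps(t, tolerance) for t in scan)

if __name__ == "__main__":
    issued = 1111111109            # client clock: last second of its step
    arrives = 1111111111           # server clock two seconds later: next step
    code = totp(SECRET, issued)
    for tol in (0, 30):            # constructed values, not the RAS drop-down list
        print(tol, verify(SECRET, code, arrives, tol), lifetime(issued, tol))
```

With no tolerance, a code typed at the very end of its step is rejected two seconds later; a 30-second tolerance accepts it, at the cost of every code staying usable for 90 seconds instead of 30.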
