---
title: Configuring OATH token authentication for PingID
description: An OATH token is a secure one-time passcode (OTP) that can be used for two-factor authentication and is OATH compliant.
component: pingid
page_id: pingid:pingid_service_management:cxe1564020450447
canonical_url: http://docs.pingidentity.com/pingid/pingid_service_management/cxe1564020450447.html
revdate: December 26, 2023
section_ids:
  configuring-oath-token-authentication: Configuring OATH token authentication
  before-you-begin: Before you begin
  steps: Steps
  result: Result:
  result-2: Result:
  result-3: Result:
  example: Example:
  result-4: Result:
  example-2: Example:
  result-5: Result:
  result-6: Result:
  troubleshooting: Troubleshooting
---

# Configuring OATH token authentication for PingID

An OATH token is a secure one-time passcode (OTP) that can be used for two-factor authentication and is OATH compliant.

Hardware OATH tokens are used where there are no provisions for connection to the Internet, USB connections, or mobile phones, which might be disallowed for security reasons. For more information, see <https://openauthentication.org/>.

PingID supports hardware OTP tokens that are OATH compliant:

* HOTP SHA-1 devices

* TOTP SHA-1 devices with 30 or 60 second OTP refresh intervals

* Any of the above devices that use a PIN code

PingID does not:

* Sell hardware tokens

* Recommend any particular hardware token manufacturer

The following OATH tokens have been checked for user authentication by PingID.

| Manufacturer | Model             | Type       |
| ------------ | ----------------- | ---------- |
| Feitian      | Display card      | TOTP-60sec |
| Feitian      | OTP c200          | TOTP-60sec |
| Feitian      | Display card      | HOTP       |
| Gemalto      | EZIO display card | TOTP-30sec |
| HyperSecu    | c100 token        | HOTP       |
| HyperSecu    | Edge plus         | TOTP-60sec |
| HyperSecu    | c200 token        | TOTP-30sec |
| HyperSecu    | HyperOTP          | TOTP-60sec |
| HyperSecu    | Edge plus         | TOTP-30sec |
| Protectimus  | Protectimus TWO   | TOTP-30sec |

For information about user registration, see the [PingID End User Guide](http://docs.pingidentity.com/pingid-user-guide/).

NOTE: In the event of three consecutive failed authentication attempts with an OATH token, the user will have to wait two minutes before trying to authenticate again.

## Configuring OATH token authentication

### Before you begin

To configure OATH tokens, you must have the following items from each token manufacturer and for each supplied token model:

* A token seed file. The seed file can be either:

  * A .txt file consisting of lines with a comma separating the token serial numbers and secret keys (without spaces)

  * A .csv file with the token serial numbers and secret keys in different cells (without spaces or commas)

  The secret keys are strings of hexadecimal digits.

* For each seed file, a single associated token type of either TOTP or HOTP.

* For TOTP types, a refresh interval of 30 or 60 seconds. The default is 30.

|   |                                                                                                                          |
| - | ------------------------------------------------------------------------------------------------------------------------ |
|   | For HOTP types, a start counter can be appended as an additional field in the seed file. If absent, it defaults to zero. |
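
The token type, refresh interval, and start counter listed above decide which code a token shows for a given seed. The following added example (not PingID code) computes that code with the standard RFC 4226 and RFC 6238 algorithms so a seed record can be checked against the physical token before import. The function names and the sample seed, which is the RFC 4226 test key, are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret_hex, counter, digits=6):
    """RFC 4226 HOTP (HMAC-SHA-1) from a hexadecimal seed, as a string."""
    key = bytes.fromhex(secret_hex)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_hex, unix_time, interval=30, digits=6):
    """RFC 6238 TOTP for the 30 or 60 second refresh intervals."""
    if interval not in (30, 60):
        raise ValueError("refresh interval must be 30 or 60 seconds")
    return hotp(secret_hex, int(unix_time) // interval, digits)

def find_hotp_counter(secret_hex, shown_code, start_counter=0, window=10):
    """Return the counter at which an HOTP token shows shown_code, or None.

    A token whose button was pressed before import is ahead of zero; the
    value found here is what the seed file's start counter has to reflect.
    """
    for counter in range(start_counter, start_counter + window):
        if hmac.compare_digest(hotp(secret_hex, counter), shown_code):
            return counter
    return None

# Constructed sample: the RFC 4226 test key ("12345678901234567890") in hex.
SAMPLE_SECRET = "3132333435363738393031323334353637383930"

if __name__ == "__main__":
    import time
    now = time.time()
    print("TOTP, 30 s interval:", totp(SAMPLE_SECRET, now, 30))
    print("TOTP, 60 s interval:", totp(SAMPLE_SECRET, now, 60))
    print("HOTP counter for 969429:", find_hotp_counter(SAMPLE_SECRET, "969429"))
```

A TOTP token that matches only the 60 second result was supplied with the wrong interval assumption, and an HOTP token that matches at a nonzero counter needs that counter state carried in its seed record.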

### Steps

1. In the PingOne admin portal, go to **Setup → PingID → Configuration**.

2. Go to the **Alternate Authentication Methods** section.

   ![A screen capture of the Alternate Authentication Methods section.](_images/vkb1564020562147.png)

3. In the **Enable** column, select the **OATH Token** check box.

   #### Result:

   The **Manage OATH Tokens** modal opens.

   ![A screen capture of the Manage Oath Tokens window.](_images/gge1564021281972.png)

4. Click **Save & Manage Tokens**.

   #### Result:

   The **OATH Tokens** tab opens and shows a list of previously saved tokens.

   |   |                                                       |
   | - | ----------------------------------------------------- |
   |   | If there are no saved tokens, the list will be empty. |

   ![A screen capture of the OATH Tokens tab.](_images/trp1564021282675.png)

5. Click **Import Tokens** (plus icon).

   #### Result:

   The **Import OATH Tokens** modal opens.

   ![A screen capture of the Import OATH Tokens modal.](_images/qnk1564021284509.png)

6. Click **Choose File**.

7. Navigate to your token seed file and select it.

   #### Example:

   A user imports a single token from a file called `DAF.csv` with the following seed.

   ```
   2308734700388,6EBD59F71A634C48C4619CB33F6C385C9237C9BA
   ```

   #### Result:

   The **Import OATH Tokens** modal shows the token information.

   ![A screen capture of the Import OATH Tokens window with an imported token.](_images/jzf1564021285782.png)

8. From the **Token Type** list, select the token type.

   ![A screen capture of the Token Type list.](_images/fus1564021286418.png)

   #### Example:

   A selection of **TOTP - 6 Digits** enables the **Refresh Interval** list.

   ![A screen capture of the Refresh Interval list.](_images/kaq1564021286947.png)

   #### Result:

   The **Import OATH Tokens** modal now looks as follows.

   ![A screen capture of the Import OATH Tokens window.](_images/nrz1564021287471.png)

   |   |                                                                                            |
   | - | ------------------------------------------------------------------------------------------ |
   |   | The **Preview Record** section shows information from the first record in the `.csv` file. |

9. **Optional:** If applicable, from the **Refresh Interval** list, select the refresh interval.

10. Click **Import**.

    |   |                                                                                                                                  |
    | - | -------------------------------------------------------------------------------------------------------------------------------- |
    |   | To return to the **Import OATH Tokens** modal, go to **Setup → PingID → OATH Tokens**, and then click **Import Tokens** (plus icon). |

    #### Result:

    The newly imported tokens appear at the top of the **OATH Tokens** list.

    ![A screen capture of the OATH Tokens tab with the newly-created entry.](_images/gdp1564021288100.png)

### Troubleshooting

* If your seed file contains entries that duplicate existing tokens, the **Incomplete Token Report** error is displayed.

  ![A screen capture of the Incomplete Token Import message showing a duplicate token.](_images/cpq1564021288975.png)

  Remove the duplicate entries from the seed file and try again.

* If your seed file is invalid, you will receive the following error message.

  ![A screen capture of the Invalid File Type error message.](_images/rfe1564021289537.png)
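
Both errors above can be caught before upload by checking the seed file against the format rules in "Before you begin". The following is an added example, not PingID code: `check_seed_file`, the `existing_serials` argument (serial numbers already listed on the **OATH Tokens** tab) and the sample records are assumptions made for illustration, the `.csv` file is assumed to be saved as comma-delimited text, and PingID's own validation may apply other rules.

```python
import re

HEX = re.compile(r"[0-9A-Fa-f]+")

def check_seed_file(text, token_type, existing_serials=()):
    """Return (records, problems); problem messages never echo a secret key."""
    records, problems = [], []
    seen = set(existing_serials)  # serials already imported (assumed input)
    for n, line in enumerate(text.splitlines(), start=1):
        if not line:
            continue
        fields = line.split(",")
        if any(ch.isspace() for ch in line):
            problems.append((n, "contains whitespace"))
        elif len(fields) not in (2, 3) or not fields[0]:
            problems.append((n, "expected serial,secret[,start counter]"))
        elif not HEX.fullmatch(fields[1]) or len(fields[1]) % 2:
            problems.append((n, "secret key is not whole hexadecimal bytes"))
        elif len(fields) == 3 and token_type != "HOTP":
            problems.append((n, "start counter given for a non-HOTP file"))
        elif len(fields) == 3 and not re.fullmatch(r"[0-9]+", fields[2]):
            problems.append((n, "start counter is not a non-negative integer"))
        elif fields[0] in seen:
            problems.append((n, "duplicate serial " + fields[0]))
        else:
            seen.add(fields[0])
            counter = int(fields[2]) if len(fields) == 3 else 0  # default zero
            records.append((fields[0], fields[1], counter))
    return records, problems

# Constructed sample records (serials and key are made up for this example).
KEY = "3132333435363738393031323334353637383930"
SAMPLE = "\n".join([
    "1000000000001," + KEY,
    "1000000000002," + KEY + ",25",       # HOTP start counter
    "1000000000001," + KEY,               # duplicate serial
    "1000000000003, " + KEY,              # space after the comma
    "1000000000004," + KEY[:-1] + "G",    # non-hexadecimal digit
])

if __name__ == "__main__":
    records, problems = check_seed_file(SAMPLE, "HOTP")
    print(len(records), "records ready for import")
    for n, message in problems:
        print("line", n, ":", message)
```

Because the seed file holds every token's secret key, run the check on the machine where the file is already stored and keep its output free of key material, as the messages here do.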
