PingID Administration Guide

Configuring OATH token authentication for PingID

An OATH token is a device that generates one-time passcodes (OTPs) according to the OATH (Initiative for Open Authentication) standards, HOTP (RFC 4226) and TOTP (RFC 6238). PingID accepts the passcode as the second factor during authentication.

Hardware OATH tokens are used where there is no Internet connection, USB connection, or mobile phone available, or where those are disallowed for security reasons. For more information, see https://openauthentication.org/.

PingID supports hardware OTP tokens that are OATH compliant:

  • HOTP SHA-1 devices

  • TOTP SHA-1 devices with 30 or 60 second OTP refresh intervals

  • Any of the above devices that use a PIN code

PingID does not:

  • Sell hardware tokens

  • Recommend any particular hardware token manufacturer

The following OATH tokens have been tested for user authentication with PingID.

Manufacturer   Model               Type
Feitian        Display card        TOTP, 60-second interval
Feitian        OTP c200            TOTP, 60-second interval
Feitian        Display card        HOTP
Gemalto        EZIO display card   TOTP, 30-second interval
HyperSecu      c100 token          HOTP
HyperSecu      Edge plus           TOTP, 60-second interval
HyperSecu      c200 token          TOTP, 30-second interval
HyperSecu      HyperOTP            TOTP, 60-second interval
HyperSecu      Edge plus           TOTP, 30-second interval
Protectimus    Protectimus TWO     TOTP, 30-second interval

For information about user registration, see the PingID End User Guide.

NOTE: After three consecutive failed authentication attempts with an OATH token, the user must wait two minutes before trying to authenticate again.

Configuring OATH token authentication

Before you begin

To configure OATH tokens, you must have the following items from each token manufacturer and for each supplied token model:

  • A token seed file. The seed file can be either:

    • A .txt file in which each line holds a token serial number and its secret key, separated by a comma (no spaces)

    • A .csv file with the token serial number and the secret key in separate cells (no spaces or commas within a cell)

    The secret keys are strings of hexadecimal digits, the hex encoding of the secret programmed into the token (a 20-byte SHA-1 secret is 40 hex digits). The seed file holds the same secrets the tokens hold: anyone who obtains it can generate valid passcodes for every token it lists, so store it encrypted, restrict who can read it, and delete working copies once the import succeeds.

  • For each seed file, a single associated token type of either TOTP or HOTP.

  • For TOTP types, a refresh interval of 30 or 60 seconds. The default is 30.

  • For HOTP types, a start counter can be appended as an additional field in the seed file. If absent, it defaults to zero.
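The following script is an added example for this guide; it is not part of PingID or Ping Identity's code. It validates a seed file of the shape described above (serial and hex secret, with an optional HOTP start counter) and reports duplicate serials, which the import would reject, and it generates HOTP and TOTP codes from a seed so that an administrator can confirm, before importing, that the file, the token type and the 30- or 60-second refresh interval match what a physical token displays. The function names (parse_seed_file, hotp, totp, check_totp) are the script's own. The sample seed file is constructed: it combines the serial and secret from the example in step 7 with the RFC 4226 test secret "12345678901234567890", whose expected codes are published in that RFC.

```python
"""Validate a PingID-style OATH seed file and generate codes from it.

Added example; not PingID's own code. Names used here are assumptions.
"""
import csv
import hashlib
import hmac
import io
import struct
import time

HEX_DIGITS = set("0123456789abcdefABCDEF")

# RFC 4226 test secret "12345678901234567890" as hex (20 bytes, SHA-1 sized).
RFC4226_TEST_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")

# Constructed sample seed file: the pair from the guide's step 7 example plus
# a second token that uses the RFC 4226 test secret.
SAMPLE_SEED_FILE = (
    "2308734700388,6EBD59F71A634C48C4619CB33F6C385C9237C9BA\n"
    "1000000000001,3132333435363738393031323334353637383930\n"
)


def parse_seed_file(text, token_type="TOTP"):
    """Parse seed-file text: one token per line, 'serial,secret[,counter]'.

    Both the .txt and the .csv layouts are comma separated, so one reader
    handles both. Returns (records, errors); each record is
    (serial, secret_bytes, start_counter). Duplicate serials are reported
    because the PingID import rejects entries that duplicate existing tokens.
    """
    records, errors, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        row = [field.strip() for field in row]
        if not any(row):
            continue  # blank line
        if len(row) < 2 or not row[0]:
            errors.append(f"line {lineno}: expected serial,secret")
            continue
        serial, secret_hex = row[0], row[1]
        if not secret_hex or len(secret_hex) % 2 or not set(secret_hex) <= HEX_DIGITS:
            errors.append(f"line {lineno}: secret is not an even-length hex string")
            continue
        counter = 0
        if token_type == "HOTP" and len(row) > 2 and row[2]:
            if not row[2].isdigit():
                errors.append(f"line {lineno}: HOTP start counter must be an integer")
                continue
            counter = int(row[2])
        if serial in seen:
            errors.append(f"line {lineno}: duplicate serial {serial}")
            continue
        seen.add(serial)
        records.append((serial, bytes.fromhex(secret_hex), counter))
    return records, errors


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA-1, the algorithm the listed tokens use."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the time-step counter (30 or 60 s for PingID)."""
    return hotp(secret, int(unix_time) // step, digits)


def check_totp(secret, code, unix_time, step=30, window=1):
    """True if `code` matches the current time step or one within +/-window steps.

    Use window=0 to tell a 30-second token from a 60-second one; a wider
    window tolerates clock drift but can mask a wrong refresh interval.
    """
    current = int(unix_time) // step
    return any(
        hotp(secret, c) == code
        for c in range(current - window, current + window + 1)
        if c >= 0
    )


if __name__ == "__main__":
    records, errors = parse_seed_file(SAMPLE_SEED_FILE, token_type="TOTP")
    now = time.time()
    for serial, secret, _ in records:
        # Compare these with the token display to pick the right refresh interval.
        print(serial, "30s:", totp(secret, now, 30), "60s:", totp(secret, now, 60))
    for err in errors:
        print("error:", err)
```

Run it with the real seed file's contents in place of SAMPLE_SEED_FILE and compare the printed codes with the token display: if only the 60-second column matches, select 60 in the Refresh Interval list; if neither matches at window=0 and check_totp only succeeds with a wide window, the token clock has drifted and the interval choice cannot be confirmed from one reading.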

Steps

  1. In the PingOne admin portal, go to Setup → PingID → Configuration.

  2. Go to the Alternate Authentication Methods section.

    A screen capture of the Alternate Authentication Methods section.
  3. In the Enable column, select the OATH Token check box.

    Result:

    The Manage OATH Tokens modal opens.

    A screen capture of the Manage Oath Tokens window.
  4. Click Save & Manage Tokens.

    Result:

    The OATH Tokens tab opens and shows a list of previously saved tokens.

    If there are no saved tokens, the list will be empty.

    A screen capture of the OATH Tokens tab.
  5. Click Import Tokens.

    Result:

    The Import OATH Tokens modal opens.

    A screen capture of the Import OATH Tokens modal.
  6. Click Choose File.

  7. Navigate to your token seed file and select it.

    Example:

    A user imports a single token from a file called DAF.csv with the following seed.

    2308734700388,6EBD59F71A634C48C4619CB33F6C385C9237C9BA

    Result:

    The Import OATH Tokens modal shows the token information.

    A screen capture of the Import OATH Tokens window with an imported token.
  8. From the Token Type list, select the token type.

    A screen capture of the Token Type list.

    Example:

    A selection of TOTP - 6 Digits enables the Refresh Interval list.

    A screen capture of the Refresh Interval list.

    Result:

    The Import OATH Tokens modal now looks as follows.

    A screen capture of the Import OATH Tokens window.

    The Preview Record section shows information from the first record in the .csv file.

  9. For TOTP tokens, from the Refresh Interval list, select the interval (30 or 60 seconds) that matches the tokens in the seed file. HOTP tokens have no refresh interval.

  10. Click Import.

    To import further tokens later, go to Setup → PingID → OATH Tokens, and then click Import Tokens to reopen the Import OATH Tokens modal.

    Result:

    The newly imported tokens appear at the top of the OATH Tokens list.

    A screen capture of the OATH Tokens tab with the newly-created entry.

Troubleshooting

  • If your seed file contains entries that duplicate existing tokens, the Incomplete Token Report error is displayed.

    A screen capture of the Incomplete Token Import message showing a duplicate token.

    Remove the duplicate entries from the seed file and try again.

  • If your seed file is not in one of the accepted formats, you will receive the following error message.

    A screen capture of the Invalid File Type error message.