Configuring OATH token authentication for PingID
An OATH token is a secure one-time passcode (OTP) that can be used for two-factor authentication and is OATH compliant.
Hardware OATH tokens are used where there are no provisions for connection to the Internet, USB connections, or mobile phones, which might be disallowed for security reasons. For more information, see https://openauthentication.org/.
PingID supports hardware OTP tokens that are OATH compliant:
-
HOTP SHA-1 devices
-
TOTP SHA-1 devices with 30 or 60 second OTP refresh intervals
-
Any of the above devices that use a PIN code
PingID does not:
-
Sell hardware tokens
-
Recommend any particular hardware token manufacturer
The following OATH tokens have been checked for user authentication by PingID.
| Manufacturer | Model | Type |
|---|---|---|
Feitian |
Display card |
TOTP-60-sec |
Feitian |
OTP c200 |
TOTP-60-sec |
Feitian |
Display card |
HOTP |
Gemalto |
EZIO display card |
TOTP-30sec |
HyperSecu |
c100 token |
HOTP |
HyperSecu |
Edge plus |
TOTP-60sec |
HyperSecu |
c200 token |
TOTP-30sec |
HyperSecu |
HyperOTP |
TOTP-60sec |
HyperSecu |
Edge plus |
TOTP-30 sec |
Protectimus |
Protectimus TWO |
TOTP-30sec |
For information about the user registration, see the PingID End User Guide. NOTE: In the event of three consecutive failed authentication attempts with an OATH token, the user will have to wait two minutes before trying to authenticate again.
Configuring OATH token authentication
Before you begin
To configure OATH tokens, you must have the following items from each token manufacturer and for each supplied token model:
-
A token seed file. The seed file can be either:
-
A .txt file consisting of lines with a comma separating the token serial numbers and secret keys (without spaces)
-
A .csv file with the token serial numbers and secret keys in different cells (without spaces or commas)
The secret keys are strings of hexadecimal digits.
-
-
For each seed file, a single associated token type of either TOTP or HOTP.
-
For TOTP types, a refresh interval of 30 or 60 seconds. The default is 30.
|
For HOTP types, a start counter can appended as an additional field in the seed file. If absent, it defaults to zero. |
Steps
-
In the PingOne admin portal, go to Setup → PingID → Configuration.
-
Go to the Alternate Authentication Methods section.
-
In the Enable column, select the OATH Token check box.
Result:
The Manage OATH Tokens modal opens.
-
Click Save & Manage Tokens.
Result:
The OATH Tokens tab opens and shows a list of previously saved tokens.
If there are no saved tokens, the list will be empty.
-
Click Import Tokens.
Result:
The Import OATH Tokens modal opens.
-
Click Choose File.
-
Navigate to your token seed file and select it.
Example:
A user imports a single token from a file called
DAF.csvwith the following seed.2308734700388,6EBD59F71A634C48C4619CB33F6C385C9237C9BA
Result:
The Import OATH Tokens modal shows the token information.
-
From the Token Type list, select the token type.
Example:
A selection of TOTP - 6 Digits enables the Refresh Interval list.
Result:
The Import OATH Tokens modal now looks as follows.
The Preview Record section shows information from the first record in the
.csvfile. -
Optional: If applicable, from the Refresh Interval list, select the refresh interval.
-
Click Import.
To return to the Import OATH Tokens modal, go to Setup → PingID → OATH Tokens, and then click Import Tokens.
Result:
The newly imported tokens appear at the top of the OATH Tokens list.
Troubleshooting
-
If your seed file contains entries that duplicate existing tokens, the Incomplete Token Report error is displayed.
Remove the duplicate entries from the seed file and try again.
-
If your seed file is invalid, you will receive the following error message.
