(Workforce Only) Configuring OATH token authentication for PingID
PingID allows users to pair an OATH token to their account or app and use it to sign on to your company services and applications with the added security of multi-factor authentication (MFA).
Before you begin
To configure OATH tokens, you must have the following items from each token manufacturer and for each supplied token model:
- A token seed file. The seed file can be either:
  - A .txt file consisting of lines with a comma separating the token serial numbers and secret keys (without spaces)
  - A .csv file with the token serial numbers and secret keys in different cells (without spaces or commas)

  The secret keys are strings of hexadecimal digits.
- For each seed file, a single associated token type of either TOTP or HOTP.
- For TOTP types, a refresh interval of 30 - 60 seconds, and a hash algorithm of either SHA1, SHA256, or SHA512. The default values are 30 seconds and SHA256, respectively.

For HOTP types, a start counter can be appended as an additional field in the seed file. If absent, it defaults to 0.
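A pre-upload check for the .txt seed file layout described above, as an added example (not Ping Identity's code). The function name, the sample serial numbers and keys, the skipping of blank lines, and the 128-bit minimum key length (the RFC 4226 requirement, not a documented PingID rule) are assumptions of this example; errors report only line numbers so secret keys never reach logs.

```python
import re

HEX_RE = re.compile(r"[0-9A-Fa-f]+")
COUNTER_RE = re.compile(r"[0-9]+")
MIN_SECRET_HEX = 32  # 128 bits: minimum shared-secret length per RFC 4226

def validate_seed_lines(text, token_type):
    """Return (accepted, errors) for serial,secret[,start_counter] lines."""
    if token_type not in ("TOTP", "HOTP"):
        raise ValueError("token_type must be 'TOTP' or 'HOTP'")
    max_fields = 3 if token_type == "HOTP" else 2  # counter field is HOTP-only
    accepted, errors, seen = [], [], set()
    for n, line in enumerate(text.splitlines(), start=1):
        if not line:
            continue  # blank lines are skipped (assumption of this example)
        if any(ch.isspace() for ch in line):
            errors.append((n, "contains whitespace"))
            continue
        fields = line.split(",")
        if not 2 <= len(fields) <= max_fields:
            errors.append((n, "wrong number of fields"))
            continue
        serial, secret = fields[0], fields[1]
        counter = fields[2] if len(fields) == 3 else "0"  # absent counter: 0
        if not serial:
            errors.append((n, "empty serial number"))
        elif serial in seen:
            errors.append((n, "duplicate serial number"))
        elif not HEX_RE.fullmatch(secret):
            errors.append((n, "secret key is not hexadecimal"))
        elif len(secret) < MIN_SECRET_HEX:
            errors.append((n, "secret key shorter than 128 bits"))
        elif not COUNTER_RE.fullmatch(counter):
            errors.append((n, "start counter is not a non-negative integer"))
        else:
            seen.add(serial)
            accepted.append((serial, int(counter)))
    return accepted, errors

# Constructed sample seed file (serials and keys are made up, not real tokens).
SAMPLE = """\
SN1001,00112233445566778899aabbccddeeff00112233,5
SN1002,00112233445566778899aabbccddeeff
SN1003, 00112233445566778899aabbccddeeff
SN1004,00112233445566778899aabbccddeefg
SN1002,ffeeddccbbaa99887766554433221100
SN1005,0011223344556677
SN1006,00112233445566778899aabbccddeeff,-1
"""
```

Run it with the token type that will be associated with the seed file: the same file yields different results for `"HOTP"` and `"TOTP"` because only HOTP lines may carry a start counter.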
Supported OATH tokens
PingID supports hardware OTP tokens that are OATH compliant:
- HOTP SHA-1 devices
- TOTP SHA-1, SHA-256, and SHA-512 devices with 30 or 60 second OTP refresh intervals
- Any of the above devices that use a PIN code
Ping Identity does not:
- Sell hardware tokens
- Recommend any particular hardware token manufacturer
The following OATH tokens have been checked for user authentication by PingID.
Manufacturer | Model | Type |
---|---|---|
Feitian | Display card | TOTP-60-sec |
Feitian | OTP c200 | TOTP-60-sec |
Feitian | Display card | HOTP |
Gemalto | EZIO display card | TOTP-30-sec |
HyperSecu | c100 token | HOTP |
HyperSecu | Edge plus | TOTP-60-sec |
HyperSecu | c200 token | TOTP-30-sec |
HyperSecu | HyperOTP | TOTP-60-sec |
HyperSecu | Edge plus | TOTP-30-sec |
Protectimus | Protectimus TWO | TOTP-30-sec |
About this task
OATH hardware tokens can be used to generate a one-time passcode (OTP) with which to authenticate. OATH hardware tokens can be useful in situations where users do not or cannot have access to the internet, a USB connection, or a mobile device for security reasons.
Learn more about the user experience in the PingID End User Guide.
To add OATH tokens as an authentication method for MFA:
Steps
- Configure the MFA policy, including the OATH-specific configurations. Learn more in Configuring an MFA policy for strong authentication.