---
title: Configuring OATH token authentication
description: You can enable OATH tokens as an authentication method in Customer or Workforce environments. When enabled, users can pair a supported OATH token to their account or app and use it to sign on to your company services and applications with the added security of multi-factor authentication (MFA).
component: pingone
page_id: pingone:strong_authentication_mfa:p1_pid_oath_tokens
canonical_url: https://docs.pingidentity.com/pingone/strong_authentication_mfa/p1_pid_oath_tokens.html
revdate: September 5, 2024
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
---

# Configuring OATH token authentication

You can enable OATH tokens as an authentication method in Customer or Workforce environments. When enabled, users can pair a supported OATH token to their account or app and use it to sign on to your company services and applications with the added security of multi-factor authentication (MFA).

## Before you begin

To configure OATH tokens, you must have the following items from each token manufacturer and for each supplied token model:

* A token seed file. The seed file can be either:

  * A `.txt` file consisting of lines with a comma separating the token serial numbers and secret keys (without spaces)

  * A `.csv` file with the token serial numbers and secret keys in different cells (without spaces or commas)

    The secret keys are strings of hexadecimal digits.

* For each seed file, a single associated token type of either TOTP or HOTP.

* For TOTP types, a refresh interval of 30 - 60 seconds and a hash algorithm of SHA1, SHA256, or SHA512. The default values are 30 seconds and SHA256, respectively.

For HOTP types, a start counter can be appended as an additional field in the seed file. If absent, it defaults to 0.
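A pre-upload check for the `.txt` seed format described above, as an added example that is not Ping Identity code: it validates each line and computes the RFC 4226 HOTP code so a seed can be spot-checked against the code shown on the physical token. The names `parse_seed_file` and `hotp` are hypothetical, and the 6-digit code length, whole-byte (even-length) hex secrets, and unique serial numbers are assumptions rather than documented requirements.

```python
import hashlib
import hmac
import re

def parse_seed_file(text, token_type):
    """Parse 'serial,secret[,start_counter]' lines; return (entries, errors)."""
    entries, errors, seen = [], [], set()
    max_fields = 3 if token_type == "HOTP" else 2  # start counter is HOTP-only
    for n, line in enumerate(text.splitlines(), 1):
        if not line:
            continue  # assumption: blank lines are skipped
        # Error messages carry line numbers only, so secret keys never reach logs.
        if any(c.isspace() for c in line):
            errors.append(f"line {n}: contains whitespace")
            continue
        fields = line.split(",")
        if not 2 <= len(fields) <= max_fields:
            errors.append(f"line {n}: wrong number of fields for {token_type}")
            continue
        serial, secret = fields[:2]
        if not serial or serial in seen:  # assumption: serials must be unique
            errors.append(f"line {n}: missing or duplicate serial number")
            continue
        if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", secret):  # assumption: whole bytes
            errors.append(f"line {n}: secret key is not a hexadecimal string")
            continue
        counter = fields[2] if len(fields) == 3 else "0"  # absent counter defaults to 0
        if not re.fullmatch(r"[0-9]+", counter):
            errors.append(f"line {n}: start counter is not a number")
            continue
        seen.add(serial)
        entries.append({"serial": serial, "secret": bytes.fromhex(secret),
                        "counter": int(counter)})
    return entries, errors

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP (HMAC-SHA-1); digits=6 is an assumption about the token."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed sample: the first secret is the public RFC 4226 test key, not a real seed.
SAMPLE = ("SN0001,3132333435363738393031323334353637383930,1\n"
          "SN0002,zz11\nSN0001,00ff\nSN0003, 00ff\n")
```

Comparing `hotp(entry["secret"], entry["counter"])` with the code displayed on a sample token confirms that the seed file, token type, and start counter match the hardware before the file is uploaded.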

**Supported OATH tokens**

Strong authentication supports hardware OTP tokens that are OATH compliant:

* HOTP SHA-1 devices

* TOTP SHA-1, SHA-256, and SHA-512 devices with 30 or 60 second OTP refresh intervals

* Any of the above devices that use a PIN code

Ping Identity doesn't:

* Sell hardware tokens

* Recommend any particular hardware token manufacturer

The following OATH tokens have been checked for use as an MFA authentication method.

| Manufacturer | Model             | Type        |
| ------------ | ----------------- | ----------- |
| Feitian      | Display card      | TOTP-60-sec |
| Feitian      | OTP c200          | TOTP-60-sec |
| Feitian      | Display card      | HOTP        |
| Gemalto      | EZIO display card | TOTP-30-sec |
| HyperSecu    | c100 token        | HOTP        |
| HyperSecu    | Edge plus         | TOTP-60-sec |
| HyperSecu    | c200 token        | TOTP-30-sec |
| HyperSecu    | HyperOTP          | TOTP-60-sec |
| HyperSecu    | Edge plus         | TOTP-30-sec |
| Protectimus  | Protectimus TWO   | TOTP-30-sec |

## About this task

You can use OATH hardware tokens to generate a one-time passcode (OTP) to authenticate. OATH hardware tokens can be useful in situations where users don't or can't have access to the internet, a USB connection, or a mobile device for security reasons.

To add OATH tokens as an authentication method for MFA:

## Steps

* Configure the MFA policy, including the OATH-specific configurations. Learn more in [Configuring an MFA policy for strong authentication](p1_creating_an_mfa_policy_for_strong_auth.html).
