Configuring OATH token authentication
You can enable OATH tokens as an authentication method in customer (PingOne MFA) or workforce (PingID) environments. When enabled, users can pair a supported OATH token to their account or app and use it to sign on to your company services and applications with the added security of multi-factor authentication (MFA).
Before you begin
To configure OATH tokens, you must have the following items from each token manufacturer and for each supplied token model:
- A token seed file. The seed file can be either:
  - A .txt file consisting of lines with a comma separating the token serial numbers and secret keys (without spaces)
  - A .csv file with the token serial numbers and secret keys in different cells (without spaces or commas)
  The secret keys are strings of hexadecimal digits. Treat the seed file as a credential store: anyone who holds it can generate valid OTPs for every token it lists, so transfer it over a protected channel and delete working copies once the tokens are imported.
- For each seed file, a single associated token type of either TOTP or HOTP.
- For TOTP types, a refresh interval of 30 or 60 seconds, and a hash algorithm of either SHA1, SHA256, or SHA512. The default values are 30 seconds and SHA256, respectively.
- For HOTP types, a start counter, which can be appended as an additional field in the seed file. If absent, it defaults to 0.
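Before importing a seed file it is worth checking that it matches what the tokens actually display. The following Python script is an added example for this page, not code from Ping Identity or from any token manufacturer. It parses the comma-delimited seed layout described above (serial, hex secret, optional HOTP start counter), enforces the no-spaces and hexadecimal rules, and computes the OTP each token should show using the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms, so the value can be compared against the physical token before the file goes into the MFA policy. Assumptions: both .txt and .csv layouts use a comma delimiter, tokens are 6-digit, the serial numbers in `SAMPLE_SEED_FILE` are constructed, and the secrets are the RFC reference seeds rather than real token keys.

```python
"""Validate an OATH token seed file and compute the OTP each token should show.

Seed-file layout handled here (constructed to match the page's description;
both .txt and .csv are assumed comma-delimited):
    <serial>,<secret-hex>[,<start-counter>]
The optional third field is the HOTP start counter (defaults to 0).
"""
import csv
import hashlib
import hmac
import struct
import time

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_seed_file(text):
    """Return a list of (serial, secret_hex, start_counter) tuples.

    Raises ValueError on any line that should not be imported: wrong field
    count, spaces inside a field, non-hex or odd-length secret, a start
    counter that is not a non-negative integer, or a serial listed twice.
    """
    records, seen = [], set()
    # csv.reader accepts any iterable of lines; splitlines() keeps it
    # independent of CRLF/LF and lets it handle quoting added by spreadsheets.
    for lineno, row in enumerate(csv.reader(text.splitlines()), 1):
        if not row or all(f == "" for f in row):
            continue  # blank line
        if len(row) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {len(row)}")
        if any(ch.isspace() for field in row for ch in field):
            raise ValueError(f"line {lineno}: fields must not contain spaces")
        serial, secret = row[0], row[1]
        if not serial:
            raise ValueError(f"line {lineno}: empty serial number")
        if not secret or len(secret) % 2 or not set(secret) <= HEX_DIGITS:
            raise ValueError(f"line {lineno}: secret for {serial} is not an even-length hex string")
        try:
            counter = int(row[2]) if len(row) == 3 else 0
        except ValueError:
            raise ValueError(f"line {lineno}: start counter for {serial} is not an integer") from None
        if counter < 0:
            raise ValueError(f"line {lineno}: negative start counter for {serial}")
        if serial in seen:
            raise ValueError(f"line {lineno}: duplicate serial {serial}")
        seen.add(serial)
        records.append((serial, secret.lower(), counter))
    return records


def hotp(secret_hex, counter, digits=6, algorithm="SHA1"):
    """HOTP per RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(bytes.fromhex(secret_hex), struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_hex, unix_time, step=30, digits=6, algorithm="SHA256"):
    """TOTP per RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_hex, int(unix_time) // step, digits, algorithm)


def expected_otps(records, token_type, step=30, algorithm=None, digits=6, now=None):
    """Map each serial to the OTP the physical token should display.

    HOTP: the value for the start counter, i.e. the next press of the button.
    TOTP: the value for the current 30 s or 60 s window (or for `now`).
    """
    if token_type == "HOTP":
        algorithm = algorithm or "SHA1"      # supported HOTP devices are SHA-1
        return {s: hotp(k, c, digits, algorithm) for s, k, c in records}
    if token_type == "TOTP":
        if step not in (30, 60):
            raise ValueError("TOTP refresh interval must be 30 or 60 seconds")
        algorithm = algorithm or "SHA256"    # page default for TOTP
        t = time.time() if now is None else now
        return {s: totp(k, t, step, digits, algorithm) for s, k, _ in records}
    raise ValueError("token_type must be 'TOTP' or 'HOTP'")


# RFC 4226 / RFC 6238 reference seeds: the ASCII string "1234567890" repeated to
# 20, 32 and 64 bytes, written as hex exactly as they would appear in a seed file.
RFC_SEED_SHA1 = ("1234567890" * 2).encode().hex()
RFC_SEED_SHA256 = ("1234567890" * 4)[:32].encode().hex()
RFC_SEED_SHA512 = ("1234567890" * 7)[:64].encode().hex()

# Constructed seed file: the serial numbers are made up for illustration.
SAMPLE_SEED_FILE = (
    f"1000000001,{RFC_SEED_SHA1}\n"
    f"1000000002,{RFC_SEED_SHA1},5\n"   # HOTP token already advanced to counter 5
)

if __name__ == "__main__":
    recs = parse_seed_file(SAMPLE_SEED_FILE)
    print(expected_otps(recs, "HOTP"))                            # {'1000000001': '755224', '1000000002': '254676'}
    print(expected_otps(recs, "TOTP", algorithm="SHA1", now=59))  # both '287082' (window 1 with a 30 s step)
```

Run it against the real seed file with the token type, interval and algorithm you intend to set in the MFA policy; if the computed value does not match the token's display, the seed, counter or algorithm in the file is wrong and the import will produce tokens that never authenticate.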
Supported OATH tokens
Strong authentication supports hardware OTP tokens that are OATH compliant:
- HOTP SHA-1 devices
- TOTP SHA-1, SHA-256, and SHA-512 devices with 30 or 60 second OTP refresh intervals
- Any of the above devices that use a PIN code
Ping Identity doesn't:
- Sell hardware tokens
- Recommend any particular hardware token manufacturer
The following OATH tokens have been checked for use as an MFA authentication method.
Manufacturer | Model | Type
---|---|---
Feitian | Display card | TOTP-60-sec
Feitian | OTP c200 | TOTP-60-sec
Feitian | Display card | HOTP
Gemalto | EZIO display card | TOTP-30-sec
HyperSecu | c100 token | HOTP
HyperSecu | Edge plus | TOTP-60-sec
HyperSecu | c200 token | TOTP-30-sec
HyperSecu | HyperOTP | TOTP-60-sec
HyperSecu | Edge plus | TOTP-30-sec
Protectimus | Protectimus TWO | TOTP-30-sec
About this task
You can use OATH hardware tokens to generate a one-time passcode (OTP) to authenticate. OATH hardware tokens are useful where users don't have, or for security reasons can't have, access to the internet, a USB connection, or a mobile device.
Learn more about the user experience in the PingID End User Guide.
To add OATH tokens as an authentication method for MFA:
Steps
- Configure the MFA policy, including the OATH-specific configurations. Learn more in Configuring an MFA policy for strong authentication.