As part of its robust support for multi-factor authentication (MFA), HelloID offers its users the ability to authenticate using Open Authentication (OATH) hardware tokens. These tokens are not vendor-specific, so you have a lot of very cost-effective options to provide a quick, easy, and secure method of generating one-time passwords.
Add Tokens to HelloID
Before a user can authenticate with an OATH hardware token, it must be added to your HelloID environment. This is done by either uploading a CSV file, or by adding a single token within the HelloID Administrator Dashboard. A template of the CSV file is included with this article. This CSV is the same format used by Microsoft Azure MFA.
The following are the fields of the CSV file. Much of this data is provided to you by the manufacturer after you purchase the token, such as the secret key and time interval.
- upn: This is the login name of the user who owns the token. This field is case sensitive.
- serial number: This is the serial number of the specific token.
- secret key: The secret that the token uses to generate its passcode.
- timeinterval: The interval at which the passcode is refreshed.
- manufacturer: The name of the token's manufacturer.
- model: The name of the token's specific model.
Once you've added your token information to the CSV file, navigate to Security > 2FA Management.
On the Manage Second Factors page, ensure that Hardware Token Authentication is enabled. Then, click Manage OATH Tokens.
The next page will display a list of all of your currently enrolled tokens. To add multiple new tokens, click the Import Tokens button. You will be prompted to upload a file. Find the CSV file that contains your hardware token information.
After you select the CSV file, it is uploaded to HelloID and parsed. The upn field is then used to look up the target user in HelloID, and the token is linked to their account.
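A pre-upload check for the import file described above, as an added example that is not part of HelloID or of this article: it validates each row and computes the passcode each token should be displaying, so a mistyped secret key or timeinterval is caught before import. It assumes Base32-encoded secret keys and standard RFC 6238 TOTP with HMAC-SHA1 and six digits; `totp`, `check_tokens` and the sample rows are hypothetical.

```python
import base64, csv, hashlib, hmac, io, struct

# Column names as listed in this article.
COLUMNS = ["upn", "serial number", "secret key", "timeinterval", "manufacturer", "model"]

def totp(secret_b32, interval, at, digits=6):
    """RFC 6238 code for Unix time `at` (assumed: Base32 secret, HMAC-SHA1, 6 digits)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # tolerate missing padding
    if not key:
        raise ValueError("empty secret key")
    mac = hmac.new(key, struct.pack(">Q", int(at) // interval), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_tokens(csv_text, at):
    """Return (errors, {serial number: passcode expected at Unix time `at`})."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return ["missing columns: " + ", ".join(missing)], {}
    errors, expected, spelling = [], {}, {}
    for line, row in enumerate(reader, start=2):
        v = {c: (row[c] or "").strip() for c in COLUMNS}
        # upn is case sensitive: flag spellings that differ only by case.
        first = spelling.setdefault(v["upn"].lower(), v["upn"])
        if not v["upn"] or first != v["upn"]:
            errors.append(f"line {line}: upn empty or differs only by case from {first!r}")
        try:
            interval = int(v["timeinterval"])
            if interval <= 0:
                raise ValueError("interval must be positive")
            expected[v["serial number"]] = totp(v["secret key"], interval, at)
        except ValueError:  # also covers binascii.Error raised by b32decode
            errors.append(f"line {line}: bad secret key or timeinterval")
    return errors, expected

# Constructed sample; the secret is the public RFC 6238 test key, not a real token seed.
SAMPLE = """upn,serial number,secret key,timeinterval,manufacturer,model
alice@example.com,1000001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,ExampleCo,X1
bob@example.com,1000002,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,60,ExampleCo,X1
Alice@example.com,1000003,not-base32!,30,ExampleCo,X1
"""

if __name__ == "__main__":
    import time
    print(check_tokens(SAMPLE, time.time()))
```

Compare the computed passcode with the one shown on the physical token before uploading. The file holds every token's seed, so run the check on a trusted machine and delete the CSV after import.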
Adding a single token
From the token import page, click the Add single token button. You will be prompted to enter the hardware key information and to associate user(s).
Much of this data is provided to you by the manufacturer after you purchase the token, such as the secret key and time interval.
Upon login, the associated user will have the option to authenticate using their token.
After the token has been added to HelloID, you can change which user account(s) are associated with each key via the Manage OATH tokens page. If the user is unable to log in using a newly added key, remove the key record from HelloID and then add it again. For security, editing parameters of a key after it has been entered is not an option.
We allow hardware tokens to be assigned to multiple users and a user to have multiple tokens.