Introduction
As part of its robust support for multi-factor authentication (MFA), HelloID offers its users the ability to authenticate using Open Authentication (OATH) classic hardware tokens. These tokens are not vendor-specific, so you have a lot of very cost-effective options to provide a quick, easy, and secure method of generating one-time passwords.
To get started, go to Security > 2FA Management. Ensure that Hardware Token Authentication is enabled.
Then, go to Security > OATH Management. This page displays a list of all enrolled tokens.
Add tokens
Before a user can authenticate with a classic hardware token, it must be added to your HelloID environment. Tokens can be added one at a time, or in bulk by uploading a CSV file.
Single token
On the OATH Management page, select the Add single token button. You are prompted to enter the token information and to associate user(s).
See the Bulk section below for additional information on these fields.
A single token can be assigned to multiple users, and a single user can be assigned multiple different tokens.
Bulk
Bulk adding tokens is accomplished using the Import Tokens feature.
This feature lets you add multiple tokens at once by uploading a CSV file. A blank template is available for download at the bottom of this page. It uses the same format as Microsoft Azure MFA.
The CSV file includes the following fields. Much of this data is provided to you by the manufacturer after you purchase the token, such as the secret key and time interval.
- UPN: The login name of the user who owns the token. This field is case sensitive.
- Serial number: The serial number of the token.
- Secret key: The secret that the token uses to generate its passcode, in base32 with no spaces (e.g., xd37wewuxp2zvqdkpl4um7doedi6glbp).
- Time interval: The interval, in seconds, at which the passcode is refreshed.
- Manufacturer: The name of the token's manufacturer.
- Model: The name of the token's specific model.
After you have added rows to the CSV file, upload it using the Import Tokens button. Valid rows are added as new tokens in HelloID.
To download a CSV containing all existing tokens, select the Export Tokens button. This is primarily for viewing and/or recordkeeping. Tokens already existing in HelloID are never edited or removed when using Import Tokens. Thus, it is not possible to bulk edit tokens by downloading, editing, and re-importing a CSV file. Importing only adds new tokens.
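Because Import Tokens only adds valid rows and never edits existing tokens, it pays to check a CSV before uploading it. The following Python script is an added example, not part of HelloID or this article: it validates each row against the six fields listed above (non-empty UPN without stray whitespace, non-empty serial number, a base32 secret with no spaces, a positive integer time interval). The column header text, the sample rows, and the rule that the same serial number may appear on several rows (one token assigned to several users) only if the secret and interval agree are assumptions made for the example.

```python
import base64
import binascii
import csv
import io
from typing import Optional

# Column names follow the fields listed on the page; the exact header text of
# the Azure MFA-style template is an assumption of this example.
EXPECTED_FIELDS = ["upn", "serial number", "secret key", "time interval",
                   "manufacturer", "model"]

# Constructed sample import file: one good row, several deliberately bad ones,
# and the same token (serial 1000001) assigned to a second user.
SAMPLE_CSV = """upn,serial number,secret key,time interval,manufacturer,model
alice@example.com,1000001,xd37wewuxp2zvqdkpl4um7doedi6glbp,30,ExampleVendor,OTP-100
bob@example.com,1000002,xd37 wewu xp2z vqdk pl4u m7do edi6 glbp,30,ExampleVendor,OTP-100
carol@example.com,1000003,notbase32!!,60,ExampleVendor,OTP-100
dave@example.com,1000004,xd37wewuxp2zvqdkpl4um7doedi6glbp,abc,ExampleVendor,OTP-100
erin@example.com,1000001,xd37wewuxp2zvqdkpl4um7doedi6glbp,30,ExampleVendor,OTP-100
frank@example.com,1000001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,ExampleVendor,OTP-100
"""


def check_secret(secret: str) -> Optional[str]:
    """Return a problem description, or None if the secret is usable base32."""
    if secret != secret.strip() or " " in secret:
        return "secret key contains whitespace"
    # Vendors often omit '=' padding; pad to a multiple of 8 before decoding.
    padded = secret + "=" * (-len(secret) % 8)
    try:
        base64.b32decode(padded, casefold=True)
    except binascii.Error:
        return "secret key is not valid base32"
    return None


def check_row(row: dict) -> list:
    """Collect every problem with one CSV row (empty list means the row is fine)."""
    problems = []
    if any(row.get(f) is None for f in EXPECTED_FIELDS):
        return ["row has fewer columns than the header"]
    upn = row["upn"]
    if not upn.strip():
        problems.append("upn is empty")
    elif upn != upn.strip():
        problems.append("upn has leading/trailing whitespace (field is case sensitive)")
    if not row["serial number"].strip():
        problems.append("serial number is empty")
    secret_problem = check_secret(row["secret key"])
    if secret_problem:
        problems.append(secret_problem)
    interval = row["time interval"].strip()
    if not interval.isdigit() or int(interval) == 0:
        problems.append("time interval must be a positive integer of seconds")
    return problems


def validate_csv(text: str):
    """Split a CSV into (valid_rows, [(line_number, problem_text), ...])."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in EXPECTED_FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        return [], [(1, "header missing columns: " + ", ".join(missing))]
    ok, bad = [], []
    seen = {}  # serial number -> (secret, interval, first line)
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        problems = check_row(row)
        if not problems:
            serial = row["serial number"]
            ident = (row["secret key"].lower(), row["time interval"])
            if serial in seen and seen[serial][:2] != ident:
                problems.append(f"serial number {serial} has a different secret or "
                                f"interval than line {seen[serial][2]}")
            seen.setdefault(serial, ident + (line_no,))
        if problems:
            bad.append((line_no, "; ".join(problems)))
        else:
            ok.append(row)
    return ok, bad


if __name__ == "__main__":
    valid, invalid = validate_csv(SAMPLE_CSV)
    print(f"{len(valid)} row(s) ready to import")
    for line_no, why in invalid:
        print(f"line {line_no}: {why}")
```

Run it against the real export or template before importing; rows reported here would otherwise be silently skipped, and a whitespace-padded UPN would never match the intended user.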
Edit a token
After adding a token to HelloID, you can change which user account(s) are associated with it. For security reasons, it is not possible to edit any other parameters of a token. If you need to change the secret, serial number, etc., you must remove the token and add it again.
To edit the user(s) linked to a token, select its button.
Select the Save button to confirm.
Delete a token
To delete a token, select its button.
Select the Save button to confirm.
Login process
After a token has been added for a user, that user can authenticate with it during login.
Delegate token management
You may want to delegate token management to specific users and/or groups, such as the IT help desk—without granting full HelloID admin rights. To do so, follow the instructions below.
- Create a new role called Manage OATH Classic Hardware Tokens.
- Add the following rights to the role, by turning on their respective toggles:
  - Manage second factors - Configure
  - Admin Dashboard - Overview
  - Settings - Device Authentication
- Add the desired user(s) and/or group(s) to the role.
These users and/or groups now have access to the OATH Management page in the admin dashboard.
Time drift
The allowed clock skew for tokens is 15 times the token's time interval, in both directions. For example, if the interval is 30 seconds, the allowed skew is +/- 450 seconds; if the interval is 60 seconds, the allowed skew is +/- 900 seconds.
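To make the skew rule concrete, here is an added Python example (not HelloID's code) of a TOTP verifier that accepts a passcode generated up to 15 intervals before or after the server's current interval. It implements standard TOTP (RFC 6238, HMAC-SHA1, 6 digits) over a base32 secret such as the one in the CSV; the secret used in the code is the published RFC test vector, and the 6-digit/SHA-1 parameters are assumptions, since the article does not state which algorithm parameters HelloID uses.

```python
import base64
import hashlib
import hmac
import struct
import time

SKEW_STEPS = 15  # HelloID accepts codes up to 15 intervals early or late

# RFC 4226/6238 test secret ("12345678901234567890" in base32); constructed
# example value, not a real token secret.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Accept lower-case, unpadded base32 as it appears in the import CSV."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time interval."""
    return hotp(decode_secret(secret_b32), unix_time // step, digits)


def allowed_skew_seconds(step: int, skew_steps: int = SKEW_STEPS) -> int:
    """The page's rule: 15 x interval in each direction (30 s -> 450 s, 60 s -> 900 s)."""
    return step * skew_steps


def verify(secret_b32: str, code: str, unix_time: int, step: int = 30,
           skew_steps: int = SKEW_STEPS):
    """Return the interval offset at which `code` matches, or None if it is outside
    the +/- skew_steps window. A real verifier would also record the accepted
    counter so the same code cannot be replayed within the window."""
    secret = decode_secret(secret_b32)
    counter = unix_time // step
    for offset in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + offset), code):
            return offset
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("current code:", code)
    print("offset when checked 10 intervals late:", verify(DEMO_SECRET, code, now + 10 * 30))
    print("offset when checked 16 intervals late:", verify(DEMO_SECRET, code, now + 16 * 30))
```

The window is deliberately wide because classic hardware tokens cannot resynchronise their clock; the trade-off is that any single code stays valid for the whole window, which is why replay protection (never accepting a counter at or below the last accepted one) matters on the verifying side.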