Introduction

As part of its robust support for multi-factor authentication (MFA), HelloID offers its users the ability to authenticate using Open Authentication (OATH) classic hardware tokens. These tokens are not vendor specific, so you have a lot of very cost-effective options to provide a quick, easy, and secure method of generating a one-time passwords.

Add tokens

Before a user can authenticate with an OATH hardware token, it must be added to your HelloID environment. This is done by either uploading a CSV file to bulk add tokens, or by using the Administrator dashboard to add a single token.

Bulk

A template of the CSV file is included at the bottom of this article. This CSV is the same format used by Microsoft Azure MFA.

The following are the fields of the CSV file. Much of this data is provided to you by the manufacturer after you purchase the token, such as the secret key and time interval.

• UPN
  This is the login name of the user who owns the token. This field is case sensitive.
• Serial number
  This is the serial number of the specific token.
• Secret key
  The secret that the key uses to generate its passcode, in base32 with no spaces (e.g., xd37wewuxp2zvqdkpl4um7doedi6glbp)
• Time interval
  The interval at which the passcode is refreshed.
• Manufacturer
  The name of the token's manufacturer.
• Model
  The name of the token's specific model.

Once you've added your token information to the CSV file, navigate to Security > 2FA Management.

On the Manage Second Factors, ensure that Hardware Token Authentication is enabled. Then, click Manage OATH Tokens.

The next page will display a list of all of your currently enrolled tokens. To add multiple new tokens, click the Import Tokens button. You will be prompted to upload a file. Find the CSV file that contains your hardware token information.

After selecting the CSV file, it will be uploaded to HelloID and parsed. Then the UPN field will be used to look up the target user in HelloID, and the token will be linked to their account.

Single token

From the token import page, click the Add single token button. You will be prompted to enter the hardware key information and to associate user(s).

See the 'Bulk' section above for additional information on these fields.

Much of this data is provided to you by the manufacturer after you purchase the token, such as the secret key and time interval. 

Upon login, the associated user will have the option to authenticate using their token.

Key adjustments

After the token has been added to HelloID you can change which user account(s) are associated with each token via the Manage OATH tokens page. If the user is unable to login using a newly added token, remove the record from HelloID and then add it again. For security, editing parameters of a token after it has been entered is not an option.

We allow classic hardware tokens to be assigned to multiple users, and a user to have multiple tokens.

Let users manage tokens

You may want to delegate token management to specific users and/or groups, such as the IT help desk—without granting full HelloID admin rights. To do so, follow the instructions below.

1. Create a new role called Manage OATH Classic Hardware Tokens.
2. Add the following rights to the role, by turning on their respective toggles:
   1. Manage second factors - Configure
   2. Admin Dashboard - Overview
   3. Settings - Device Authentication
3. Add the desired user(s) and/or group(s) to the role.

Now, these users and/or groups will now be able to manage classic hardware tokens in the Administrator dashboard: