MFA: Set up an OATH TOTP Hardware Token
Required Hardware:
iPhone or Android smartphone with NFC (used for enrollment only; not needed after enrollment)
TOKEN2 C301-i or TOKEN2 Molto2
The OATH TOTP hardware token provides a hardware-based MFA method: a self-contained token with a basic LCD display shows the 6-digit time-based one-time passcode, so no phone app is needed at sign-in. The seed programmed into the token is the only secret involved; anyone holding that seed can compute the same codes, so the seed must be handled as carefully as a password.
Intro:
This article will guide you through adding an OATH TOTP hardware token to a user's account in Entra ID.
Instructions:
- Download the OATH Hardware Token Setup.csv file and open it
- Go to https://www.token2.com/site/page/totp-toolset (keep this page open and do not refresh it after generating the new seed until all steps are complete; the QR code shown there is needed later by the NFC Burner app)
- Click the Random button to generate a new seed
- Copy the base32 seed key that is generated
- Paste the base32 seed key into the 'secret key' field of the CSV file
- Type the serial number from the back of the Token2 hardware token into the 'serial number' field of the CSV file
- Copy the User Principal Name of the user the token will be assigned to and paste it into the 'upn' field of the CSV file
- Your CSV file should now look like the image below (one row per token, with the upn, serial number and secret key fields filled in):
- Save the CSV file. Treat it as a secret: the seed alone is enough to generate valid codes for that user, so do not e-mail or share it, and delete the file once the token has been activated
- Go to Entra ID, search for 'OATH tokens' and open the OATH tokens page
- Click Upload on the OATH tokens page and upload the CSV file. You will receive a notification that it was uploaded successfully
note: It may take around 30 seconds for the token(s) to show once the upload has completed. Keep refreshing until you see the tokens
- On your smartphone, download and install the 'Token2 NFC Burner' app
- Open Token2 NFC Burner on your smartphone
- Go to Profile Configuration and change the settings to match the image below (the profile burned to the token must use the same digit count and time interval as the seed uploaded to Entra ID; if they differ, the token's codes will not match and activation will fail):
- In Token2 NFC Burner, go back to Burn Seeds and tap Clear
- In Token2 NFC Burner, tap the 'Scan QR' button and scan the QR code shown on the TOTP toolset page for the seed you generated earlier
- Press the power button on the OATH token
- Hold your phone's NFC reader against the Token2 hardware token, then tap Connect in NFC Burner if it does not connect automatically (the token display must be on)
- Press Burn Seed. You should see a notification that the burn was successful. The token is now programmed and ready to activate
- Go back to the Entra ID OATH tokens page and locate the new token. Click Activate and enter the OTP displayed on the Token2 hardware token. Entra ID should state that the token was activated successfully
The hardware token is now available for use by the assigned user.
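The following is an added example (not code from the original page, from Token2 or from Microsoft) that shows what the procedure above relies on: a base32 seed generated from the OS CSPRNG instead of a web page, the CSV row in the column layout the Entra ID OATH tokens upload expects (header `upn,serial number,secret key,time interval,manufacturer,model`), and the RFC 6238 TOTP computation with HMAC-SHA1 that both the token and Entra ID perform. It goes one step beyond the guide by adding a local check: before clicking Activate, the code on the token's display can be compared against the seed in the CSV, which tells you whether the burn and the NFC Burner profile (digits, interval) match the upload. Function names, the sample UPN and serial number are this example's own; the manufacturer and model columns are informational labels, filled here with the token named in this guide.

```python
"""Added example: local helpers for the Entra ID OATH hardware token enrollment.

Generates a seed from the OS CSPRNG, renders the CSV row in the layout the
Entra ID OATH tokens upload expects, and computes RFC 6238 TOTP (HMAC-SHA1)
so the code on the token's display can be checked before clicking Activate.
Function names and sample values are this example's own, not the page's.
"""
import base64
import csv
import hashlib
import hmac
import io
import secrets
import struct
import time
from typing import Optional

# Header of the Entra ID OATH tokens CSV upload; field names and order matter.
CSV_FIELDS = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]

# RFC 4648 base32 alphabet, used to sanity-check a seed before it goes into the CSV.
BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def generate_seed(nbytes: int = 20) -> str:
    """Return a fresh base32 seed (no '=' padding) from nbytes of CSPRNG output.
    20 bytes (160 bits) is the HMAC-SHA1 key length RFC 4226 recommends."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def decode_seed(seed_b32: str) -> bytes:
    """Decode a base32 seed, tolerating lowercase, spaces and missing padding."""
    s = seed_b32.strip().replace(" ", "").upper()
    if not s or not set(s) <= BASE32_ALPHABET:
        raise ValueError("seed is not base32")
    return base64.b32decode(s + "=" * (-len(s) % 8))


def build_csv(upn: str, serial: str, seed_b32: str, interval: int = 30,
              manufacturer: str = "Token2", model: str = "C301-i") -> str:
    """Render the header plus one token row for the Entra ID upload.
    manufacturer/model are informational labels (values: the token in this guide)."""
    decode_seed(seed_b32)  # fail early on a malformed seed rather than at upload time
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    w.writeheader()
    w.writerow({"upn": upn, "serial number": serial, "secret key": seed_b32,
                "time interval": interval, "manufacturer": manufacturer, "model": model})
    return buf.getvalue()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, unix_time: int, interval: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (unix_time // interval)."""
    return hotp(decode_seed(seed_b32), unix_time // interval, digits)


def check_token_display(seed_b32: str, displayed: str, unix_time: Optional[int] = None,
                        interval: int = 30, digits: int = 6, window: int = 1) -> bool:
    """True if the code on the token's display matches the seed in the CSV,
    allowing +/- `window` time steps of clock drift between token and server.
    False means the burned seed or the burner profile (digits/interval) differs
    from the CSV, and Activate in Entra ID would fail for the same reason."""
    if unix_time is None:
        unix_time = int(time.time())
    secret = decode_seed(seed_b32)
    step = unix_time // interval
    displayed = displayed.strip()
    return any(hmac.compare_digest(hotp(secret, step + k, digits), displayed)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    # Constructed sample values, not real enrollment data.
    seed = generate_seed()
    print(build_csv("user@example.com", "1234567890", seed))
    print("code the token should show right now:", totp(seed, int(time.time())))
```

Usage: run the script to get a seed and a ready-to-upload CSV, then, after burning, call `check_token_display(seed, "<code on the token>")`; a True result before you click Activate confirms the burn used the same seed and profile as the upload. The check tolerates one 30-second step of drift, which is also why a code should be typed into Entra ID promptly rather than after the display has rolled over.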
Offboarding and reassignment:
Employees must return the hardware token when their relationship with the company ends. The hardware token should be unassigned (removed from the OATH tokens list in Entra ID) at the time the employee is no longer employed by HPG Brands.
After it has been removed from the OATH tokens list in Entra ID, the token may be reassigned by following the instructions in this guide from the beginning. This includes generating a fresh seed for the new user; do not reuse the previous seed.