Hardware Tokens (OTP) Guide

Overview

Hardware tokens allow administrators to leverage One-Time Password (OTP) generating devices for accessing resources protected with LoginTC. Administrators may leverage their own existing hardware tokens or purchases tokens from Cyphercor. For more information on purchasing tokens please contact our sales team.

Professional, Business or Enterprise subscription required

See the Pricing page for more information about subscription options.

Supported hardware tokens

Hardware tokens must be OATH compliant time based TOTP using 6 or 8 digits and a 30 or 60 seconds time interval.

Adding Hardware Tokens

There are many ways to add hardware tokens to LoginTC. Use any of the methods below.

Manually

Manual hardware token creation is appropriate when you want to add just a few.

To manually add a hardware token:

  1. Log in to LoginTC Admin
  2. Click Hardware Tokens: Hardware Token
  3. Click Add Hardware Token
  4. Enter hardware token details Hardware Token Details
  5. Click Create

CSV Import

CSV import is appropriate when you have many hardware tokens. Create a comma-separated values (CSV) file with each hardware token on its own line, like this:

4712566346393,755B36B311960A2BD1EEB6CFC2AD306946F3ACE6
6855176713618,42E13728406B8C833288C6D715069526E0BFEB32

The first field is the Serial Number while the second is the hexadecimal format of the TOTP seed.

To bulk import a CSV file:

  1. Log in to LoginTC Admin
  2. Click Hardware Tokens: Hardware Token
  3. Click Bulk Import: Bulk Import
  4. Select a CSV file and click Import
  5. You can now manage your hardware tokens (e.g. associate them with users) Bulk Import

Managing Hardware Tokens

Associating with a User

To associate a hardware token with a user:

  1. Log in to LoginTC Admin
  2. Click Hardware Tokens Hardware Token
  3. Click the hardware token you would like to associate
  4. Click Associate User
  5. Select the user you would like to associate. Use the Search filter to narrow down results Associate User
  6. Click Associate User

Disassociating from a User

To disassociate a hardware token with a user:

  1. Log in to LoginTC Admin
  2. Click Hardware Tokens Hardware Token
  3. Click the hardware token you would like to associate
  4. Click Disassociate User: Disassociate User
  5. Click Disassociate User

Enabling / Disabling Hardware Tokens for a Domain

Although a hardware token is associated with one user, they can only be used to access domains that have hardware token authentication enabled.

To enable or disable hardware tokens for a domain:

  1. Log in to LoginTC Admin
  2. Click Domains
  3. Select the domain you want to modify
  4. Click on Settings:
  5. Scroll down to Hardware Tokens
  6. Select either enabled or disabled
  7. Scroll down to the bottom of the page and click Update

Using Hardware Tokens

When authenticating, a user enters their username normally. In the password field, they should should enter their password followed immediately by a comma and the One-Time Password (OTP).

Regular input (without OTP) :
    username: john.doe
    password: johnPassword
Input with OTP :
    username: john.doe
    password: johnPassword,123456

If the OTP is valid, the user will be authenticated without a request being sent to their 2nd factor device. If the OTP is invalid the user’s request will be denied.

NOTE

There must not be any spaces between the password, the comma, and the OTP

Troubleshooting

If your users are having difficulty authenticating with OTPs, check the Logs page in the LoginTC RADIUS Connector web interface:

  1. Log in to your RADIUS connector web UI
  2. Click Logs

Hardware Token Not Enabled for Domain

If a user is trying to access a domain where hardware token authentication is not enabled, you will find the following error message within their authentication attempt:

    2016-08-04 13:40:25,163 - DEBUG - Checking for otp
    2016-08-04 13:40:25,300 - DEBUG - otp are not enabled for this domain
    2016-08-04 13:40:25,300 - CRITICAL - Invalid credentials for user john.doe

    Exception: Invalid credentials for user john.doe 

You can enable or disable hardware token authentication for a domain from the LoginTC Admin App. Click here for more information

Invalid OTP

If a OTP is detected, you will find the following log messages associated with the user’s login attempt:

    2016-08-04 17:17:31,568 - DEBUG - Checking for otp
    2016-08-04 17:17:31,607 - DEBUG - otp enabled for this domain
    2016-08-04 17:17:31,607 - DEBUG - Possible otp detected

    2016-08-04 17:17:31,616 - DEBUG - Verifying otp for john.doe
    2016-08-04 17:17:31,616 - DEBUG - Calling-Station-IP is null, not sending originating IP Address
    2016-08-04 17:17:31,684 - CRITICAL - Invalid otp

    APIException: Invalid otp

In this case, the user may be attempting to use a OTP that is either: - Not associated with the user - Out of Sync

You can check the state of a user’s otp through the LoginTC Admin Panel. Click here for more information on managing hardware tokens.