Hardware tokens allow administrators to leverage One-Time Password (OTP) generating devices for accessing resources protected with LoginTC. Administrators may leverage their own existing hardware tokens or purchases tokens from Cyphercor. For more information on purchasing tokens please contact our sales team.
See the Pricing page for more information about subscription options.
Hardware tokens must be OATH compliant time based TOTP using 6 or 8 digits and a 30 or 60 seconds time interval.
There are many ways to add hardware tokens to LoginTC. Use any of the methods below.
Manual hardware token creation is appropriate when you want to add just a few.
To manually add a hardware token:
CSV import is appropriate when you have many hardware tokens. Create a comma-separated values (CSV) file with each hardware token on its own line, like this:
The first field is the Serial Number while the second is the hexadecimal format of the TOTP seed.
To bulk import a CSV file:
To associate a hardware token with a user:
To disassociate a hardware token with a user:
Although a hardware token is associated with one user, they can only be used to access applications that have hardware token authentication enabled.
To enable or disable hardware tokens for a specific application:
Although a hardware token is associated with one user, they can only be used to access domains that have hardware token authentication enabled.
To enable or disable hardware tokens for a domain:
When authenticating, a user enters their username normally. In the password field, they should should enter their password followed immediately by a comma and the One-Time Password (OTP).Regular input (without OTP) :
username: john.doe password: johnPasswordInput with OTP :
username: john.doe password: johnPassword,123456
If the OTP is valid, the user will be authenticated without a request being sent to their 2nd factor device. If the OTP is invalid the user’s request will be denied.
There must not be any spaces between the password, the comma, and the OTP
If your users are having difficulty authenticating with OTPs, check the Logs page in the LoginTC RADIUS Connector web interface:
If a user is trying to access a domain where hardware token authentication is not enabled, you will find the following error message within their authentication attempt:
2016-08-04 13:40:25,163 - DEBUG - Checking for otp 2016-08-04 13:40:25,300 - DEBUG - otp are not enabled for this domain 2016-08-04 13:40:25,300 - CRITICAL - Invalid credentials for user john.doe Exception: Invalid credentials for user john.doe
You can enable or disable hardware token authentication for a domain from the LoginTC Admin App. Click here for more information
If a OTP is detected, you will find the following log messages associated with the user’s login attempt:
2016-08-04 17:17:31,568 - DEBUG - Checking for otp 2016-08-04 17:17:31,607 - DEBUG - otp enabled for this domain 2016-08-04 17:17:31,607 - DEBUG - Possible otp detected 2016-08-04 17:17:31,616 - DEBUG - Verifying otp for john.doe 2016-08-04 17:17:31,616 - DEBUG - Calling-Station-IP is null, not sending originating IP Address 2016-08-04 17:17:31,684 - CRITICAL - Invalid otp APIException: Invalid otp
In this case, the user may be attempting to use a OTP that is either: - Not associated with the user - Out of Sync
You can check the state of a user’s otp through the LoginTC Admin Panel. Click here for more information on managing hardware tokens.