OTP hardware token
This section includes instructions for activating your OTP hardware token. Once it is activated, you need to use passcodes generated from this token every time you log in.
The terms token and authenticator are used interchangeably in this section.
The information in this section applies to the following OTP tokens:
- eToken PASS: a one-time password (OTP) authenticator that offers two-factor strong authentication. eToken PASS is available in both time- and event-based versions.
- GOLD: an event-based one-time password (OTP) strong authentication device that supports challenge response functionality. It offers an additional layer of security by generating the OTP only after users enter a PIN on the token keypad.
- SafeNet OTP 110: a portable, OATH-certified one-time password (OTP) device that ensures unconnected authentication operation. In case of theft or loss, the user can utilize one-time access by creating a virtual token and generating an OTP.
- SafeNet eToken 3300 (formerly known as Platinum): a device having the same features as the GOLD. Its durable case and housing enable it to have the longest warranty available in the industry.
- SafeNet eToken 3400: an event-based one-time password (OTP) strong authentication card.
- SafeNet eToken 3410: a time-based one-time password (OTP) strong authentication card.
What are SafeNet OTP hardware tokens?
The following tokens are included in the SafeNet OTP hardware token product line.
- eToken PASS
- SafeNet OTP 110
- SafeNet eToken 3400 / 3410
- GOLD
- SafeNet eToken 3300 (Platinum)
The instructions in this section apply to all tokens in this list. eToken PASS is shown as an example in many of the graphics.
The button referred to throughout this section is the OTP-generating button, a common feature of all OTP hardware tokens.
Why use a SafeNet OTP token?
Until now, you have probably logged in to your organization’s resources with your user name and a fixed password. The problem is that passwords are easily compromised, putting your identity and the resources you access at risk.
A SafeNet OTP token allows you to generate and use unique one-time passwords (OTPs) each time you log in to your organization’s resources. As the name implies, an OTP can be used only one time. Each time you log in, you use your SafeNet OTP token to generate a unique OTP.
Before you can log in using your token, you must activate it through self-enrollment. The self-enrollment process is described in the section What are SafeNet OTP Hardware Tokens?. Do not use your token until you have completed token self-enrollment.
How does a SafeNet OTP token protect me?
Password theft is a common method that thieves and hackers use to steal identities and gain unauthorized access to networks and resources. Success depends on the stolen password being valid, in the same way that credit card theft relies on the card being usable until it is reported as stolen. Discovering the compromise is almost impossible until damage has been done.
Using a SafeNet OTP token solves this problem, because once you have logged in using an OTP, that password is no longer valid. Any attempt to log in by reusing the OTP will fail, and it will alert your network security professionals to a possible attack on your identity.
What additional security features does my token offer?
Depending on your organization’s policies, your SafeNet OTP token may be protected against unauthorized use by a server-side Security PIN that is known only to you. Like a bank card, a thief not only needs access to your token, but must know your PIN as well. Do not share your PIN with others.
When you log in using a generated Token Code, you may be required to enter a server-side Security PIN (also known as an OTP PIN) together with the Token Code. Your organization’s policies determine the order in which you must enter the Token Code and your Security PIN.
You may receive a Security PIN from your administrator. During self-enrollment, you may be required to create a new Security PIN.
What is the difference between a Token Code and an OTP?
Your SafeNet OTP token generates a new Token Code each time you press the button on the token. The combination of your Security PIN (if required) and the generated Token Code forms the OTP. For example:
OTP for Login, PIN Required

Security PIN | Token Code | Prepended PIN | Appended PIN |
---|---|---|---|
6666 | 12345678 | 666612345678 | 123456786666 |
6666 | 4Kz6-71R | 66664Kz6-71R | 4Kz6-71R6666 |
Successive attempts to log in with an incorrect OTP will automatically lock your token’s account, preventing access, and allowing your network security professionals to deal with the threat.
What is self-enrollment?
Self-enrollment is a simple process during which you activate your token. During the process, you may be required to enter or create a Security PIN. When you complete the self-enrollment process, you will be able to use your token to generate OTPs for login.
What if I have not received a self-enrollment email?
If you have not received a self-enrollment email, contact your help desk to arrange for a new email to be sent to you.
How do I self-enroll my token?
The instructions in this section apply to all SafeNet OTP hardware tokens described in this section. An eToken PASS token is shown in the graphics as an example.
The self-enrollment process begins when you receive your self-enrollment email notification. The email contains instructions and your enrollment URL.
To self-enroll your token:
- Open the self-enrollment email and read the instructions.
- Open a web browser, and navigate to the self-enrollment site URL included in the email.
  At the self-enrollment site, you are prompted to enter your token serial number. This is the number found on the back of your token.
  The serial number should be entered as displayed on the back of the token label, respecting case sensitivity and special characters.
- Copy the serial number, and ensure it is accurate. Click Next to continue.
  You are prompted to enter an OTP. Depending on your organization’s policies, you may be required to enter a Security PIN together with the code generated on your token. Your organization’s policies determine the order in which you must enter the Token Code and the PIN.
- Firmly push and then quickly release the button on the face of your token. A unique Token Code is generated and displayed.
- Type the Token Code into the OTP field, together with the PIN, if required. Do not leave any spaces. Click Next to continue.
- Depending on your organization’s policies, you may be prompted to enter and verify a new Security PIN.
  Enter a Security PIN that only you will know. You will need to enter this PIN every time you log in. Your Security PIN must meet the length and composition requirements set by your organization’s policies.
  If the PIN fields do not match, or if the PIN does not meet security requirements, a red asterisk (*) is displayed next to the input fields.
- Click Next to continue.
  The final window confirms that you have completed enrollment.
  Click Close.
You can now use your token to log in to your organization’s protected networks and resources.
How do I configure my token on SAS?
- Click Virtual Servers > Tokens > Import SafeNet Tokens.
- Click the Choose File button in the Import File field.
- Browse to the file location and double-click the file to be imported.
  The filename is displayed in the Selected File field and you are prompted to enter the password.
- Type your password in the Password Required field.
- Click Import. SAS displays the success message and the total number of tokens added.
- (Optional) Click Save Log to save the import results to your default web browser Download folder.
- Click the Tokens module. The Search section displays.
- Select eToken from the drop-down menu in the Token Type field.
- Click Search. A list of the search results displays.
How do I use my SafeNet OTP token to log in?
When you need to log in, firmly push and then quickly release the button on the face of your token. A unique Token Code is generated, and it is displayed for 30-90 seconds, depending on your organization’s policies. Copy it into the appropriate password or OTP field. Depending on your organization’s policies, you may need to enter a personal Security PIN either before or after the Token Code.
In the example below, the Security PIN 1427 is required before the token code.
What if my token shuts off while I am copying the Token Code?
If your token shuts off while you are entering the Token Code, simply generate a new Token Code by firmly pressing the button and quickly releasing it.
How do I use my GOLD and Platinum tokens in Challenge-Response mode?
If you are using a challenge-response type token, do the following:
- Enter the PIN into your GOLD or Platinum tokens.
  The token displays Challenge? on the device.
- Enter the challenge provided on the SAS server into the Challenge Code field on the device.
  Both tokens generate an OTP to be used for authentication.
Use the steps above to enter a Token PIN in the GOLD and Platinum tokens.
How does event-based OTP authentication work?
For event-based OTP authentication, the system calculates the one-time password that should follow the one-time password saved from the last successful authentication.
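The server-side check described above, combined with the PIN-plus-Token-Code format and the lockout behaviour covered earlier in this section, as an added example that is not SafeNet or SAS code. It assumes the token implements OATH HOTP (RFC 4226); the `TokenAccount` class, the prepended-PIN policy, the look-ahead window of 5 and the lockout threshold of 3 are illustrative assumptions.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TokenAccount:
    """Server-side record for one event-based token (policy values are assumed)."""
    def __init__(self, secret, pin, counter=0, window=5, max_failures=3):
        self.secret, self.pin = secret, pin
        self.counter = counter            # next counter value the server expects
        self.window = window              # look-ahead for unused button presses
        self.max_failures = max_failures  # successive failures before lockout
        self.failures = 0
        self.locked = False

    def verify(self, otp: str) -> bool:
        """Check a prepended-PIN OTP (Security PIN + Token Code, no spaces)."""
        if self.locked:
            return False
        pin, code = otp[:len(self.pin)], otp[len(self.pin):]
        pin_ok = hmac.compare_digest(pin.encode(), self.pin.encode())
        # Search forward only: a code at or before the last successful
        # authentication is never in range, so a reused OTP is rejected.
        match = None
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c).encode(), code.encode()):
                match = c
        if pin_ok and match is not None:
            self.counter = match + 1      # resynchronise past the accepted code
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= self.max_failures
        return False
```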
How do I enter a Server-side PIN with my GOLD and Platinum token?
If you are using a challenge-response type token, do the following:
- Click Policy > Token Templates.
- In the Token Templates panel, select Gold under the Token Type field, and click Edit.
- Under PIN Policy, select one of the options below in the PIN Type field:
  - Server-side User Select
  - Server-side Server Select
  - Server-side Fixed
- Select Random if you want the SAS server to randomly provide the PIN, or Fixed, if you want to specify a static PIN.
  The Initial PIN is provided only after the self-enrollment process has been completed.
- Get the Initial PIN by going to Virtual Servers > Policy > Token Policies > Token Template > Tokens.
- Enter the Initial PIN plus the OTP generated by the GOLD and Platinum tokens when authenticating.
How do I add a hardware token to the Self-Service portal?
- In the SAS console, go to Self-Service > Configure Self-Service Modules.
- Select Request A Token in the Module field.
- Select Token Type in the Page field.
- Click Add Token Type. A Token Type row is added.
- Click the drop-down arrow and select the relevant token type from the list.
- Select the check box on the left, and click Apply.
What are my responsibilities?
Using your SafeNet OTP token provides strong security, and simplifies your work efforts by reducing or eliminating the need to remember or periodically change passwords. As an additional measure, observe the following tips to ensure the highest level of security.
Where should I store my token?
You should keep your token separate from your computer. Do not leave it on your desk, or with your computer bag. Treat it as you would your wallet, purse, or credit cards, and keep it with you at all times.
What if I lose my token?
If you lose your token, report it immediately to your help desk. The help desk will take the necessary actions to ensure the lost token does not present a security risk, and they will provide you with a temporary alternative for logging into the network until you receive a replacement token.
What if I forget my token?
Your token is a primary security device designed to protect you and the resources you access. Keep it with your car keys or purse or other valuable items that you use on a regular basis to minimize the potential to forget it. If you do forget your token, contact your help desk.
How should I protect my personal security PIN?
If you have a PIN, protect it just as you would the PIN for your bank or credit card. Never share it with anybody, including people you trust. Never write down your PIN.
How can I change my security PIN?
If you wish to change your Security PIN, or if you are concerned that it has been compromised, go to your organization’s self-service web site, and select the Change PIN option. Authenticate by entering your username and an OTP (your current Security PIN together with a Token Code). After authenticating, you will be prompted to enter and verify a new Security PIN.
What if I forget my security PIN?
If you forget your Security PIN, contact your help desk. Upon verifying your identity, the help desk will give you a temporary PIN. The next time you log in, you will be required to change the PIN to one known only by you.
What if I cannot log in using my token?
The most common cause of a failed login is copying the Token Code incorrectly. Never attempt to reuse a Token Code, and always ensure that you enter the Token Code exactly as displayed on the token. Be sure to include upper- and lower-case letters and punctuation characters.
If your organization requires you to enter a Security PIN together with the Token Code, ensure that it is entered correctly and that no spaces are entered.
Contact your help desk to resolve login issues.
How long will my token continue to operate?
There are several factors that affect the battery life of a token. Your token should continue to function for five to 12 years before token replacement is required. Roughly two to three months before the battery is exhausted, a low battery warning will display for three to four seconds before each Token Code is displayed. You should contact your help desk as soon as possible when this warning appears. Your help desk will provide you with further instructions at that time.
Thinking green
Never discard your token. It contains a battery and other materials that should be recycled or disposed of in an eco-friendly manner. Contact your help desk for proper disposal instructions.