Both Azure MFA on-premises server and cloud service now support hardware tokens using time-based one time passcodes (OATH TOTP). Deepnet SafePass is a USB key that supports both FIDO and OATH OTP. It can be configured to generate time-based OTP, and used with Azure MFA.

First, administrators need to seed SafePass USB keys with TOTP tokens, then upload the token seeds onto the Azure MFA server. As the SafePass USB key does not have the display function, user will use the SafePass application to display OTP generated by the SafePass USB key.

Seeding SafePass USB Keys

To program and seed SafePass keys, you need to use the SafePass admin tool. 

SafePass Admin Tool

Click the link above to download it and save it in a folder on your hard drive.

Follow the steps below to seed a SafePass key.

  1. Insert a SafePass USB key into a PC
  2. Launch the SafePass Admin tool

3. On the option "Mode", tick both "Keyboard" and "U2F", and press "Apply" button, then press the button on the key to accept the apply action

4. On the option "Key Press", select either "Enabled" or "Disabled", and press "Apply" button to save it.

If Key Press is enabled, then the user will have to press the key button to generate a OTP.

If the Key Press is disabled, then the OTP will be displayed without pressing the key button

5. Press "New Token" button

6. On the option "Algorithm", select "TOTP"

7. On the option "Hash", select "SHA-1"

8. On the option "Digits", select "6"

9. Press the "Generate" button to generate a radom Serial Number and Seed data

You can overwrite the Serial Number if you wish with your own number

10. In the "Username" field, enter the user's UPN

11. Finally, press "Save" button to save the token into the USB key

To continue program more USB keys, insert a new key and repeat the Step 9 to 11.

Once all keys have been programmed, close the Admin Tool.


Uploading Seed File to Azure MFA

In the Admin Tool folder, you will see a file named "tseed.csv"


This is the seed file in the format required by the Azure MFA cloud service. 

This file can be directly uploaded onto the Azure MFA cloud service. 

Now, sign in to the Azure portal and navigate to Azure Active Directory, MFA Server, OATH tokens

Select "Upload" to upload the CSV file.

Depending on the size of the CSV file, it may take a few minutes to process. Click the Refresh button to get the current status. If there are any errors in the file, you will have the option to download a CSV file listing any errors for you to resolve.

Once any errors have been addressed, the administrator then can activate each key by clicking Activate for the token to be activated and entering the OTP displayed on the token.

Generating OTP

To generate OTPs, user wil need to run the SafePass application.

SafePass for Windows (64-bits)

SafePass for Windows (32-bits)

SafePass for MacOS (64-bits)

Download the app and install it on your PC

Launch the application and the OTP will be displayed: