Introduction

Whilst FIDO keys are normally used to authenticate in FIDO mode, they can also be used as an OTP source (a VPN is one example where you may want to use a FIDO key to generate event-based OTP authentication codes).

Our SafeKey FIDO range has different specifications, but all models can be programmed as a source of event-based OTP codes (HOTP).

To program the SafeKey/Classic security keys as an OTP token, you need to use the SafeKey/Classic OTP Programming Tool.

Click the link below to download the tool and unzip it into a folder on your local hard drive.

SafeKey/Classic OTP Programming Tool

Preparing the key for OTP generation

Follow the steps below to program a SafeKey/Classic key to produce an OTP code each time the key is touched;


1. Launch the SafeKey/Classic Programming Tool, and the following window will open;


2. Insert your FIDO key into a USB port on your PC; the tool will read the token details from the key and display them in the "Tokens" section;


3. Press the button, then select Algorithm "HOTP", Hash "SHA-1" and Digits "6" (since the "HOTP" algorithm is event-based, no time interval needs to be specified);


4. The serial number defaults to the serial number read from the token (a random serial number can be created instead if required).


5. You now need to generate a random seed for the token by clicking on the (indicated below);


6. A new seed will now be generated (in HEX form) and the token details can now be written to the token by clicking on ;

The key will now flash red.

Touch the key to start transferring the token details to it.


7. To generate an OTP, press the button;

The key will flash; you must touch the key to complete the operation.


To continue programming more USB keys, remove the programmed key, then repeat steps 2 to 7 for each additional key.

Once all keys have been programmed, close the tool.

Locating the automatically created seed file

The SafePass programming tool generates the following files (in the same folder the tool is run from);

File name     Comment
tseeds.csv    CSV for TOTP tokens, in the Azure MFA format. The token secret is encoded in BASE64.
tseeds.xml    XML for TOTP tokens, in the DualShield MFA format.
hseeds.csv    CSV for HOTP tokens, in a general-purpose format. The token secret is encoded in HEX.
hseeds.xml    XML for HOTP tokens, in the DualShield MFA format.

The file "tseeds.xml" is suitable for uploading to DualShield but may include details from previously scanned tokens.

Once the tokens have been uploaded to DualShield, the generated seed files should either be deleted or moved to a secure storage location, as they contain the token secrets in clear.

Manual creation of the seed file

Alternatively, an XML file can be created with a text editor and populated before each seed is burned.

Open a text editor and copy and paste the following text into the editor;

Token Seed File
<?xml version="1.0"?>
<data>
	<header>
		<manufacturerCode>DN</manufacturerCode>
		<productCode>SE</productCode>
		<encode>HEX</encode>
		<encrypt>NONE</encrypt>
		<crypto>HmacSHA1</crypto>
		<digits>6</digits>
	</header>
	<tokens>
		<token>
			<serial>129301829</serial>
			<seed>7F6F1195DCED43DEC02C0680B7DE46504A9EB4BD</seed>
		</token>
	</tokens>
</data>

The data in the above example must be replaced with the serial number and seed data generated by the tool.

For the first token, replace the example serial number "129301829" and seed "7F6F1195DCED43DEC02C0680B7DE46504A9EB4BD" with the serial number and seed (in HEX form) generated by the tool.

If additional tokens are prepared, create an additional token section for each one (see the example below);

Token Seed File
<?xml version="1.0"?>
<data>
	<header>
		<manufacturerCode>DN</manufacturerCode>
		<productCode>SE</productCode>
		<encode>HEX</encode>
		<encrypt>NONE</encrypt>
		<crypto>HmacSHA1</crypto>
		<digits>6</digits>
	</header>
	<tokens>
		<token>
			<serial>129301829</serial>
			<seed>7F6F1195DCED43DEC02C0680B7DE46504A9EB4BD</seed>
		</token>
		<token>
			<serial>222222222</serial>
			<seed>A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2</seed>
		</token>
		<token>
			<serial>333333333</serial>
			<seed>A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2</seed>
		</token>
	</tokens>
</data>
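As an added example (not code from the programming tool or from DualShield), the following Python parses a seed file in the layout above, checks that the header and seed lengths match what the tool writes, and computes the HOTP codes a key should produce for a given counter, so an imported seed can be checked against the key before the token is assigned; it also shows the HEX to BASE64 re-encoding that distinguishes hseeds.csv from tseeds.csv. The sample serials and seeds are constructed (one is the RFC 4226 test secret), not real tokens.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample in the seed-file layout shown above: the first seed is the page's example, the
# second is the RFC 4226 test secret "12345678901234567890" in hex, so its codes can be checked.
SEED_XML = """<?xml version="1.0"?>
<data>
  <header><manufacturerCode>DN</manufacturerCode><productCode>SE</productCode>
    <encode>HEX</encode><encrypt>NONE</encrypt><crypto>HmacSHA1</crypto><digits>6</digits></header>
  <tokens>
    <token><serial>129301829</serial><seed>7F6F1195DCED43DEC02C0680B7DE46504A9EB4BD</seed></token>
    <token><serial>222222222</serial><seed>3132333435363738393031323334353637383930</seed></token>
  </tokens>
</data>"""

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def load_seed_file(xml_text: str) -> list:
    """Parse the seed file; only the HEX / NONE / HmacSHA1 header the tool writes is accepted."""
    root = ET.fromstring(xml_text)
    hdr = root.find("header")
    settings = (hdr.findtext("encode"), hdr.findtext("encrypt"), hdr.findtext("crypto"))
    if settings != ("HEX", "NONE", "HmacSHA1"):
        raise ValueError(f"unsupported header settings: {settings}")
    digits = int(hdr.findtext("digits", "6"))
    tokens = []
    for tok in root.iter("token"):
        secret = bytes.fromhex(tok.findtext("seed", "").strip())
        if len(secret) != 20:  # the page's example seeds are 20 bytes (160 bits), the HMAC-SHA1 key size
            raise ValueError(f"serial {tok.findtext('serial')}: expected 20-byte seed, got {len(secret)}")
        tokens.append({"serial": tok.findtext("serial", "").strip(), "secret": secret, "digits": digits})
    return tokens

def expected_codes(token: dict, start: int = 0, count: int = 3) -> list:
    """Codes for counters start..start+count-1; compare with what the key emits to confirm the import."""
    return [hotp(token["secret"], c, token["digits"]) for c in range(start, start + count)]

def hex_seed_to_base64(seed_hex: str) -> str:
    """Re-encode a HEX seed (hseeds.csv style) as BASE64 (tseeds.csv / Azure MFA style)."""
    return base64.b64encode(bytes.fromhex(seed_hex)).decode("ascii")
```

A freshly programmed key starts at counter 0, so the first code it emits after import should equal the first value returned by expected_codes for its serial.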


Once the file includes details for all your tokens, save the text file with a ".XML" extension.

The file will now be ready for importing into DualShield.

Importing the seed data into DualShield

Log in to the management console and navigate to "Repository | Tokens".


Click on the button, and a window titled "Import Tokens" will open;


Ensure the system token repository is selected, click on the button, then navigate to the seed file you created with the text editor and click ;


The token can now be imported by clicking on the button.

The token will import in the form of a SafeID/Event-based token as per the example below and is ready to be assigned to a user;

Assigning the token

To assign the new token to a user, left-click the context menu of the newly imported token and select "Assignments";

A new window titled "Token Assignments" will open; click on the button and select the domain that contains the user to whom the token will be assigned;

Use the icon to select the user the token is to be assigned to then click

After the token has been assigned, the user may use the SafeKey token as a source of OTP codes when authenticating with OTP authentication.
