How to set up programmable SafeID OATH TOTP tokens with Salesforce

Ensuring MFA is enabled on your Salesforce account

After April 2024 it is expected that MFA will be enabled by default on all user accounts, however if your user account does not currently require MFA authentication then MFA may be enabled using the following procedure;

• Procedure to enable MFA on your Salesforce account ...

  Log in to your Salesforce account, then under your user icon click on the settings link (example below);

  

  
  

  In the left hand column, in the section "My Personal information", click on the link "Advanced User Details", and scroll down to the  setting "App Registration, One-Time Password Authenticator", and click on the "Connect" link;

  
  

  You will then be prompted to verify you account.

  

  
  

  Copy and paste the verification code sent to your email account, then click ;

  

  
  

  A QR code will now be displayed;

  

Burning Programmable tokens using a QR code

After enabling MFA on the Salesforce account you will be presented with a QR code (example below);

(this QR code is just an example and should not be used to burn onto your token)

You can use the QR code generated for your account to prepare your programmable token; for logging on to Salesforce;

• Instructions for burning the programmable token ...

  To program a SafeID/Diamond or SafeID/Pro token with a QR code, launch the SafeID/Diamond programming tool.  

  

  
  

  Click the Scan QR Code button 

  Click here for instructions on Scanning QR Codes ...

  Before you scan the QR code please ensure that the clock on your computer is displaying the correct date and time.

  You can scan the screen for a QR code, or load from a file.

  

  If you are scanning the barcode on the screen please ensure that the QR code is not obscured by other windows, and if you have more than one monitor please ensure that both the app and the QR code are displayed on the main display (display 1).

  If you still have difficulty in scanning the QR code double check you only have the one instance of the app running, and that it is the latest version of the app.  In most cases when there are issues with scanning of the QR code the most likely cause is the QR code contains the wrong data and may need to be regenerated.  To test the QR code you could check that the code works correctly with the authenticator app it is intended for (e.g microsoft authenticator), and if this fails then you know that the QR code will need to be regenerated.

  

  
  

  Select Scan Screen.

  If succeeded, the Seed box should be filled with the token's seed data.

  

  
  

  Now, select your smart card reader from the Reader drop-down list, e.g. "HID OMNIKEY 5427 CK"

  

  
  

  Press the Connect button

  

  
  

  Now, switch on a SafeID token and place it on the reader. 

  The tool will read out the token's serial number and time, and display them:

  

  
  

  If you want to correct the clock on the token, then leave the "Sync Token Clock" checked, but first ensure the time on your pc is set correctly.

  Press the Burn button

  

  
  

  The token is successfully programmed.

  Switch off the token and switch it on again to generate a new code (the token may only use the new seed after being reset)

  

  Related Articles

  • Programmable Tokens and keys
  • Hardware Tokens
  • NFC Card Reader
  • Checking and resolving time drift on a windows computer
  • How to generate QR codes for authenticator apps or programmable tokens
  • How to extract seed data from a QR code using a PC

Logging in to Salesforce when asked to connect to Saleforce Authenticator

After a user logs in to Salesforce (with MFA enabled), it is possible the user will initially be asked to connect to Salesforce Authenticator;

If you have been presented with this request then use the following procedure to change verification method to connect by an authentication app;

• Changing the authentication method to "Connect an Authentication App" ...

  Scroll down to the end of the form then click on the option "Choose Another Verification Method";

  

  You will then be presented with the available MFA authentication options, select "Use verification codes from any authentication app (such as Google Authenticator or Authy");

  

  Once this option has been selected, and after clicking on "Continue", you will presented with the form headed "Verify your Identity", and a QR code will be shown (example below);

  

Once you have this QR code you can used the procedure (described earlier) to burn the QR code onto the programmable token.

User experience when logging in to Salesforce using programmable tokens

When you log in to your Salesforce account you will be asked to verify your identity.

The following screenshots show the screens that you should expect to see when authenticating using the programmable token;

• Click here for example screens shown when logging in using the token ...

  

  Turn on your programmable token and copy the 6 digit code displayed on the token into the field "Verification Code";

  

  You will now be granted access to the your salesforce account.

Related Articles

• How to program a SafeID token with a QR code
• How to enable TOTP Authenticator App for Salesforce
• Programmable Tokens and keys
• Hardware Tokens
• NFC Smart Card Reader
• Checking and resolving time drift on a windows computer
• How to generate QR codes for authenticator apps or programmable tokens