Both Azure MFA on-premises server and cloud service now support hardware tokens using time-based one time passcodes (OATH TOTP). Deepnet SafePass is a USB key that supports both FIDO and OATH OTP. It can be configured to generate time-based OTP, and used with Azure MFA.

First, administrators need to seed SafePass USB keys with TOTP tokens, then upload the token seeds onto the Azure MFA server. As the SafePass USB key does not have the display function, user will use the SafePass application to display OTP generated by the SafePass USB key.

Seeding SafePass USB Keys

To program and seed SafePass and SafeKey security keys, you need to use the SafePass personalization tool. 

SafePass Personalization Tool

Click the link above to download it and save it in a folder on your hard drive.

Follow the steps below to seed a SafePass key.

  1. Insert a SafePass USB key into a PC
  2. Launch the SafePass Admin tool

3. On the option "Mode", tick both "Keyboard" and "U2F", and press "Apply" button, then press the button on the key to accept the apply action

4. On the option "Key Press", select either "Enabled" or "Disabled", and press "Apply" button to save it.

If Key Press is enabled, then the user will have to press the key button to generate an OTP.

If the Key Press is disabled, then the OTP will be displayed without pressing the key button

5. Press "New Token" button

6. On the option "Algorithm", select "TOTP"

7. On the option "Hash", select "SHA-1"

8. On the option "Digits", select "6"

9. Press the "Generate" button to generate a random Serial Number and Seed data

You can overwrite the Serial Number if you wish with your own number

10. In the "Username" field, enter the user's UPN

11. Finally, press "Save" button to save the token into the USB key

To continue programming more USB keys, insert a new key and repeat the Step 9 to 11.

Once all keys have been programmed, close the Tool.

The SafePass programming tool generates the following files

File NameComment
tseeds.csvThis CSV is for TOTP tokens. It is in the format for Azure MFA. Token secret is encoded in BASE64
tseeds.xmlThis XML is for TOTP tokens. It is in the format for  DualShield MFA
hseeds.csvThis CSV is for HOTP tokens. It is in the format for general purpose. Token secret is encoded in HEX
hseeds.xmlThis XML is for HOTP tokens. It is in the format for DualShield MFA

Uploading Seed File to Azure MFA

In the Admin Tool folder, you will see a file named "tseed.csv"


This is the seed file in the format required by the Azure MFA cloud service. 

This file can be directly uploaded onto the Azure MFA cloud service. 

Now, sign in to the Azure portal and navigate to Azure Active Directory, MFA Server, OATH tokens

Select "Upload" to upload the CSV file.

Depending on the size of the CSV file, it may take a few minutes to process. Click the Refresh button to get the current status. If there are any errors in the file, you will have the option to download a CSV file listing any errors for you to resolve.

Once any errors have been addressed, the administrator then can activate each key by clicking Activate for the token to be activated and entering the OTP displayed on the token.

Generating OTP

To generate OTPs, the user will need to run the SafePass application.

SafePass TOTP app is a desktop application that works with SafePass and SafeKey FIDO keys to generate TOTP codes. 

Download the SafePass TOTP app from the links below:

SafePass for Windows (64-bits)

SafePass for Windows (32-bits)

SafePass for MacOS (64-bits)

Install it on your PC:

The application has to be executed as an administrator

Related Articles