Both Azure MFA on-premises server and cloud service now support hardware tokens using time-based one time passcodes (OATH TOTP). Deepnet SafeKey/Classic is a USB key that supports both FIDO and OATH OTP. It can be configured to generate time-based OTP, and used with Azure MFA.

First, administrators need to seed SafePass USB keys with TOTP tokens, then upload the token seeds onto the Azure MFA server. As the SafePass USB key does not have the display function, user will use the SafePass application to display OTP generated by the SafePass USB key.

Install the OTP Programmer Tool

To program the SafeKey/Classic security keys as an OTP token, you need to use the SafeKey/Classic OTP Programming Tool. 

Click the link below to download the tool 

SafeKey/Classic OTP Programming Tool

Unzip it into a folder on your local hard drive.

Create a TOTP Token 

To create a TOTP token in a SafeKey/Classic device, follow the steps below (these instructions only apply to the NFC variants of the SafeKey/classic devices - the USB-A variant only supports the HOTP algorithm).

1. Insert a SafeKey/Classic USB key into your PC

2. Run the SafeKey/Classic Programming Tool as Administrator

3. Press the "New Token" button

The "New Token" dialog box will pop up

4. Select the option "Algorithm", e.g. "TOTP"

5. Select the option "Hash", e.g. "SHA-1"

6. Select the option "Digits", e.g. select "6"

7. Select the option "Time Interval", e.g. "30 seconds"

9. Press the "Generate" button to generate a random Seed/Secret data

Optionally, you can also generate a random Serial Number, or you can enter your own Serial Number

10. If you're programming the key for an O365 user, then you might want to enter the user's UPN in the Username box

11. Finally, press the "Save" button to save the token into the USB key.

You will see the key flashing. You must touch the key to complete the operation

To continue programming more SafeKey devices, insert a new key and repeat the Step 9 to 11.

Once all keys have been programmed, close the Tool.

Token Seed Files

The SafeKey programming tool generates the following files

File NameComment
tseeds.csvThis CSV is for TOTP tokens. It is in the format for Azure MFA. Token secret is encoded in BASE64
tseeds.xmlThis XML is for TOTP tokens. It is in the format for  DualShield MFA
hseeds.csvThis CSV is for HOTP tokens. It is in the format for general purposes. Token secret is encoded in HEX
hseeds.xmlThis XML is for HOTP tokens. It is in the format for DualShield MFA

Upload Seed File to Azure MFA

In the Admin Tool folder, you will see a file named "tseed.csv"

This is the seed file in the format required by the Azure MFA cloud service. 

This file can be directly uploaded onto the Azure MFA cloud service. 

Now, sign in to the Azure portal and navigate to Azure Active Directory, MFA Server, OATH tokens

Select "Upload" to upload the CSV file.

Depending on the size of the CSV file, it may take a few minutes to process. Click the Refresh button to get the current status. If there are any errors in the file, you will have the option to download a CSV file listing any errors for you to resolve.

Once any errors have been addressed, the administrator then can activate each key by clicking Activate for the token to be activated and entering the OTP displayed on the token.

Generating OTP

To generate OTPs, the user will need to run the SafeKey OTP Authenticator application.

Install the OTP Authenticator App

SafeKey/Classic OTP authenticator app is a desktop application that works with SafeKey/Classic USB keys to generate TOTP codes. 

Download the SafeKey TOTP app from the links below:

SafeKey OTP Authenticator for Windows

SafeKey OTP Authenticator for MacOS

Install it on your Windows PC or Mac.

Display an OTP Code

To generate an OTP code, follow the steps below.

Firstly, insert the SafeKey device into a USB port in your computer

Then, run the SafeID OTP Authenticator application as an administrator.

Your SafeKey device should now be flashing now...

Touch the SafeKey, then an OTP code will be displayed:

  • No labels