Duo supports authentication using one-time password (OTP) hardware tokens such as Deepnet SafeID. There are 2 types of OTP tokens, event-based (HOTP) and time-based (TOTP), and Duo can support both event-based and timed based tokens. However, Duo does not support TOTP token drift or TOTP resync. As a result, TOTP tokens may eventually fall out of sync and generate invalid passcodes. Therefore, in long run, event-based token works better with Duo.
Deepnet SafeID provides both event-based and time-based tokens. Below is the list of SafeID tokens:
Import Hardware Tokens
Frist obtain you seed data using the instructions in the following guide (in step 4 select "Duo CSV");
To import hardware tokens into Duo, follow the steps below.
1 - Log in to the Duo Admin Panel
2 - Click 2FA Devices in the left sidebar, then click Hardware Tokens. A list of hardware tokens is shown, along with the attached end user, if any.
3 - Click the Import Hardware Tokens button
4 - Select the correct Token type, (i.e. for Safeid/Eco tokens select "HOTP 6-digit", and for all other Safeid tokens select "TOTP-6 digit").
5 - Open the SafeID token seed file received from Deepnet Security in a text editor such as Notepad
6 - Copy the entire content and paste it in to the CSV token data box in the Duo portal
7 - Click Import Hardware Tokens button
Assigning Hardware Tokens
Once tokens have been uploaded the will need to be assigned to users using the following instructions;
2 - Click on the serial number of a token to access the token's properties page, e.g 10001002
3 - On the token's properties page, scroll down to the Users table and click the Attach User button.
4 - Select a Duo user from the drop-down list and click Attach.
5 - The token's properties page now lists the attached user.
Synchronising HOTP Hardware Tokens
If you are using SafeID/Eco event based tokens (HOTP), then if you find that the OTP codes generated by the token are rejected by Duo during authentication, you may find that you need to synchronise the tokens using the following procedure;
To resynchronize a HOTP hardware token:
Log in to the Duo Admin Panel, click 2FA Devices in the left sidebar, and then click Hardware Tokens.
Click on the Serial Number of a token to access the token's properties page. Once on the token's properties page, click the Resync Token button near the top of the token's properties page.
Enter the code displayed on the token as the 1st code. Advance to the next token code and enter that number as the 2nd code. Advance to the next token code one more time and enter that number as the 3rd code. Click the Resync Hardware Token button after entering all three token codes.
Please note that only event based HOTP tokens (SafeID/Eco) can be synchronised with Duo as Duo currently doesn't support synchronising TOTP tokens.
Deleting Hardware Tokens
Tokens that have been previously imported into Duo can be removed using the following procedure;
Caution: Deleting a token in this manner removes it from all associated users immediately. If those users still need to authenticate to Duo, ensure that they have another authentication device attached to their user accounts.
To delete a third-party hardware token:
Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar. Then click Hardware Tokens.
Click on the Serial Number of a token to access the token's properties page. Once on the token's properties page, click the Delete Hardware Token button near the top of the token's properties page.
Confirm deletion of the hardware token.
Related Articles
- SafeID Hardware Tokens
- How to request token seed or secret file
- Assign a hardware token to an end user in Duo
- Resynchronize Tokens in Duo
- Delete Tokens in Duo