Deepnet SafeID OTP hardware token is one of the OATH-compliant tokens officially supported by Windows Azure MFA Server. It has been widely used by Azure customers.
The latest version of Windows Azure MFA Server now supports two ways of importing hardware tokens: batch import from a CSV file, or manual entry of token details.
- Azure MFA On-Premises Server
The latest version of Azure MFA Server now supports two ways of importing hardware tokens: batch import from a CSV file or manual entry.
Importing Tokens from a File (Batch Import)
- From the Multi-Factor Authentication Server window, click the OATH Tokens icon.
- Click the Import button.
- In the Import OATH Tokens dialog, click the Browse button.
- The Open dialog will appear (this is the standard Windows Open dialog box).
- Locate the file that you want to import.
- Highlight the file and click the Open button.
- Click the OK button.
- If no errors are encountered, you will receive a message stating that the import was successful with an option to view the Import Log.
All newly imported token will now be listed in the OATH Tokens list:
Adding Tokens Manually (Single Entry)
To add an OATH token:
From the Multi-Factor Authentication Server window, click the OATH Tokens icon.
In the OATH Tokens section, click the Add button.
In the Add OATH Token dialog, enter the OATH token details.
OATH Tokens detail
Enter the serial number that uniquely identifies the OATH token assigned to the token by the manufacturer. The serial number is generally printed on the back of a token.
Enter the OATH token's secret key. This key allows the Multi-Factor Authentication Server to generate the same time-based series of OATH codes as the third-party OATH token in order to validate an OATH code entered by the user associated with the token. The key must be in base-32 format.
Enter the manufacturer of the OATH token, e.g. "DeepNet"
Enter the OATH token's model number, e.g. "SafeID"
Enter the start date of the OATH token from which it is effective.
Enter the time interval in seconds of the OATH token. The token will display a new OATH code for each time interval. For DeepNet SafeID tokens, the time interval MUST be set to 60 seconds.
Specify a valid username or click the Select User button to display the Select User dialog. When a valid username is specified and the OK button is clicked, the Synchronize OATH Token dialog will prompt for the current OATH code to synchronize the OATH token.
Click the Select User button to assign the token to a user
Click the OK button.
You will be prompted to synchronize the token
If the token is successfully imported, it will list in the OATH Tokens list:
- Azure MFA Cloud Service
Hardware tokens must be uploaded to Azure MFA service in a comma-separated values (CSV) file. Deepnet SafeID or MobileID tokens are supplied with a CSV file that includes serial number, secret key, time interval, manufacturer, and model as the example below shows.
Token Seed File
serial number,secret key,timeinterval,manufacturer,model
Azure MFA requires one extra information to be added into the CSV file: the user principal name (UPN) of each token. Therefore, you need to edit the CSV file in the text editor or Excel, and add an UPN to each of the tokens, as the example below shows.
Token Seed File
upn,serial number,secret key,timeinterval,manufacturer,model
Make sure you include the header row in your CSV file as shown above.
Now, sign in to the Azure portal and navigate to Azure Active Directory, MFA Server, OATH tokens
Select "Upload" to upload the CSV file.
Depending on the size of the CSV file, it may take a few minutes to process. Click the Refresh button to get the current status. If there are any errors in the file, you will have the option to download a CSV file listing any errors for you to resolve.
Once any errors have been addressed, the administrator then can activate each key by clicking Activate for the token to be activated and entering the OTP displayed on the token.
At the login screen, if the method “use a verification code from app” is not displayed, then the user needs to choose “Sign in another way”.
Now, select “Use a verification code from my mobile app”
Enter an OTP generated from the token in the screen bellow.
Once the OTP has been verified successfully, the user will be granted access.
Set Default Verificaftion Method
If the user just needs to use the OTP from the token as the default, then they can go to aka.ms/mfasetup and change their default method to “use verification code from app”.
This will take the user to the Enter code above as a default.
Login to aka.ms/mfasetup. The user will be asked to verified by a text message or voice call.
The system will verify the phone number with a voice call and the user needs to hit # to verify the call.
Once the user is verified, and the rest of the registration process is complete, the user needs to go back to AKA.ms\mfasetup and make sure the token shows in the profile, (see below).
Now, tick the "Authenticator app" option. Then, under "what's your preferred option?", select "Use verification code from app" as the default verification option. (Azure MFA treats the token hardware tolken the same as the app).