Manage hardware token authenticators
Users assigned a hardware token can authenticate using a dynamic password (a number generated by the hardware token device) in response to an IDaaS challenge. When using RADIUS authentication, tokens support PAP/CHAP/MSCHAP and EAP.
IDaaS supports the following hardware tokens:
- Time-based token (OT). Generates a new OTP every 30 seconds.
- Time-based token (AT). Generates a new OTP using the current time as an input each time the button is pressed.
- Event-based token. Generates a new OTP each time the button is pressed.
- TokenCR. Generates a new OTP based on the token challenge displayed by IDaaS and entered into the token by the user.
IDaaS supports the following categories of hardware tokens:
- Legacy Tokens. Entrust AT Mini Tokens for customers who use Entrust Legacy tokens and are migrating from Entrust Identity Enterprise to IDaaS. See Modify legacy token settings.
- Hardware Tokens. OATH tokens that support a standard seed file. This includes Entrust CR C200 and C300 tokens, NagraID Display Cards, Yubico Yubikeys, and TokenCRs. See Modify hardware token settings.
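For the OATH tokens listed above, the following added example (not Entrust or IDaaS code) shows how a verifier can check an event-based OTP and a 30-second time-based OTP. It assumes the standard OATH HOTP (RFC 4226) and TOTP (RFC 6238) algorithms with SHA-1 and 6 digits; the function names, the look-ahead and drift values, and the seed are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds; the time-based (OT) token produces a new OTP every 30 s


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_event(seed, otp, counter, look_ahead=3):
    """Event-based token: accept counter..counter+look_ahead.

    Button presses that were never submitted move the token ahead of the
    server, so a small look-ahead is needed. Returns the next counter to
    store (so the OTP cannot be replayed) or None on failure.
    """
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(seed, c), otp):
            return c + 1
    return None


def verify_time(seed, otp, now, last_step=-1, drift=1):
    """Time-based token: accept +/- drift steps around now, reject reused steps.

    Returns the matched time step (store it as last_step) or None.
    """
    current = int(now) // STEP
    for step in range(max(0, current - drift), current + drift + 1):
        if step > last_step and hmac.compare_digest(hotp(seed, step), otp):
            return step
    return None


# Constructed sample: the public RFC 4226 test seed, not a real token seed.
SEED = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(SEED, 0))                        # event token, first press
    print(verify_event(SEED, "359152", 0))      # token two presses ahead of server
    print(verify_time(SEED, "287082", now=59))  # clock inside the second 30 s step
```

A wider look-ahead or drift window tolerates more desynchronization but also accepts more candidate OTPs per attempt, so keep both small and pair them with attempt lockout.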
Using TokenCR hardware tokens
To use a TokenCR (Token Challenge/Response) hardware token, you need to create a custom user login authentication flow that uses Token/Challenge Response for second-factor authentication. See Create authentication flows.
Topics in this section include:
Modify legacy token settings
Legacy tokens are older model tokens supported by Entrust Identity Enterprise (formerly Entrust IdentityGuard). IDaaS supports legacy tokens for the migration of Entrust Identity Enterprise users to the cloud.
Modify hardware token settings
1. Click > Policies > Authenticators. The Authenticators page appears.
Assign hardware tokens
You can assign a hardware token to a user after the token seed file is imported into your IDaaS account. A hardware token can be assigned to only one user at a time, but a user can have multiple hardware tokens. After users are assigned hardware tokens, update your resource rules as required so they can authenticate to their application accounts using hardware tokens.
Manage hardware tokens
Hardware tokens have an Active or Inactive status. Inactive tokens cannot be used for authentication. If a user misplaces their hardware token, you can disable it to reduce the risk of anyone else using it. If the user finds the token later, you can re-enable the token and it can be used again.