Manage hardware token authenticators
Users assigned a hardware token can authenticate using a dynamic password (a number generated by the hardware token device) in response to an Identity as a Service challenge. When using RADIUS authentication, hardware tokens support PAP, CHAP, MSCHAP and EAP.
Identity as a Service supports the following hardware tokens:
- Time-based token (OT)—Generates a new OTP every 30 seconds.
- Time-based token (AT)—Generates a new OTP using the current time as an input each time the button is pressed.
- Event-based token—Generates a new OTP each time the button is pressed.
- TokenCR—Generates a new OTP based on the token challenge displayed by IDaaS and entered into the token by the user.
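The time-based and event-based token types listed above correspond to the OATH algorithms TOTP (RFC 6238, 30-second step) and HOTP (RFC 4226). The following is an added example, not Identity as a Service code, showing how a verifier derives and checks those OTPs from a token seed, including the counter look-ahead and replay rejection an event-based token needs; the seed is the RFC 4226 test value, constructed for demonstration.

```python
"""OATH HOTP/TOTP derivation and verification (RFC 4226 / RFC 6238)."""
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 4226 test secret); a real deployment loads
# each token's seed from the imported seed file and stores it protected.
DEMO_SEED = b"12345678901234567890"

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the counter is the number of 30-second steps since epoch."""
    return hotp(seed, unix_time // step, digits)

def verify_totp(seed: bytes, otp: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the current step plus one step either side to absorb clock drift."""
    return any(hmac.compare_digest(totp(seed, unix_time + s * 30), otp)
               for s in range(-skew_steps, skew_steps + 1))

class EventTokenVerifier:
    """Server-side state for one event-based token: the next expected counter, a
    look-ahead window so unused button presses do not desync the token, and an
    Active/Inactive flag like the token status described on this page."""

    def __init__(self, seed: bytes, look_ahead: int = 10):
        self.seed = seed
        self.counter = 0
        self.look_ahead = look_ahead
        self.active = True

    def verify(self, otp: str) -> bool:
        if not self.active:            # inactive (e.g. misplaced) tokens never authenticate
            return False
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), otp):
                self.counter = c + 1   # advance past the used value so it cannot be replayed
                return True
        return False
```

Note that a successful event-based verification moves the stored counter forward, so an OTP observed once is useless afterwards, while a TOTP is only valid within the drift window around its 30-second step.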
Identity as a Service supports the following categories of hardware token:
- Legacy Tokens—Entrust AT Mini Tokens for customers who use Entrust Legacy tokens and are migrating from Entrust Identity Enterprise to Identity as a Service. See Modify legacy token settings.
- Hardware Tokens—OATH tokens that support a standard seed file. This includes Entrust CR C200 and C300 tokens, NagraID Display Cards, Yubico Yubikeys, and TokenCRs. See Modify hardware token settings.
Using TokenCR hardware tokens
To use a TokenCR (Token Challenge/Response) hardware token, you additionally need to create a custom user login authentication flow that uses Token/Challenge Response for second-factor authentication. See Create authentication flows.
Topics in this section include:
Modify Legacy Token settings
Legacy tokens are older model tokens supported by Entrust Identity Enterprise (formerly Entrust IdentityGuard). Identity as a Service supports legacy tokens for the migration of Entrust Identity Enterprise users to the cloud.
Modify hardware token settings
1. Click > Policies > Authenticators. The Authenticators page appears.
Assign hardware tokens
You can assign a hardware token to a user once the token seed file has been imported into your Identity as a Service account. A hardware token can only be assigned to one user at a time. A user can have multiple hardware tokens. Once all users have been assigned their hardware tokens, modify your resource rules as required so that users can authenticate to their application accounts using hardware tokens.
Manage hardware tokens
Hardware tokens have an Active or Inactive status. Inactive tokens cannot be used for authentication. If a user misplaces their hardware token, you can disable it to reduce the risk of anyone else using it. If the user finds the token later, you can re-enable the token and it can be used again.