Using Token2 Programmable hardware tokens with Cyberark Idaptive

Idaptive provides web application single sign-on, multi-factor authentication (MFA/2FA), and analytics based around a zero trust security model. Users can use a one-time passcode (OTP) to log in to the user portal. You use a third-party authenticator (such as Google Authenticator) or the Idaptive client application to scan a QR code generated by Idaptive Identity Services and configure the OTP. Idaptive supports any authenticator app that supports the OATH TOTP standard.

As Token2 programmable tokens can act as a drop-in replacement for applications like Google Authenticator, you can use a hardware token in place of a TOTP app. This article demonstrates the process using the NFC Burner app for iPhone; the procedures for the Windows and Android apps are almost identical.

Requirements

  • Access to your Idaptive account, with a policy that allows the "Mobile Authenticator" factor active for your account
  • A Token2 programmable token (the guide below shows C301i as an example)
  • An iPhone (8 or newer) with the Token2 NFC Burner app installed. This is needed for the enrollment only; subsequent logins will only require the hardware token.

OTP Setup process

Before starting the enrollment, install the NFC Burner app on your iPhone and have the phone and the hardware token ready.

  • Log in to Idaptive user portal.

  • Click Account > Authentication Factors > Show QR Code

    The text associated with the Show QR Code button reflects the text that your systems administrator entered when they configured this feature.
  • The QR code is displayed on the screen.

  • Launch the NFC Burner app on your iPhone, tap the 'Scan QR' button and scan the QR code shown on the Idaptive enrollment page from the previous step. The seed field will be populated with the secret value in hex format.

  • Once the seed field has been filled, tap the "Burn seed" button, then turn the hardware token on and touch the top of the phone with it. The completion of the process (or any errors) will be shown in the 'Results' area. Turn the token off and on again.

  • A passcode is displayed on the hardware token. You can now enter the passcode to log in to Idaptive Identity Services. This authentication works across tenants. On the Passcodes page of the Idaptive application, you can tap the relevant code to silently send that code and authenticate for the relevant user/endpoint.
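The enrollment above hands the burner app a standard OATH TOTP secret. The following Python is added here as an illustration and is not part of Token2's or CyberArk's software; it shows what happens to that secret (base32 from the QR code to the hex seed shown in the burner app) and how an administrator can cross-check the code a freshly burned token displays before relying on it. It assumes the QR code encodes a Google Authenticator style otpauth:// URI; the sample URI, account name and secret are constructed test values, and the RFC 6238 test vectors are used to check the TOTP computation itself.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of a Google Authenticator style otpauth:// URI, assumed to be what
# the Idaptive QR code encodes. The secret is a made-up test value, not a real seed.
SAMPLE_URI = ("otpauth://totp/Idaptive:alice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Idaptive&algorithm=SHA1&digits=6&period=30")

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Split an otpauth://totp/... URI into the fields a burner app needs."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret_b32": q["secret"],
        "issuer": q.get("issuer"),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def b32_to_hex(secret_b32):
    """Base32 secret from the QR code to the hex seed, the form the burner app's seed field shows."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # otpauth URIs usually omit base32 padding; restore it
    return base64.b32decode(s).hex()


def hotp(seed_hex, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(bytes.fromhex(seed_hex), struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_hex, timestamp, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed_hex, int(timestamp) // period, digits, algorithm)


def verify_displayed_code(seed_hex, shown, now=None, digits=6, period=30,
                          algorithm="SHA1", drift_steps=1):
    """Check the code a freshly burned token displays against the seed, tolerating a small
    clock offset (the token keeps its own clock, so allow +/- drift_steps time steps)."""
    now = time.time() if now is None else now
    base = int(now) // period
    for c in range(base - drift_steps, base + drift_steps + 1):
        if c >= 0 and hmac.compare_digest(hotp(seed_hex, c, digits, algorithm), shown):
            return True
    return False


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    seed = b32_to_hex(p["secret_b32"])
    print("account:", p["label"], "| hex seed to burn:", seed)
    print("expected code right now:",
          totp(seed, time.time(), p["digits"], p["period"], p["algorithm"]))
```

If the token's code only matches with the drift tolerance, the token clock is already off from the server's; a code that matches no nearby step usually means the seed was burned incorrectly (wrong hex, or a stale QR code), and the enrollment should be repeated rather than worked around.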

