Using Token2 TOTP hardware tokens with WatchGuard AuthPoint

About AuthPoint

AuthPoint is WatchGuard's multi-factor authentication (MFA) service. With AuthPoint, you can require users to authenticate with the AuthPoint mobile app or a third-party hardware token when they log in to a protected resource, such as a computer, VPN, or a cloud service or application.

In addition to WatchGuard's own devices, AuthPoint also supports any OATH TOTP compliant third-party hardware tokens. In this article we will explain how to request the seeds for your hardware tokens in a WatchGuard-compatible format.

Requesting seeds

After your order has been physically delivered, you can request the seeds for the tokens in multiple formats, including a WatchGuard-compatible PSKC file (RFC 6030) encrypted with a key file.

⚠ Important: by submitting this seed request you are confirming that the physical products of your order have been successfully delivered. Requesting the seeds before delivery is not recommended, as you will lose the possibility to get the products resent or a refund in case of a damaged product or failed delivery.

To request the seeds, navigate to your order page. The order page is a unique URL sent by Token2 several times (at least twice: when you pay for the order and when the order is shipped). Scroll down to the list of serial numbers and click the "Request Seeds" button.

This will redirect you to a pre-filled seed request form. You only need to specify the following:

  • Encryption method: you can use PGP by providing your public PGP or GPG key (recommended option), or, if you are not familiar with PGP, a password-protected zip file (you are expected to enter a strong password containing English letters and digits). Important: do not use both methods.

  • Secret key format: under the "Secret Key Format" section, choose the format in which you want the seeds to be sent. For AuthPoint, choose "Encrypted PSKC XML format (WatchGuard AuthPoint)".

After completing the form, click the Send button to submit your request. This sends the request and creates a support ticket assigned to one of our technical support agents. Shortly after, you will receive an update (both via email and via our support portal) with the seeds in the requested format as attachments or as downloadable links.

Please note that this process requires manual verification, but it is usually fast if the request is received within our working hours (9AM to 6PM, CET timezone). Your email address has to be listed as authorized for the order; otherwise the request will be rejected.

Importing the seed file to AuthPoint

The seeds will be sent as a zip file that needs to be unzipped to a folder on your computer (if you specified one of the encryption methods, it has to be decrypted before extracting). The folder will contain two files, an .xml file and a .bin file used for decrypting the seeds.


Log in to your WatchGuard dashboard and navigate to Configure -> AuthPoint, then click on Tokens.


Then, click on "Import Third-Party Tokens" to open the file upload dialog.

In the upload dialog, in the "Provide a key" section, choose the "upload key file" option and point to the .bin file in the folder extracted in the previous step. In the "Select a seed file in PSKC format" section, point to the .xml file in the same folder. Click the Import button to complete the process.

After the upload is completed, click the "Back" button to see the list of successfully imported hardware tokens.
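A check that can be run on the extracted .xml file before uploading it, given here as an added example (not Token2 or WatchGuard code): it lists the serial numbers in the RFC 6030 key container, compares them with the serials on the order, and flags any key whose seed is not stored as an EncryptedValue. The sample file, its serial numbers and the function name `audit_pskc` are constructed for illustration; element names follow RFC 6030 and a real export may carry additional fields.

```python
import xml.etree.ElementTree as ET

NS = {"pskc": "urn:ietf:params:xml:ns:keyprov:pskc"}   # RFC 6030 namespace
TOTP_URN = "urn:ietf:params:xml:ns:keyprov:pskc:totp"  # RFC 6030 TOTP profile

# Constructed sample, not a real export: serials and cipher text are placeholders.
SAMPLE = """<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <KeyPackage>
    <DeviceInfo><SerialNo>EXAMPLE0001</SerialNo></DeviceInfo>
    <Key Id="EXAMPLE0001" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
      <AlgorithmParameters><ResponseFormat Length="6" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data><Secret><EncryptedValue><xenc:CipherData>
        <xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
      </EncryptedValue></Secret></Data>
    </Key>
  </KeyPackage>
  <KeyPackage>
    <DeviceInfo><SerialNo>EXAMPLE0002</SerialNo></DeviceInfo>
    <Key Id="EXAMPLE0002" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
      <Data><Secret><PlainValue>UExBQ0VIT0xERVI=</PlainValue></Secret></Data>
    </Key>
  </KeyPackage>
</KeyContainer>"""

def audit_pskc(xml_text, expected_serials):
    """Return (serials_found, problems) for a PSKC key container."""
    found, problems = [], []
    for pkg in ET.fromstring(xml_text).findall("pskc:KeyPackage", NS):
        serial = pkg.findtext("pskc:DeviceInfo/pskc:SerialNo", "?", NS).strip()
        found.append(serial)
        key = pkg.find("pskc:Key", NS)
        if key is None:
            problems.append(f"{serial}: no Key element")
            continue
        if key.get("Algorithm") != TOTP_URN:
            problems.append(f"{serial}: not an OATH TOTP key")
        fmt = key.find("pskc:AlgorithmParameters/pskc:ResponseFormat", NS)
        if fmt is not None and fmt.get("Length") != "6":
            problems.append(f"{serial}: code length is not 6 digits")
        secret = key.find("pskc:Data/pskc:Secret", NS)
        if secret is None or secret.find("pskc:EncryptedValue", NS) is None:
            problems.append(f"{serial}: seed is not an EncryptedValue")
    for s in sorted(set(expected_serials) ^ set(found)):
        where = "missing from file" if s in expected_serials else "not on the order"
        problems.append(f"{s}: {where}")
    return found, problems

if __name__ == "__main__":
    serials, issues = audit_pskc(SAMPLE, ["EXAMPLE0001", "EXAMPLE0002", "EXAMPLE0003"])
    print(serials, *issues, sep="\n")
```

An empty problem list means every serial on the order is present and every seed is encrypted in the file; anything else is worth raising on the support ticket before importing.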

Assigning and activating tokens

The last step of the process is assigning a token to a user and activating it. Click the menu icon on the right of the token's row and select "Assign".

Select the user from the list (or search by name) and click the "Assign" button.

As the final action, we need to activate the token for the user it was assigned to. To activate the token, you will need physical access to it. Open the menu on the right of the token's row and select "Activate".

Then, enter the 6-digit code shown on the physical token's display and click "Activate". Successfully activated tokens should show a green dot in front of the serial number, which means the enrollment is now complete.