This guide is for the Android and iPhone NFC burner apps and the command line burner app used with the first generation TOTP tokens. If you are using the Windows app with the second generation tokens, this process can be replaced by the automatic bulk provisioning feature of the Token2 NFC Burner for Windows v0.2.
With the Azure MFA OATH tokens functionality, you are expected to receive a CSV file from us and upload it to the Azure portal (this feature requires an Azure AD Premium license, P1 or P2). With classic tokens, this file contains the factory-set seeds, and those seeds cannot be modified.
Unlike classic tokens, programmable tokens let you set the seeds yourself using one of our NFC Burner or USB Config tools. This ensures that only you have the seeds. Other use cases include: reusing a hardware token that was previously enrolled in a different system, using a previously owned device, and cases where there is no possibility to request seeds directly from Token2 (e.g. if the tokens were bought from indirect resellers).
In this guide, we describe how this can be achieved using our TOTPToolset app.
1. You can use either the online version of TOTPToolset or download and launch Token2 TOTP Toolset - local. You may want to run this app on a computer that is fully offline (or firewalled) to be sure no information is transferred to third parties.
2. Install one of the provisioning apps to be used with your token. Please use this page to find the corresponding version.
After the app has been installed, you can set the device to flight mode with Bluetooth, Wi-Fi and cellular data off to ensure no data is transferred outside.
3. Generate a random seed using Token2 TOTP Toolset. You can generate it using the standard method or the "true random" method, which relies on an online randomization service.
Important: Do not start the process without clicking on one of the randomization options. The default seed shown on the page is not randomized.
4. After the seed is generated, burn it to the token using the provisioning app (NFC Burner or USB Config tool).
5. Verify that the OTP shown on the device matches the OTP value shown on the TOTP Toolset.
Important: If your OTP is not displayed on the virtual token, look in the table beneath it. You can also try to increase the skew value (which is ± 4 by default). If the skew is more than 420 seconds, it is highly recommended to adjust the time on the token where possible, as the time drift tolerance in Azure MFA is 450 seconds.
6. Enter the serial number of your token and the username in UPN format into the relevant fields on the TOTP Toolset and click on the " ⇲ append to CSV" button.
7. Repeat steps 3 to 6 for every token you are provisioning.
8. Click on the "save as file" button and save your MFA CSV file.
9. Import the CSV to Azure MFA as described in this guide.
10. Your tokens are ready to be activated for users.
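As an added example (not Token2's own code) of the generate, verify and append steps above, this Python script produces a random base32 seed, checks a code read off the token against the expected TOTP within a configurable skew window and flags drift beyond the 450-second Azure MFA tolerance, and writes rows in the Azure MFA OATH hardware token CSV layout (header `upn,serial number,secret key,time interval,manufacturer,model`, as documented by Microsoft). The UPN, serial number and model values in the test are constructed placeholders.

```python
import base64
import csv
import hashlib
import hmac
import io
import secrets
import struct
import time

AZURE_DRIFT_TOLERANCE_S = 450  # time drift tolerance of Azure MFA, per the guide
STEP_S = 30                    # TOTP time step of the tokens

def generate_seed(nbytes=20):
    """Fresh seed from the OS CSPRNG, base32 encoded (the form burner apps and the CSV take)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()

def hotp(seed_b32, counter, digits=6):
    """RFC 4226 HOTP (HMAC-SHA1) for one counter value; tolerates spaces/lowercase/missing padding."""
    clean = seed_b32.replace(" ", "").upper()
    key = base64.b32decode(clean + "=" * (-len(clean) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(seed_b32, at=None, step=STEP_S):
    """RFC 6238 TOTP: HOTP over the (current or given) Unix time divided into steps."""
    return hotp(seed_b32, int((time.time() if at is None else at) // step))

def find_skew(seed_b32, device_otp, at=None, skew=4, step=STEP_S):
    """Verification step: search +/-skew steps (4 by default, like the toolset) for the step
    that produced the code on the token. Returns (drift_seconds, within_azure_tolerance) or None."""
    base = int((time.time() if at is None else at) // step)
    for delta in range(-skew, skew + 1):
        counter = base + delta
        if counter >= 0 and hmac.compare_digest(hotp(seed_b32, counter), device_otp):
            drift = delta * step
            return drift, abs(drift) <= AZURE_DRIFT_TOLERANCE_S
    return None

def build_azure_csv(tokens, manufacturer="Token2", interval=STEP_S):
    """Azure MFA OATH token CSV: header plus one row per (upn, serial, seed_b32, model) tuple."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["upn", "serial number", "secret key", "time interval", "manufacturer", "model"])
    for upn, serial, seed_b32, model in tokens:
        w.writerow([upn, serial, seed_b32, interval, manufacturer, model])
    return buf.getvalue()
```

A device code that is only found with a large skew value (more than 14 steps of 30 seconds) will fail at Azure MFA even though it matches here, which is why the function reports both the drift and whether it is within tolerance.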