Time-based hard tokens (classic TOTP tokens) are supported in ESET Secure Authentication from version 2.7.32.0.
Token2 TOTP tokens are fully compatible with ESET 2FA; both classic tokens and programmable tokens with unrestricted time sync can be used. The difference between these two types is that with classic tokens resyncing should be done by administrators via the ESA Web Console only, whereas with programmable tokens end users can do it themselves by adjusting the time on the token.
To use and manage hard tokens, see the instructions below.
1. In the ESA Web Console, click Hard Tokens.
2. Select the Enabled checkbox if it has not been selected by default.
3. Click the Import Hard Tokens button.
4. Before continuing to this step, you need to have the seeds file obtained from Token2.
Token2 provides the XML file in PSKC format without password protection, so no password is required when importing the file into the ESET Web Console. The file itself can be transferred in encrypted form (you need to submit your public key when requesting the seeds).
To request the factory-set seeds in PSKC XML format, follow the instructions below:
Select the file sent by Token2 to import.
5. Click the Import tokens button.
6. A result notification will pop up indicating how many hard tokens were imported, and the imported hard tokens will be displayed.
1. In the ESA Web Console, click Users.
2. Click the name of the appropriate user.
3. Click the toggle next to Hard Token and select a hard token from the list.
4. Click Save.
Revoking a hard token for a user will also disable that user for hard token authentication.
1. In the ESA Web Console, click Hard Tokens.
2. Select the appropriate tokens and click Revoke.
1. In the ESA Web Console, click Hard Tokens.
2. Select the appropriate tokens and click Delete.
A hard token can fall out of sync with the system. This happens when the internal clock of a time-based hard token drifts, and a resynchronization is then required. For programmable hardware tokens with unrestricted time sync, this can be done using the NFC burner app without the need to use the ESA Web Console (i.e. by the end users themselves). Please note that programmable tokens with restricted time sync do not support adjusting the time only; they have to be fully reprovisioned.
A classic token can be resynchronized as follows:
1. In the ESA Web Console, click Hard Tokens.
2. In the appropriate row, click , and select Resynchronize Hard Token.
3. Generate and enter two consecutive OTPs using the selected hard token.
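The sketch below is an added example, not code from ESET or Token2, showing how a server can use two consecutive OTPs to measure a token's clock drift under RFC 6238. The 30-second step, SHA-1, 6 digits, the search window and the function names `resync` and `verify` are assumptions; the secret is the public RFC 4226 test value, and the 10-minute drift is constructed.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default; assumed for this token)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; TOTP is HOTP with counter = unix_time // STEP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def resync(secret, otp1, otp2, server_time, window=2000):
    """Return the token's drift in time steps (token minus server), or None.

    One 6-digit code searched over 2*window+1 steps would match by chance
    too often; requiring the next step's code as well makes that negligible.
    """
    now = server_time // STEP
    for drift in sorted(range(-window, window + 1), key=abs):  # smallest first
        c = now + drift
        if c >= 0 and hmac.compare_digest(hotp(secret, c), otp1) \
                and hmac.compare_digest(hotp(secret, c + 1), otp2):
            return drift
    return None

def verify(secret, otp, server_time, drift=0, skew=1):
    """Normal login check: narrow +/-skew window around the corrected step."""
    now = server_time // STEP + drift
    return any(hmac.compare_digest(hotp(secret, now + s), otp)
               for s in range(-skew, skew + 1))

# Constructed sample: RFC 4226 test secret, token clock running 10 minutes slow.
SECRET = b"12345678901234567890"
SERVER_TIME = 1_700_000_000
TOKEN_STEP = (SERVER_TIME - 600) // STEP
OTP1, OTP2 = hotp(SECRET, TOKEN_STEP), hotp(SECRET, TOKEN_STEP + 1)

if __name__ == "__main__":
    d = resync(SECRET, OTP1, OTP2, SERVER_TIME)
    print("drift (steps):", d)
    print("login before resync:", verify(SECRET, OTP1, SERVER_TIME))
    print("login after resync:", verify(SECRET, OTP1, SERVER_TIME, drift=d))
```

The wide search window belongs only on the administrator-driven resync path; everyday verification keeps the narrow skew so that a guessed code has few steps to match against.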