TOTP Hardware tokens with ESET Secure Authentication

ESET Secure Authentication (ESA) adds Two Factor Authentication (2FA) to Microsoft Active Directory domains or local area network, that is, a one-time password (OTP) is generated and has to be supplied along with the generally required username and password, or push notification is generated and has to be approved on the user's cell phone running Android OS, iOS or Windows once the user has successfully authenticated using their general access credentials.

Time-based hard tokens (classic TOTP tokens) are supported in ESET Secure Authentication from version 2.7.32.0. 

Token2 TOTP tokens are fully compatible with ESET 2FA and both classic and programmable tokens with unrestricted time sync can be used. The difference between these 2 types is that with classic tokens the resyncing should be done by administrators via ESA Web Console only, whereas with programmable tokens this can be done by adjusting the time on the token itself by the end-users.

To use and manage hard tokens, see instructions below.

Enable and Import Hard Tokens

1. In the ESA Web Console, click Hard Tokens.

2. Select the Enabled checkbox if it has not been selected by default.

3. Click the Import Hard Tokens button.

4.  Before continuing to this step, you need to have the seeds file obtained from Token2.

Token2 provides the XML file in the PSKC format without password protection, so when importing the file to ESET Web Console no password will be required, but the file itself can be transferred in an encrypted format (you need to submit your public key when requesting the seeds).

To request the factory-set seeds in PSKC XML format, follow the instructions below:

• Open your order page (the URL was sent to your email address after the order was placed, paid or shipped)
• Find the Serial numbers box and click on "Request seeds" button
  
  
  
• On the Seed request form, enter your email address. The order ID and serial numbers should be pre-filled (contact us if the fields are empty)
• In the "Encryption" field, submit your public PGP or GPG key content (starting from --- BEGIN [..] and ending with --- END [..] strings). This is highly recommended, but optional 
• In the Secret key format section, select PSKC XML format
  
  
• Submit the form. The process requires manual verification but is usually completed within a short period of time
• You will receive the XML file as an attachment, save it to your local disk and continue with ESET Web Console

Select the file sent by Token2 to import. 

5. Click the Import tokens button.

6. A result notification will pop up indicating how many hard tokens were imported and the imported hard tokens will be displayed.

Assign Hard Token to a user

1. In the ESA Web Console, click Users.

2. Click the name of the appropriate user.

3. Click the toggle next to Hard Token and select a hard token from the list.

4. Click Save.

Revoke Hard Tokens

Revoking a hard token for a user will also disable that user for hard token authentication.

1. In the ESA Web Console, click Hard Tokens.

2. Select the appropriate tokens and click Revoke.

Delete Hard Tokens

1. In the ESA Web Console, click Hard Tokens.

2. Select the appropriate tokens and click Delete.

Resynchronize a Hard Token

There is a possibility that a hard token becomes out of sync with the system. This can happen if the internal time of a time-based hard token is out of sync. In these scenarios, a resynchronization will be required. For the programmable hardware tokens with time unrestricted sync, this can be done using the NFC burner app without the need to use the ESA web console (i.e. by the end-users themselves). Please note that programmable tokens with restricted time sync do not support adjusting the time only, they have to be fully reprovisioned.

A classic token can be resynchronized as follows:

1. In the ESA Web Console, click Hard Tokens.

2. In the appropriate row, click , and select Resynchronize Hard Token.

3.Generate and enter two consecutive OTPs using the selected hard token.