Using programmable TOTP hardware token with Salesforce MFA

If your company requires multifactor authentication (MFA) for increased security when you log in or access connected apps, reports, or dashboards, use a code from the app. If MFA is turned on, and you haven’t set up a verification method yet, you’re prompted to register the next time you log in to Salesforce.

As our programmable hardware tokens act as a drop-in replacement for TOTP apps, you can enroll a hardware token for use with Salesforce MFA.

⚠ Please note that the recommended MFA method for Salesforce is security keys. Use TOTP hardware tokens in situations where security keys are not feasible, e.g. if you cannot use a USB port, or if the security keys option is not enabled for your organization.

Requirements

  • A Salesforce account (regular, no admin rights needed)
  • A Token2 programmable token (the guide below shows the C301i as an example)
  • An iPhone with NFC enabled. This is needed for the enrollment only; subsequent logins require only the hardware token

The steps below describe the process using an iPhone and a C301i token, but please note that the same operation can be done with any of our programmable tokens and supported platforms (i.e. Android or Windows) with minor differences.

1. Install the provisioning tool

Download and install the supported provisioning app for your device type. Refer to this page to find the correct app for your token and the operating system. For our example, we selected the C301i as the token model and iPhone as the platform.

The app we will be using in our case is TOKEN2 NFC Burner.


2. Check NFC connectivity

Next, make sure the app can communicate with the token. To do this, launch the NFC Burner app and click the "get token data" button. The app will open the NFC prompt. Then turn the token on (it should show digits or dashes on the LCD) and hold it against the top of the phone (near the speaker). If the NFC connection is established successfully, the serial number and the system time of the token appear in the 'Results' text area.

Please note that the timestamp shown by the app is in UTC and may not match your local time.

3. Enroll the hardware token

  • Click on your user avatar (top right corner) and select Settings

  • From the user settings page, click on 'Advanced User Details', then in the right-hand pane find 'App Registration: One-Time Password Authenticator' and click 'Connect'

  • For security purposes, you’re prompted to log in to your account
  • On the next window, Salesforce shows a QR code similar to the one shown below

  • Now, on your iPhone, launch the TOKEN2 NFC Burner app and click the 'scan QR' button
  • Point your iPhone camera at the QR code shown by Salesforce
  • Once the app detects the QR code, the Seed field is populated with the hex value of the TOTP secret encoded in the QR image

  • Then click the "Burn" button, turn the token on and hold it against the top of the phone when prompted

  • Make sure the results area shows 'seed successfully applied'
  • Turn the token off and on again to generate a new OTP
  • In the Salesforce window, enter the 6-digit OTP shown on the token and click Connect

  • If the process was completed correctly and the code is accepted, you are redirected to the main page

The account is now ready to use this identity verification method. When Salesforce prompts you for the OTP code generated by the Authenticator app, just press the button on your hardware token and enter the 6 digits shown on the device.
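To illustrate what happens between the QR code and the 6 digits on the token's LCD, here is an added Python example (not Token2's or Salesforce's code) that parses the otpauth:// URI an enrollment QR code carries, converts its base32 secret to the hex seed shown in the burner's Seed field, computes the RFC 6238 TOTP, and checks a code read off the token while allowing for clock drift. The URI, account name and secret are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of the otpauth:// URI an enrollment QR code carries
# (issuer, account and secret are made-up values for this example).
SAMPLE_URI = ("otpauth://totp/Salesforce:user%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Salesforce&digits=6&period=30")


def parse_otpauth(uri):
    """Pull the TOTP parameters a provisioning tool needs out of an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret_b32": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def seed_hex_from_base32(secret_b32):
    """Base32 secret from the QR -> hex seed, the form the burner shows in its Seed field."""
    b32 = secret_b32.replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # restore the padding QR payloads usually omit
    return base64.b32decode(b32).hex()


def totp(seed_hex, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HMAC over the time-step counter, dynamically truncated to `digits`."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(bytes.fromhex(seed_hex), counter, getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def token_matches(seed_hex, shown_code, unix_time, drift_steps=1, period=30):
    """Check a code read off the token's LCD against the seed. The token keeps its own
    UTC clock, so accept +/- drift_steps; returns the matching step offset or None."""
    for step in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(seed_hex, unix_time + step * period, period=period), shown_code):
            return step
    return None
```

A non-zero step offset returned by `token_matches` tells you how far the token's clock has drifted from the verifier's; the check uses UTC, so a mismatch against the local wall clock is expected.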