
SecureAuth Hard Token Decrypt Tool

Use this guide to install and use the SecureAuth Hard Token Decrypt Tool, which decrypts HID hard OATH tokens to enable their use in Multi-Factor Authentication.

The SecureAuth Hard Token Decrypt Tool decrypts HID hard tokens one at a time or in batches, producing the OATH seed that administrators need to provision each user account. Using the Account Management (Help Desk) realm, administrators upload a token's OATH seed to the user's profile; that seed is then used for identity validation in other SecureAuth IdP realms that protect resources.

Prerequisites

  • Identity Platform release 21.04-10 or later

  • HID Hard tokens, the .pskc package, and the secret key

  • Account Management (Help Desk) application for admin provisioning or Self-service Account Update application for end user provisioning

  • Read and understand how SecureAuth handles data related to time-based one-time passcode (TOTP) MFA using HID hard tokens in the Mobile service migration process.

Install SecureAuth Hard Token Decrypt tool

  1. From the Support Tools page, download the SecureAuth Hard Token Decrypt Tool to a Windows computer.

  2. Run the SecureAuth-Decrypt-Seed-1.0.5.exe file to install and set up the tool.

  3. Click Next.

  4. Select the installation location for SecureAuth Decrypt Seed and click Next.

    The folder path is fixed; only the drive can be changed.

  5. Confirm the settings and click Install.

  6. Wait for the installer to complete.

  7. Once the installation is complete, click Finish.


Decrypting HID hard tokens

The Decrypt Tool has the following decryption options:

  • Batch – Package of HID hard tokens, up to 25 at a time (use command-line tool)

  • Single – One HID hard token at a time (use command-line tool)

  • Online – Decrypt a single HID hard token through a web page (no command-line tool required)

Batch decryption of multiple HID hard tokens (command-line)

  1. Copy the HID token package (.pskc file) into the DecryptSeed folder.

    The batch command decrypts one package at a time.

  2. At the command prompt, cd to the \SecureAuth\DecryptSeed folder.

  3. Run the DecryptSeed command, using the following values:

    Code syntax:

    DecryptSeed.cmd /k <32 char Hex Key> /i <PSKC input file name> /o <CSV output file name>
    

    Code example:

    DecryptSeed.cmd /k 993E183A58C1287BE4E8FC3555C8438C /i 0654150_0000000794.pskc /o decryptedseeds.csv

    • Replace <32 char Hex Key> with the secret key of the HID package (one key covers every token in the package)

    • Replace <PSKC input file name> with the file name of the HID token package (.pskc)

    • Replace <CSV output file name> with the name of a new or existing output CSV file. Note that if the file already exists, the new rows are appended to it rather than overwriting it.

  4. In the DecryptSeed folder, locate the CSV output, which lists each HID hard token's serial number with its decrypted OATH Seed value. (Serial numbers are printed on the back of each HID hard token.) Because the package key and the CSV together expose every seed in the package, treat both as secrets and delete the CSV once the seeds have been provisioned.

Single decryption of a HID hard token (command-line)

  1. Copy the HID hard token package (.pskc file) into the DecryptSeed folder.

  2. At the command prompt, cd to the \SecureAuth\DecryptSeed folder.

  3. Run the DecryptSeed command, using the following values:

    Code syntax:

    DecryptSeed.cmd /s <Cipher Value of Seed> /k <32 char Hex Key>
    

    Code example:

    DecryptSeed.cmd /s JYqUGPV7OEtnRULGzyVk5rU6V4reCOiwx8c+PkcTXFaIeFpCrSvJeq9rVNVGi88a /k 993E183A58C1287BE4E8FC3555C8438C

    • Replace <Cipher Value of Seed> with the cipher value of that single HID hard token, copied from the CipherValue element for the token in the .pskc package file

    • Replace <32 char Hex Key> with the secret key of the HID package (for all tokens)

  4. The decrypted OATH Seed value is printed to the command line.
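For the single-token procedure above, the awkward step is pulling the right CipherValue out of the .pskc package for each serial number. The following Python script is an added example, not part of the SecureAuth tool: it parses a PSKC package in the RFC 6030 layout with the standard library, lists each token's serial number, passcode length, interval and CipherValue, validates the 32-hex-character package key, and prints the corresponding DecryptSeed.cmd invocations (refusing batch mode above the documented 25-token limit). It does not decrypt anything. The two-token package embedded in it is constructed for illustration: the serial numbers are made up and the cipher values are placeholder bytes of the right size (a 16-byte IV followed by 32 bytes, as in the 64-character value in the example above), not real AES output.

```python
"""Inventory an HID PSKC package (RFC 6030) and prepare DecryptSeed commands.

Added example, not part of the SecureAuth tool. No decryption is performed here.
"""
import base64
import re
import xml.etree.ElementTree as ET

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"p": PSKC_NS, "x": XENC_NS}
BATCH_LIMIT = 25                            # documented limit of the batch command
HEX_KEY = re.compile(r"[0-9A-Fa-f]{32}")    # 32 hex chars = 128-bit AES package key


def _placeholder_cipher_value(tag: int) -> str:
    """Constructed CipherValue: 16-byte IV + 32 placeholder bytes (not real ciphertext)."""
    return base64.b64encode(bytes([tag]) * 16 + bytes(range(32))).decode()


def _key_package(serial: str, tag: int, digits: int, interval: int) -> str:
    """One constructed KeyPackage element in RFC 6030 layout (values are made up)."""
    return f"""
  <KeyPackage>
    <DeviceInfo><Manufacturer>HID</Manufacturer><SerialNo>{serial}</SerialNo></DeviceInfo>
    <Key Id="{serial}" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
      <AlgorithmParameters><ResponseFormat Length="{digits}" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret><EncryptedValue>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
          <xenc:CipherData><xenc:CipherValue>{_placeholder_cipher_value(tag)}</xenc:CipherValue></xenc:CipherData>
        </EncryptedValue></Secret>
        <TimeInterval><PlainValue>{interval}</PlainValue></TimeInterval>
      </Data>
    </Key>
  </KeyPackage>"""


# Constructed sample package with two tokens; serials and cipher values are fictitious.
SAMPLE_PSKC = f"""<KeyContainer Version="1.0" xmlns="{PSKC_NS}" xmlns:ds="{DS_NS}" xmlns:xenc="{XENC_NS}">
  <EncryptionKey><ds:KeyName>Pre-shared-key</ds:KeyName></EncryptionKey>
  {_key_package("0000000794", 0x01, 6, 30)}
  {_key_package("0000000795", 0x02, 8, 60)}
</KeyContainer>
"""


def parse_pskc(xml_text: str) -> list[dict]:
    """Return one record per KeyPackage with the fields the decrypt step needs."""
    root = ET.fromstring(xml_text)
    tokens = []
    for pkg in root.findall("p:KeyPackage", NS):
        key = pkg.find("p:Key", NS)
        cipher_value = key.findtext(
            "p:Data/p:Secret/p:EncryptedValue/x:CipherData/x:CipherValue", namespaces=NS)
        if cipher_value is None:
            raise ValueError("KeyPackage has no EncryptedValue/CipherValue")
        method = key.find("p:Data/p:Secret/p:EncryptedValue/x:EncryptionMethod", NS)
        fmt = key.find("p:AlgorithmParameters/p:ResponseFormat", NS)
        interval = key.findtext("p:Data/p:TimeInterval/p:PlainValue", namespaces=NS)
        raw = base64.b64decode(cipher_value.strip())
        tokens.append({
            "serial": pkg.findtext("p:DeviceInfo/p:SerialNo", default="", namespaces=NS),
            "key_id": key.get("Id"),
            "encryption": method.get("Algorithm", "") if method is not None else "",
            "cipher_value": cipher_value.strip(),
            # XML Encryption CBC modes prepend the IV to the ciphertext inside CipherValue
            "iv_hex": raw[:16].hex(),
            "ciphertext_len": len(raw) - 16,
            "digits": int(fmt.get("Length")) if fmt is not None else None,
            "interval": int(interval) if interval else None,
        })
    return tokens


def validate_package_key(key: str) -> str:
    """The /k value: the package's pre-shared key, exactly 32 hex characters."""
    if not HEX_KEY.fullmatch(key):
        raise ValueError(f"package key must be 32 hex characters, got {len(key)}")
    return key.upper()


def single_decrypt_commands(tokens: list[dict], key: str) -> list[str]:
    """One DecryptSeed.cmd /s invocation per token, in the documented form."""
    key = validate_package_key(key)
    return [f"DecryptSeed.cmd /s {t['cipher_value']} /k {key}" for t in tokens]


def batch_decrypt_command(pskc_file: str, key: str, out_csv: str, tokens: list[dict]) -> str:
    """Batch form; refuses packages above the documented 25-token limit."""
    if len(tokens) > BATCH_LIMIT:
        raise ValueError(f"{len(tokens)} tokens; batch mode takes at most {BATCH_LIMIT}")
    return f"DecryptSeed.cmd /k {validate_package_key(key)} /i {pskc_file} /o {out_csv}"


if __name__ == "__main__":
    found = parse_pskc(SAMPLE_PSKC)
    for t in found:
        print(f"{t['serial']}: {t['digits']} digits / {t['interval']} s, IV {t['iv_hex']}")
    for cmd in single_decrypt_commands(found, "993E183A58C1287BE4E8FC3555C8438C"):
        print(cmd)
```

To use it on a real package, replace SAMPLE_PSKC with the contents of the .pskc file; the Length and TimeInterval values it reports per token are the ones the Identity Platform's passcode length and interval settings must match.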

Identity Platform configuration

There are two distinct Identity Platform application configurations required to provision and use HID hard tokens:

Provisioning

To provision (enroll) HID hard tokens, use the Hard Token button on the Help Desk or Self-Service page; these are the supported options.

Use HID hard tokens as MFA

Using HID hard tokens for multi-factor authentication in login workflows. To set this up, see Configure the login workflow policy to use HID hard tokens.

Configure hard token provisioning page

To provision HID hard tokens, enable the Hard Token button on the Help Desk or Self-Service application page:

  1. For the Help Desk or Self-Service application, go to the Advanced Settings > Post Authentication tab. Then, click the applicable link to configure the page.

  2. In the page configuration, set the Hard Token Button to Show.

  3. Save your changes.

Configure the login workflow policy to use HID hard tokens

In the New Experience, you configure the login workflow policy to use HID hard tokens. This will apply to all the applications attached to the policy under the Resources tab in the policy.

  1. For HID hard tokens, set the global passcode length and TOTP interval. See Authentication apps global MFA settings.

    Instead of using the global length and TOTP settings, you can set a different length and interval for HID hard tokens only. Use the following appSettings keys in the web.config file to override the global settings for HID hard tokens. Whichever settings apply, they must match the length and interval the tokens were manufactured with, or the passcodes will not verify.

    hidPassCodeDefaultLength

    hidPassCodeDefaultInterval

  2. In Policy configuration - Multi-Factor Methods, make sure to select the One-time passcode check box. See Manage policies.

  3. Save your changes.
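The reason the length and interval matter is that OATH TOTP derives the passcode from the seed, the time step and the digit count, so a token manufactured for one length or interval produces codes the server will reject under another. The following Python script is an added example, not SecureAuth code: it implements RFC 4226 HOTP and RFC 6238 TOTP with explicit digit length and interval (the same two parameters the global MFA settings, or the hidPassCodeDefaultLength and hidPassCodeDefaultInterval appSettings overrides, control), plus a server-side verify with a drift window, and shows that the same code is accepted only when the server's parameters match the token's. The seed is the RFC 4226/6238 test vector, not a real token seed; its hex form is assumed here as the representation of a decrypted seed.

```python
"""OATH HOTP/TOTP with explicit digit length and time step.

Added example, not SecureAuth code. Demonstrates why the server's passcode length and
interval must match the HID token's. The seed is the RFC 4226/6238 test vector.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 reference seed in hex ("12345678901234567890" in ASCII); not a real token seed.
TEST_SEED_HEX = "3132333435363738393031323334353637383930"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP-SHA1 with dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6, interval: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(T / interval)."""
    return hotp(seed, unix_time // interval, digits)


def verify(seed: bytes, candidate: str, unix_time: int, digits: int, interval: int,
           window: int = 1) -> bool:
    """Server-side check allowing +/- `window` time steps of clock drift.

    The comparison is constant-time, and a candidate of the wrong length can never
    match, so a length mismatch between token and server is an outright failure.
    """
    counter = unix_time // interval
    for c in range(counter - window, counter + window + 1):
        if c < 0:                      # no negative counters near the epoch
            continue
        if hmac.compare_digest(hotp(seed, c, digits), candidate):
            return True
    return False


def demo(unix_time: int = 1111111109) -> dict:
    """Same seed, same instant: which server settings accept the token's code."""
    seed = bytes.fromhex(TEST_SEED_HEX)
    # Token manufactured for 8 digits / 30 s (the RFC 6238 test configuration).
    token_code = totp(seed, unix_time, digits=8, interval=30)
    return {
        "token_code": token_code,
        "server_8_30": verify(seed, token_code, unix_time, 8, 30),   # matching settings
        "server_6_30": verify(seed, token_code, unix_time, 6, 30),   # wrong length
        "server_8_60": verify(seed, token_code, unix_time, 8, 60),   # wrong interval
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    live = totp(bytes.fromhex(TEST_SEED_HEX), int(time.time()))
    print("current 6-digit / 30 s code for the test seed:", live)
```

The demo's instant (1111111109) and the 8-digit code it yields are one of the RFC 6238 published test vectors, so the output can be checked against the RFC; the two rejected cases show a length mismatch and an interval mismatch respectively.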

Provision and add a HID hard token

Use the Help Desk or Self-service page to add a HID hard token.

  1. Log in to the Self-service application as the user, or log in to the Help Desk application and open the user's profile.

  2. Click Assign a HID Hard Token.

    The Add HID Hard Token dialog box displays.

  3. Enter the OATH seed for the HID hard token and click Add Device.

  4. Click Update to save your changes on the Help Desk or Self-service page.

    The user profile now contains the HID hard token data and can be used for identity validation in other Identity Platform applications for access to a protected resource.