Skip to main content

SecureAuth Passcode App for Windows

Updated January 14, 2020

SecureAuth Passcode is a desktop application that generates one-time passcodes (OTPs) to use for validation during the login process.

The Passcode app must first be connected to your user profile via a SecureAuth IdP app enrollment realm before it can be used.

Once connected, the app generates a new passcode (configured for 6 or 8 digits) every 60 seconds. Input the current passcode on the login page to gain access to the resource protected by SecureAuth IdP.

You can enroll more than one Passcode account on the app and manage these accounts on the app.


Each end user can register the SecureAuth Passcode app on one computer only.

Passcode app version 19.10 or later supports optional PIN protection, which, if configured, requires you to enter your PIN to view the OTP.

For a summary of release information, see Release notes.


The following are the minimum Windows workstation requirements for end users.

Supported Windows OS versions
  • Windows 7 (32-bit or 64-bit)

  • Windows 8.1 (32-bit or 64-bit)

  • Windows 10 (32-bit or 64-bit)

Supported Windows Server OS versions
  • Windows Server 2008 R2 (32-bit or 64-bit)

  • Windows Server 2012

  • Windows Server 2012 R2

  • Windows Server 2016

Microsoft .NET
  1. From the SecureAuth product downloads page, download the SecureAuth Passcode for Windows MSI file to your desktop.

  2. Get the web address of the SecureAuth IdP app enrollment realm you should use to:

    • Enroll the app and provision it for Multi-Factor Authentication usage (if you do not have the app installed), or

    • Re-enroll the app for Multi-Factor Authentication usage if you are upgrading from version 2.0.x to version 19.10.2.

  3. Proceed to Windows installation.

Windows Server setup requirements

The following are requirements for optional roaming user profile Group Policy Object (GPO)

Roaming user profiles that are set up in Active Directory environments let users with computers joined to a Windows server domain log on another computer on the same network to access documents.

To use roaming user profiles with the Passcode app:


  • Seed and PIN values are shared by all machines with Passcode apps installed.

  • Any change to seeds, PINs, and accounts appears on other machines after the Passcode app on another machine is restarted.

  • Refer to the Multi-Factor App Enrollment (URL) realm configuration topic for additional information.

Installation configuration options

If you use the Silent install option to install Passcode on end-user workstations:

  • You can include the INSTALLDIR attribute in the silent installation syntax to install Passcode in a path other than the default location C:\Program Files (x86)\Passcode

  • You can include the ENROLLMENTURL attribute in the silent installation syntax. This pre-populates the URL in the Add Account screen the first time the end user starts the app.

Using this option:

  • You can configure the syntax to let the end user enter another web address to use instead of the one you provided.

  • You can specify the account enrollment URL to be used. This configuration means that any existing, provisioned account on the end user's machine will be deleted.

Windows installation

Follow the installation steps for the Windows desktop.

  1. Find the Passcode application you downloaded.

  2. Choose either Wizard install or Silent install and follow the instructions for that option.


    The silent install option uses the Windows Command Line Interface (CLI) and requires administrator permissions. Be sure you have the syntax from the administrator before proceeding.

Wizard install

  1. Double-click the Passcode .msi file to start the InstallShield Wizard.

  2. Click Next to continue.

  3. Review the current settings, then click Next.

  4. If the User Account Control (UAC) confirmation appears, then click Yes to start the installation.

  5. Wait for the InstallShield Wizard to install the client application.

  6. 7. Click Finish.


Silent install

  1. Click Start and then initiate a command prompt as an administrator.

  2. Execute the following syntax to perform a silent install:

    <installerPath>\PasscodeX_X_X.msi /quiet INSTALLDIR=<installDirectoryPath> ENROLLMENTURL=<enrollmentURLpath>

    For example:

    C:\users\admin\Downloads\PasscodeX_X_X.msi /quiet INSTALLDIR="C:\SecureAuth Files\Passcode"

    Optional installation steps:

    • Use the INSTALLDIR attribute to install Passcode in a non-default location – the default location is C:\Program Files (x86)\Passcode

    • Use the ENROLLMENTURL attribute to pre-populate the Add Account screen with the URL when starting the application for the first time.

      • If the administrator has specified an account enrollment URL in the command line syntax, then any existing provisioned account on your machine will be deleted.

      • If the default URL realm SecureAuth998 is used, then you only need to enter the Fully Qualified Domain Name – example:

      • If a realm other than the default realm is used for Multi-Factor Authentication URL app enrollment, then the entire URL address that includes the realm name is required – example:

Connect an account to your user profile

  1. Start the Passcode client application.

  2. If this is a fresh install, then the Add Account screen appears.

  3. Enter the web address of the SecureAuth IdP app enrollment / OATH provisioning realm.

    If the default URL realm SecureAuth998 is used, then you only need to enter the Fully Qualified Domain Name – example:

    If a different realm is used for Multi-Factor Authentication URL app enrollment, then the entire URL address that includes the realm name is required – example:

  4. Click Start.

  5. Follow the configured workflow, which may include multi-factor authentication.

    The image example shows the Username + Password Only (on first page) workflow option.

  6. Set the PIN (if required in the app enrollment realm configuration) and click Enter.



    • Cannot contain consecutive, repeating digits – example: 33333333 or 1111

    • Cannot be forward or backwards sequential – example: 123456 or 87654321


    • If upgrading from an earlier version of the app, then you are prompted to create a PIN and re-connect to your profile if the realm requires a PIN.

    • An account on the app must be re-enrolled for multi-factor authentication if the connected realm now requires a PIN entry.

    • If accounts on the app use different PIN lengths, then the highest security setting (maximum 10 digits) is enforced for use on the app. To apply the highest security setting to all accounts, you must re-enroll accounts that are not using the highest security setting.

    • If multiple accounts exist on the app, you must create a PIN whenever you:

      • Add an account that requires a higher security setting, or

      • Delete the account that used the highest security setting.

  7. Confirm the PIN, and click Enter again.

    The OTP panel appears with the current one-time passcode (OTP) that can be used for Multi-Factor Authentication.

Passcode app account management

Using the Passcode app

  1. Start the app on your desktop.

  2. Enter your PIN, if prompted.

  3. The OTP panel appears showing a passcode 6 to 8 digits in length for each account tile on the app.

    The blue bar beneath the passcode indicates how much time remains to use the passcode for login, as configured by the administrator.

    The bar turns red when 10 seconds remain to use the current passcode. When the time has elapsed, a new passcode appears.

  4. Click Copy to copy the passcode to the clipboard for easy pasting on the login page.


Passcode app toolbar

Click the icon on the toolbar to execute the function described to the right:



The OTP panel appears with the current passcode for each account on a connected domain.


Add Account

The Add Account screen appears so you can connect an account to an additional domain.


Edit Accounts

The Edit Accounts screen appears on which you can rename, re-enroll, reorder, and delete accounts.


Change PIN

The PIN Selection screen appears so you can update the registered PIN.



Windows app only: The About screen appears which displays the Passcode app version number.


Minimize / Quit

Windows app only: The application minimizes or is exited.

Passcode app edit accounts

Clicking the pencil icon puts the app in edit mode, providing functions described below.


Click the icon on the account tile to enable the function described to the right:



Lets you rename a connected account.



Clears account connection data and restarts the account connection process.



Lets you organize the account tiles on the OTP panel.



Lets you remove a connected account.

End user experience

  1. Log on the realm you want to access and proceed through the configured workflow.

  2. On the Multi-Factor Authentication methods page, select the Time-based Passcode option from the list.

  3. Click Submit.

  4. Start the Passcode app.

  5. If a PIN is required to unlock the app, input the PIN and click Enter.

  6. On the OTP panel, click Copy on the account tile to copy the passcode.

  7. Paste the passcode in the Passcode box on the login page.

  8. Click Submit to access to the realm.


Release notes

Version 19.10.02

Release date: January 14, 2019

Compatibility: SecureAuth IdP 9.3.x or later

Resolved issue
  • OTP-76 – In Passcode version 19.10.02, if a SecureAuth administrator configures a PIN length greater than 4 digits, the Passcode app does not prompt end users for the longer PIN length for existing enrolled accounts. (Passcode prompts for the previous 4 digit PIN.)

    After the administrator upgrades to the latest Passcode app, one of the following applies to end users:

    • If the administrator allows end users to continue to use the old 4 digit PIN accounts, no change is needed.

    • If the end user account is new or the administrator enforces the longer PIN lengths, then end users must create a new account, set a new 6-, 8-, or 10-digit PIN, and enroll their new account.

Version 19.10

Release date: October 29, 2019

Compatibility: SecureAuth IdP 9.3.x or later

What's new
  • Custom PIN. For Windows users only, a custom PIN of 4, 6, 8, or 10 digits can now be configured on the URL app enrollment realm running on SecureAuth IdP version 9.3 or later. The PIN length corresponds to the security level to be enforced, where 10 digits is the highest security level.

    If an app is upgraded to this latest version, any account existing on the app must be re-enrolled if it is connected to a realm that now requires a PIN with a security level exceeding 4 digits to view the OTP on the app.

  • Spanish language support. For Windows users only, Spanish language is supported on the user interface (UI). No special setting is necessary; if the workstation is set to Spanish, the UI will display Spanish by default. Some error messages, enrollment, and validation page messages are sent from SecureAuth IdP, so ensure that it has Spanish set so end users receive all messages in Spanish.

Version 2.0.1

Release Date: February 23, 2017

Resolved issue
  • OTP-40 – Token registration fails when inline initialization is enabled in the provisioning realm (typically 998)