SecureAuth Passcode app for Windows
Updated December 15, 2022
SecureAuth Passcode for Windows is a desktop application that generates one-time passcodes (OTPs) to use for validation during the login process.
The Passcode app must first be connected to your user profile via a SecureAuth Identity Platform app enrollment realm before it can be used.
Once connected, the app generates a new passcode (configured for 6 or 8 digits) every 60 seconds. Input the current passcode on the login page to gain access to the application protected by the SecureAuth Identity Platform.
You can enroll more than one Passcode account on the app and manage these accounts there.
Note
Passcode app version 19.14 or later supports the ability to register the Passcode app on more than one Windows computer. This applies to Identity Platform OATH Token enrollments.
It requires an Identity Platform hotfix update to releases 19.07.01 or later.
Passcode app version 19.10 or later supports optional PIN protection, which, if configured, requires you to enter your PIN to view the OTP.
For a summary of release information, see Passcode for Windows release notes.
Prerequisites
Before you set up Passcode for Windows, review the following prerequisites.
Workstation requirements
The following are minimum workstation requirements for end users.
Supported on Windows 8.1 or later
Supported on Windows Server 2008 R2 or later
.NET Framework 4.5 or later
Before you begin
From the SecureAuth product downloads page, download the SecureAuth Passcode for Windows MSI file.
Get the URL of the SecureAuth Identity Platform app enrollment realm you should use to:
Enroll the app and provision it for Multi-Factor Authentication usage (if you do not have the app installed), or
Re-enroll the app for Multi-Factor Authentication usage if you are upgrading from an earlier Passcode app version
Optional Windows Server configuration
If you want to use roaming user profiles with the Passcode app, read on to learn more.
Roaming user profiles that are set up in Active Directory environments let users with computers joined to a Windows server domain log on to another computer on the same network to access documents.
To use roaming user profiles with the Passcode app:
A Roaming User Profile GPO must be enabled in Active Directory. See the Microsoft TechNet article on deploying Roaming Profiles.
The Passcode app must be installed on each machine used by the roaming profile.
Note
Seed and PIN values are shared by all machines with Passcode apps installed.
Any change to seeds, PINs, and accounts appears on other machines after the Passcode app on another machine is restarted.
Refer to the Multi-Factor App Enrollment (URL) realm configuration topic for additional information.
Install Passcode for Windows
To install Passcode for Windows, you can use the Wizard install or Silent install.
Note
The silent install option uses the Windows Command Line Interface (CLI) and requires administrator permissions. Be sure you have the syntax from the administrator before proceeding.
Wizard install
Find the Passcode application you downloaded.
To start the installation, double-click the passcode.msi file.
Click Next.
Review the current settings, then click Next.
If the User Account Control (UAC) confirmation appears, then click Yes to start the installation.
When the installation completes, click Finish.
Silent install
If you use the silent install option to install Passcode for Windows on end-user workstations:
You can include the INSTALLDIR attribute in the silent installation syntax to install Passcode in a path other than the default location C:\Program Files (x86)\Passcode
You can include the ENROLLMENTURL attribute in the silent installation syntax. This pre-populates the URL in the Add Account screen the first time the end user starts the app.
With this option:
You can configure the syntax to let the end user enter another web address to use instead of the one you provided.
You can specify the account enrollment URL to be used. This configuration means that any existing, provisioned account on the end user's machine will be deleted.
Find the Passcode for Windows .msi file you downloaded.
Click Start and then initiate a command prompt as an administrator.
Execute the following syntax to perform a silent install:
<installerPath>\PasscodeX_X_X.msi /quiet INSTALLDIR=<installDirectoryPath> ENROLLMENTURL=<enrollmentURLpath>
For example:
C:\users\admin\Downloads\PasscodeX_X_X.msi /quiet INSTALLDIR="C:\SecureAuth Files\Passcode" ENROLLMENTURL=secureauth.company.com
Optional installation steps:
Use the INSTALLDIR attribute to install Passcode in a non-default location – the default location is C:\Program Files (x86)\Passcode
Use the ENROLLMENTURL attribute to pre-populate the Add Account screen with the URL when starting the application for the first time.
If the administrator has specified an account enrollment URL in the command line syntax, then any existing provisioned account on your machine will be deleted.
If the default URL realm SecureAuth998 is used, then you only need to enter the Fully Qualified Domain Name – example: secureauth.company.com
If a realm other than the default realm is used for Multi-Factor Authentication URL app enrollment, then the entire URL address that includes the realm name is required. For example: https://secureauth.company.com/secureauth2
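A deployment wrapper for the silent-install syntax above, shown as an added example that is not SecureAuth's own code. It validates the ENROLLMENTURL value before it is pushed to workstations, refuses an MSI whose signature does not verify, and forces an explicit opt-in because a supplied enrollment URL deletes existing accounts. Assumptions: the script's parameter names and the Test-EnrollmentUrl helper are hypothetical, realm names are a single alphanumeric path segment, and the downloaded MSI is Authenticode-signed.

```powershell
#Requires -RunAsAdministrator
# Added example (hypothetical script, not SecureAuth code). INSTALLDIR and ENROLLMENTURL
# are the page's MSI attributes; parameter and function names are this example's own.
param(
    [Parameter(Mandatory)] [string] $MsiPath,
    [string] $EnrollmentUrl,
    [switch] $AllowAccountReset,
    [string] $InstallDir = 'C:\Program Files (x86)\Passcode',
    [string] $LogPath = "$env:TEMP\passcode-install.log"
)

# Accept a bare FQDN (default realm) or an https URL ending in one realm name.
# Assumption: realm names are a single alphanumeric path segment, as in "secureauth2".
function Test-EnrollmentUrl([string] $Value) {
    $fqdn = '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
    if ($Value -match $fqdn) { return $true }
    $uri = $null
    if (-not [Uri]::TryCreate($Value, [UriKind]::Absolute, [ref] $uri)) { return $false }
    return ($uri.Scheme -eq 'https') -and ($uri.Host -match $fqdn) -and
           ($uri.AbsolutePath.Trim('/') -match '^[a-z0-9]+$') -and
           (-not $uri.Query) -and (-not $uri.UserInfo)
}

if (-not (Test-Path -LiteralPath $MsiPath -PathType Leaf)) { throw "MSI not found: $MsiPath" }
if ($InstallDir -match '"') { throw 'INSTALLDIR must not contain quotes' }

# Assumption: the downloaded MSI is Authenticode-signed; refuse it if the signature fails.
$sig = Get-AuthenticodeSignature -LiteralPath $MsiPath
if ($sig.Status -ne 'Valid') { throw "Signature status '$($sig.Status)' on $MsiPath" }
Write-Host "Signer: $($sig.SignerCertificate.Subject)"   # compare with the expected publisher

# A trailing backslash would escape the closing quote, so trim it from INSTALLDIR.
$msiArgs = @('/i', "`"$MsiPath`"", '/quiet', '/norestart', '/l*v', "`"$LogPath`"",
             "INSTALLDIR=`"$($InstallDir.TrimEnd('\'))`"")

if ($EnrollmentUrl) {
    if (-not (Test-EnrollmentUrl $EnrollmentUrl)) { throw "Rejected ENROLLMENTURL: $EnrollmentUrl" }
    # Per the page, a supplied enrollment URL deletes accounts already provisioned on the machine.
    if (-not $AllowAccountReset) { throw 'ENROLLMENTURL resets existing accounts; pass -AllowAccountReset' }
    $msiArgs += "ENROLLMENTURL=$EnrollmentUrl"
}

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
# 0 = success, 3010 = success with a reboot pending; anything else is a failed install.
if ($proc.ExitCode -notin 0, 3010) { throw "msiexec exit code $($proc.ExitCode); see $LogPath" }
```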
Connect an account to your user profile
Start the Passcode client application.
If this is a fresh install, then the Add Account screen appears.
Enter the URL of the Identity Platform Multi-Factor Authentication URL enrollment / OATH provisioning application.
If the default URL realm SecureAuth998 is used, then you only need to enter the Fully Qualified Domain Name. For example, secureauth.company.com
If a different realm is used for Multi-Factor Authentication app enrollment, then the entire URL address that includes the realm name is required. For example, https://secureauth.company.com/secureauth2
Click Start.
Follow the configured login workflow, which might include multi-factor authentication, to connect a Passcode account to your user profile.
In the following example, this is the Username + Password workflow option.
If required in the app enrollment realm configuration, create your PIN and click Enter.
PIN value restrictions
Cannot have consecutive and repeating digits. For example, 33333333 or 1111
Cannot have forward or backward sequential numbers. For example, 123456 or 87654321
PIN rules
If you've upgraded to a newer version of the Passcode app, it will prompt you to create a PIN and reconnect to your profile if the realm requires a PIN.
An account on the app must be re-enrolled for multi-factor authentication if the connected realm now requires a PIN entry.
If accounts on the app use different PIN lengths, then it enforces the highest security setting (maximum 10 digits) for use on the app. To apply the highest security setting to all accounts, you must reenroll accounts that are not using the highest security setting.
If multiple accounts exist on the app, you must create a PIN whenever you:
Add an account that requires a higher security setting, or
Delete the account that used the highest security setting
Confirm the PIN, and click Enter again.
The OTP panel appears with the current one-time passcode (OTP) that you can use for multi-factor authentication (MFA).
Using Passcode for Windows
Start the app on your desktop.
If prompted, enter your PIN.
The Passcode app home page displays, showing a passcode 6 to 8 digits in length for each account on the app.
The blue bar beneath the passcode indicates how much time remains to use the passcode for login, as configured by your administrator.
The bar turns red when 10 seconds remain to use the current passcode. When the time has elapsed, a new passcode appears.
Click Copy to copy the passcode to the clipboard for easy pasting on the login page.
Passcode app toolbar
Learn more about the Passcode app functions.
Home | The home page appears with the current passcode for each account on a connected domain.
Add Account | Use this option to add another account.
Edit Accounts | Use this option to manage your accounts. For example, you can rename, reenroll, reorder and delete your account.
Change PIN | Use this option to change your registered PIN.
About | Click About to display the Passcode app version number.
Minimize / Quit | Exit or minimize the Passcode app.
Passcode app account management
Clicking the pencil icon puts the app in edit mode, providing functions described below.
Click the icon on the account tile to enable the function described to the right:
Rename | Click this icon next to a connected account name to rename it.
Re-enroll | Use this option to clear account connection data and restart the account connection process.
Reorder | Click and hold to drag and drop the account up or down the list.
Delete | Use this option to remove a connected account from the Passcode app.
End user login experience
Log in to the application you want to access and proceed through the configured login workflow.
From the list of delivery methods, select the Time-based Passcode option.
Click Submit.
Start the Passcode app.
If a PIN is required to unlock the app, enter your PIN and click Enter.
On the Passcode home page, click Copy on the account tile to copy the passcode.
Paste the passcode in the Passcode box on the login page.
Click Submit to access the realm.