Updated: October 22, 2018

Use this guide to install and provision the SecureAuth Passcode for Mac App to use in Multi-Factor Authentication on a desktop OS X device.


  1. Ensure the desktop device is using a 64-bit processor and running either:
    • OS X 10.9 - 10.11
    • macOS 10.12
  2. Download the SecureAuth Passcode for Mac App from the App Store.
  3. Configure the OATH Provisioning Realm / App Enrollment Realm in the SecureAuth IdP Web Admin for end users to enroll devices for passcodes by following steps in Multi-Factor App Enrollment (URL) realm configuration.
  4. Configure SecureAuth IdP realms in which OATH OTPs or Time-based Passcodes are used for multi-factor authentication.

Passcode Mac app provisioning steps

After the SecureAuth Passcode client has been installed on the OS X device, start the application; the splash screen is displayed.

Add an account 

  1. Provide the web address of the SecureAuth IdP OATH provisioning realm.

    If using SecureAuth998 as the Multi-Factor App Enrollment Realm, then only the Fully Qualified Domain Name (FQDN) is required; for example,

    If using a different realm for Multi-Factor App Enrollment, then the entire URL address which includes the realm name is required; for example,
  2. Click Start.
  3. Enter a username and password, then click Start.

  4. Choose the delivery method for you passcode and click Submit.

  5. Follow the configured workflow of the Multi-Factor App Enrollment Realm to validate the user identity.

    Shown here is the Username + Password, + Multi-Factor Authentication workflow.

    NOTE: A multi-factor authentication workflow does not need to be set in the configuration to validate the user identity.

  6. Select the multi-factor authentication method, and click Submit.

    This step is necessary only if a multi-factor authentication workflow is required.

  7. Enter the passcode received via the method selected in step 6, and click Submit.

    A different multi-factor authentication method can be used by clicking the link beneath the Submit button, which presents the screen in step 4.

  8. Enter the passcode received via the method selected in step 4, and click Submit.

Create a PIN

  1. Create a 4-digit PIN code to use for unlocking the app. The PIN code cannot contain repeating or sequential digits.
  2. Confirm this entry on the next screen.

    These steps are required only if the Multi-Factor App Enrollment Realm is set to require a PIN code for access.

    If this app is upgraded from the previous version (SecureAuth OTP Client for OS X) and a PIN is required to unlock the app, a secure PIN will be enforced if the end user attempts to change the PIN because 4 repeating digits or sequential digits (e.g., 33331234) are not permitted on this newer version of the app.

    NOTE: The SecureAuth IdP administrator can configure a set number of times the end user can enter an incorrect PIN before the OATH token and configuration are erased from the app.

Change a PIN 

  1. Click the gear icon on the app toolbar.
  2. The Change PIN screen is displayed.
  3. Provide the current PIN code and click Enter.
  4. Supply a new 4-digit PIN code and click Enter. The PIN code cannot contain repeating or sequential digits.
  5. Confirm the new PIN code on the next screen.

Passcode generation

The provisioned app appears with a one-time passcode that can be used in multi-factor authentication.

The passcode for this account is valid only for the period of time specified on the Multi-Factor App Enrollment RealmWhen the time period has elapsed, a new, auto-generated passcode replaces the expired account passcode. 

If a PIN is required to unlock the app, the gear icon appears upper right on the toolbar, as shown in the previous image.

App account management

Click an icon on the toolbar to specify the function you want to perform.

App functionToolbar iconInstructions
Add another account

  1. Click the + icon to add another account.
  2. Follow the steps in Add an account.

After the new account is added, the tile for the new account is displayed beneath the previous account tile.

Change PINSee Change a PIN.See Change a PIN.
Delete account

Click the red circle with minus sign icon on the account tile to delete the account.
Edit account

  1. Click the pencil icon to edit the account.
  2. On the edit screen, use objects on the account tile to modify the account.

You can change the order of account tiles for multiple accounts by dragging tiles.

Edit account name

On the account tile, click the account name to edit it.
Re-enroll account

  1. Select the account tile and click Re-Enroll.
  2. When the enrollment process initiates, follow the steps for Add an account.
Re-order accounts

On the account tile to be moved, click the hamburger icon and drag the account tile up or down to move it to the new position.

OATH OTP end-user experience

  1. Initiate the login process on a realm that enables OATH OTPs as a second factor option (configured on the Registration Methods tab of the realm).
  2. Follow the configured workflow.
  3. On the multi-factor authentication methods page, select Time-based Passcode from the list of options, and click Submit.

    By default, the listing next to the Time-based Passcode option is SecureAuth OTP Mobile App.

    This listing applies to all devices and browsers provisioned for Single (OATH Seed) mode; e.g., mobile apps, desktop apps, etc.

    In environments that support more than one type of OTP app, the end user might not know this option also applies to desktop OTP apps.

    If this scenario applies to your organization, you can replace the SecureAuth OTP Mobile App label with a more generic name, such as SecureAuth OTP App, to improve the end-user experience and to minimize confusion.

     Optional: Label change configuration steps...

    Apply the following configuration steps to any Passcode app provisioned for OATH Seed (Single).

    Complete these modifications before end users enroll their browsers or devices to avoid caching issues on client-side pages.

    1. In the Advanced Settings section, click Content and Localization.

    2. In the Verbiage Editor, Search for (CTRL + F / CMD + F) registrationmethod_oath2 and alter the content; for example, SecureAuth OTP App.

    3. Click Save.

    4. On the Delivery Method page, the option now shows Time-based Passcode - SecureAuth OTP App.

  4. Start the app.

  5. If a PIN is required to unlock the app, enter the PIN and click Enter. On the account tile, click Copy to grab the passcode.
  6. Paste the passcode from the app on the login page, and click Submit to gain access to the realm or application.

Release notes

Version 2.0
Released on November 01, 2016

What's NewMultiple account support
New UX and Branding

Weak PIN protection

Brute force protection
App hardening
Resolved Issues

Debug logging data gaps

  • No labels