Use this guide to install and provision the SecureAuth Passcode for Mac App to use in Multi-Factor Authentication on a desktop OS X device.


1. Ensure the desktop device is using a 64-bit processor and running either

  • OS X 10.9 - 10.11
  • macOS 10.12

2. Download the SecureAuth Passcode for Mac App from the App Store

3. Configure the OATH Provisioning Realm / App Enrollment Realm in the SecureAuth IdP Web Admin for end-users to enroll devices for passcodes

NOTE: The name of the OATH provisioning / enrollment realm has changed since the release of pre-8.0 SecureAuth IdP – as of version 9.0.x, the realm is called Multi-Factor App Enrollment Realm which is the name used throughout this document

Additionally, since the release of SecureAuth IdP 8.2, OATH OTPs are called Time-based Passcodes

4. Configure SecureAuth IdP realm(s) in which OATH OTPs / Time-based Passcodes are used for Multi-Factor Authentication

Passcode Mac App Provisioning Steps

1. Once the SecureAuth Passcode client has been installed on the OS X device, start the application; the splash screen appears

Add Account


2. Provide the web address of the SecureAuth IdP OATH Provisioning Realm

If using SecureAuth998 as the Multi-Factor App Enrollment Realm, then only the Fully Qualified Domain Name (FQDN) is required – e.g.

If using a different realm for Multi-Factor App Enrollment, then the entire URL address which includes the realm name is required – e.g.

3. Click Start 


4. Follow the configured workflow of the Multi-Factor App Enrollment Realm to validate the user identity

Shown here is the Username + Password, + Multi-Factor Authentication workflow

NOTE: A Multi-Factor Authentication workflow does not need to be set in the configuration to validate the user identity

5. Click Submit

Steps 6 to 7 are presented only if a Multi-Factor Authentication workflow is required

6. Select the Multi-Factor Authentication method, and click Submit

For step 7, a different Multi-Factor Authentication method can be used by clicking the link beneath the Submit button which presents the screen in step 6

7. Enter the passcode received via the method selected in step 6, and click Submit

Create PIN


8. Create a 4-digit PIN code – without repeating or sequential digits – to use for unlocking the app

9. Confirm this entry on the next screen

These steps are only required if the Multi-Factor App Enrollment Realm is set to require a PIN code for access

If this app is upgraded from the previous version (SecureAuth OTP Client for OS X) and a PIN is required to unlock the app, a secure PIN will be enforced if the end-user attempts to change the PIN – i.e. 4 repeating digits or sequential digits (e.g. 1234) are not permitted on this newer version of the app

NOTE: The SecureAuth IdP Admin can configure a set number of times the end-user can enter an incorrect PIN before the OATH token and configuration are erased from the app

Passcode Generation


10. The provisioned app appears with a one-time passcode that can be used in Multi-Factor Authentication

The passcode for this account is valid only for the period of time specified on the Multi-Factor App Enrollment Realm

When this time period has elapsed, a new, auto-generated passcode replaces the expired account passcode

The gear icon appears upper right on the toolbar – as in the image below – if a PIN is required to unlock the app

App Account Management

Click an icon on the toolbar to specify the function to perform

Add Another Account

1. Click the + icon to add another

2. Follow the steps in Add Account


3. When the new account is added, the tile for that account appears beneath the previous account tile

Edit Account(s)

1. Click the pencil icon


2. The edit screen appears

Use objects on the account tile to modify the account

Account tiles can be re-ordered if more than one account appears on this app

Edit Account Name

On the account tile, click to the right of the pencil icon to edit the account name

Delete Account


Click the red circle with minus sign icon on the account tile to delete the account

Re-enroll Account


Select the account tile and click Re-Enroll

When the enrollment process initiates, follow the steps for Add Account

Re-order Accounts


On the account tile to be moved, click the three bars icon and drag the account tile up / down to move it to the new position

Change PIN

The gear icon appears upper right on the toolbar only if a PIN is required to unlock the app


1. Click the gear icon on the app toolbar

2. The Change PIN screen appears

3. Provide the current PIN and click Enter

4. Supply a new 4-digit PIN – without repeating or sequential digits – and click Enter

5. Confirm the new PIN on the next screen

OATH OTP End-user Experience

1. Initiate the login process on a realm that enables OATH OTPs as a second factor option (configured on the Registration Methods tab of the realm)

2. Follow the configured workflow

3. Once on the Multi-Factor Authentication methods page, select Time-based Passcode from the list of options, and click Submit

By default, the listing for the Time-based Passcode option is followed by SecureAuth OTP Mobile App

This listing applies to all devices and browsers provisioned for Single (OATH Seed) mode – e.g. mobile apps, desktop apps, etc.

In environments that support more than one type of OTP app, the end-user may not know this option also applies to desktop OTP apps

For these scenarios, SecureAuth recommends replacing the SecureAuth OTP Mobile App label with a more generic name – e.g. SecureAuth OTP App – to improve the end-user experience and to minimize confusion

 See Content Change Optional Configuration Steps...

These configuration steps can be applied to any Passcode app provisioned for OATH Seed (Single)

SecureAuth recommends making these modifications before end-users enroll their browsers / devices in order to avoid caching issues on client-side pages


1. In the Advanced Settings section, click Content and Localization

Verbiage Editor

2. Search for (CTRL + F / CMD + F) registrationmethod_oath2 and alter the content – e.g. SecureAuth OTP App

Click Save once the configuration is complete and before leaving the Content and Localization page to avoid losing changes 

Sample Delivery Method page

On the Delivery Method page, the option now shows Time-based Passcode - SecureAuth OTP App


4. Start the app

5. If a PIN is required to unlock the app, input the  PIN and click  Enter

6. On the account tile, click Copy to grab the passcode

7. Paste the passcode from the app on the login page, and click Submit to gain access to the realm

Release Notes

Version 2.0

Released on November 01, 2016

What's NewMultiple account support
New UX and Branding

Weak PIN protection

Brute force protection
App hardening
Resolved Issues

Debug logging data gaps