Updated January 14, 2019
SecureAuth Passcode is a desktop application that generates one-time passcodes (OTPs) to use for validation during the login process.
The Passcode app must first be connected to your user profile via a SecureAuth IdP app enrollment realm before it can be used.
Once connected, the app generates a new passcode (configured for 6 or 8 digits) every 60 seconds. Input the current passcode on the login page to gain access to the resource protected by SecureAuth IdP.
You can enroll more than one Passcode account on the app and manage these accounts on the app.
Version 19.10 of the Passcode app supports optional PIN protection, which, if configured, requires you to enter your PIN to view the OTP.
See the Release notes to learn about new features in this release.
CONTENTS OF THIS DOCUMENT:
What's new in Passcode Windows app v19.10
For Windows users only, a custom PIN of 4, 6, 8, or 10 digits can now be configured on the URL app enrollment realm running on SecureAuth IdP version 9.3. The PIN length corresponds to the security level to be enforced, where 10 digits is the highest security level.
If an app is upgraded to this latest version, any account existing on the app must be re-enrolled if it is connected to a realm that now requires a PIN with a security level exceeding 4 digits to view the OTP on the app.
The following is the minimum Windows workstation requirements for end users.
|Supported OS versions|
Windows OS versions:
Windows Server OS versions:
|.NET Framework 4 or later|
1. Download and install Passcode app version 19.10.2 on your desktop:
2. Get the web address of the SecureAuth IdP app enrollment realm (version 9.3) you should use to:
- Enroll the app and provision it for Multi-Factor Authentication usage (if you do not have the app installed), or
- Re-enroll the app for Multi-Factor Authentication usage if you are upgrading from version 2.0.x to version 19.10.2.
3. Proceed to the Installation Steps.
Administrator: Windows server setup requirements
Requirements for optional Roaming User Profile Group Policy Object (GPO)
Roaming user profiles that are set up in Active Directory environments let users with computers joined to a Windows server domain log on another computer on the same network to access documents.
To use roaming user profiles with the Passcode app:
- A Roaming User Profile GPO must be enabled in Active Directory. See the Microsoft Technet article on deploying Roaming Profiles document.
- The Passcode app must be installed on each machine used by the roaming profile.
- Seed and PIN values are shared by all machines with Passcode apps installed.
- Any change to seeds, PINs, and accounts appears on other machines after the Passcode app on another machine is restarted.
- Refer to Multi-Factor App Enrollment (URL) realm configuration for additional information.
Installation configuration options
If you will use the Silent install option to install Passcode on end-user workstations:
- You can include the INSTALLDIR attribute in the silent installation syntax to install Passcode in a path other than the default location C:\Program Files (x86)\Passcode
- You can include the ENROLLMENTURL attribute in the silent installation syntax. This pre-populates the URL in the Add Account screen the first time the end user starts the app.
Using this option:
- You can configure the syntax to let the end user enter another web address to use instead of the one you provided.
- You can specify the account enrollment URL to be used. This configuration means that any existing, provisioned account on the end user's machine will be deleted.
Follow the installation steps for the Windows desktop.
1. Find the Passcode application you downloaded.
NOTE: The silent install option uses the Windows Command Line Interface (CLI) and requires administrator permissions. Be sure you have the syntax from the administrator before proceeding.
1. Double-click the Passcode .msi file to start the InstallShield Wizard.
2. Click Next to continue.
3. Review the current settings, then click Next.
4. If the User Account Control (UAC) confirmation appears, then click Yes to start the installation.
6. Wait for the InstallShield Wizard to install the client application.
7. Click Finish.
1. Click Start and then initiate a command prompt as an administrator.
2. Execute the following syntax to perform a silent install:
<installerPath>\PasscodeX_X_X.msi /quiet INSTALLDIR=<installDirectoryPath> ENROLLMENTURL=<enrollmentURLpath>
C:\users\admin\Downloads\PasscodeX_X_X.msi /quiet INSTALLDIR="C:\SecureAuth Files\Passcode" ENROLLMENTURL=secureauth.company.com
Optional installation steps:
- Use the INSTALLDIR attribute to install Passcode in a non-default location – the default location is C:\Program Files (x86)\Passcode
- Use the ENROLLMENTURL attribute to pre-populate the Add Account screen with the URL when starting the application for the first time.
- If the administrator has specified an account enrollment URL in the command line syntax, then any existing provisioned account on your machine will be deleted.
- If the default URL realm SecureAuth998 is used, then you only need to enter the Fully Qualified Domain Name – example: secureauth.company.com
- If a realm other than the default realm is used for Multi-Factor Authentication URL app enrollment, then the entire URL address that includes the realm name is required – example:
Connect an account to your user profile
1. Start the Passcode client application.
2. If this is a fresh install, then the Add Account screen appears.
3. Enter the web address of the SecureAuth IdP app enrollment / OATH provisioning realm.
If the default URL realm SecureAuth998 is used, then you only need to enter the Fully Qualified Domain Name – example: secureauth.company.com
If a different realm is used for Multi-Factor Authentication URL app enrollment, then the entire URL address that includes the realm name is required – example:
4. Click Start.
5. Follow the configured workflow, which may include Multi-Factor Authentication.
The sample image shows the Username + Password Only (on first page) workflow option.
6. Set the PIN (if required in the app enrollment realm configuration) and click Enter.
PIN VALUE RESTRICTIONS:
- Cannot contain consecutive, repeating digits – example: 33333333 or 1111
- Cannot be forward or backwards sequential – example: 123456 or 87654321
- If upgrading from an earlier version of the app, then you are prompted to create a PIN and re-connect to your profile if the realm requires a PIN.
- An account on the app must be re-enrolled for multi-factor authentication if the connected realm now requires a PIN entry.
- If accounts on the app use different PIN lengths, then the highest security setting (maximum 10 digits) is enforced for use on the app. To apply the highest security setting to all accounts, you must re-enroll accounts that are not using the highest security setting.
- If multiple accounts exist on the app, you must create a PIN whenever you:
- Add an account that requires a higher security setting, or
- Delete the account that used the highest security setting.
7. Confirm the PIN, and click Enter again.
The OTP panel appears with the current one-time passcode (OTP) that can be used for Multi-Factor Authentication.
App account management
Use the app
1. Start the app on your desktop.
2. Enter your PIN, if prompted.
3. The OTP panel appears showing a passcode 6 to 8 digits in length for each account tile on the app.
The blue bar beneath the passcode indicates how much time remains to use the passcode for login, as configured by the administrator.
The bar turns red when 10 seconds remain to use the current passcode. When the time has elapsed, a new passcode appears.
4. Click Copy to copy the passcode to the clipboard for easy pasting on the login page.
Click the icon on the toolbar to execute the function described to the right:
|The OTP panel appears with the current passcode for each account on a connected domain.|
|Add Account||The Add Account screen appears so you can connect an account to an additional domain.|
The Edit Accounts screen appears on which you can rename, re-enroll, reorder, and delete accounts.
|Change PIN||The PIN Selection screen appears so you can update the registered PIN.|
|About||Windows app only: The About screen appears which displays the Passcode app version number.|
|Minimize / Quit||Windows app only: The application minimizes or is exited.|
Edit accounts screen
Clicking the pencil icon puts the app in edit mode, providing functions described below.
Click the icon on the account tile to enable the function described to the right:
|Rename||Lets you rename a connected account.|
Clears account connection data and restarts the account connection process.
|Reorder||Lets you organize the account tiles on the OTP panel.|
|Delete||Lets you remove a connected account.|
End user experience
1. Log on the realm you want to access and proceed through the configured workflow.
2. On the Multi-Factor Authentication methods page, select the Time-based Passcode option from the list.
3. Click Submit.
4. Start the Passcode app.
5. If a PIN is required to unlock the app, input the PIN and click Enter.
6. On the OTP panel, click Copy on the account tile to copy the passcode.
7. Paste the passcode in the Passcode box on the login page.
8. Click Submit to access to the realm.
Release Date: January 14, 2019
Compatibility: SecureAuth IdP v9.3.x or later
In Passcode version 19.10.02, if a SecureAuth administrator configures a PIN length greater than 4 digits, the Passcode app does not prompt end users for the longer PIN length for existing enrolled accounts. (Passcode prompts for the previous 4 digit PIN.)
After the administrator upgrades to the latest Passcode app, one of the following applies to end users:
If the administrator allows end users to continue to use the old 4 digit PIN accounts, no change is needed.
If the end user account is new or the administrator enforces the longer PIN lengths, then end users must create a new account, set a new 6-, 8-, or 10-digit PIN, and enroll their new account.
New features and enhancements
Compatibility: SecureAuth IdP v9.3.x or later
|OTP-58||SecureAuth Passcode for Windows supports an optional security feature requiring a custom PIN (4, 6, 8, or 10 digits) to access a passcode from the app.|
|OTP-74||SecureAuth Passcode for Windows supports Spanish on the UI. No special setting is necessary; if the workstation is set to Spanish, the UI will display Spanish by default.|