Introduction

Use this guide to install and provision the SecureAuth Passcode for Windows application ("Passcode") for Multi-Factor Authentication on Windows desktop clients.

SecureAuth Passcode is a Windows desktop application that generates six- or eight-digit one-time passcodes (OTPs) that rotate based on the configured interval (e.g. every 60 seconds). The code can be used as an authentication option when logging into a resource protected by SecureAuth IdP.

Users can enroll one or more accounts in Passcode; each account generates its own OTPs and can be edited or deleted through the interface.

The Passcode application supports optional PIN protection, which requires a user to enter a personal PIN to view the OTP.

Prerequisites

1. Minimum System Requirements:

  • Operating System
    • Microsoft Windows 7 (32-bit or 64-bit)
    • Microsoft Windows 8.1 (32-bit or 64-bit)
    • Microsoft Windows 10 (32-bit or 64-bit)
    • Microsoft Windows Server 2008 R2 (64-bit)
    • Microsoft Windows Server 2012
    • Microsoft Windows Server 2012 R2

2. Configure the App Enrollment Realm / OATH Provisioning Realm in the SecureAuth IdP Web Admin

Passcode supports both Single (OATH Seed) and Multi (OATH Token) configurations for SecureAuth IdP versions 8.1+

Passcode supports Roaming User Profiles in Active Directory environments

When roaming profiles are enabled, seed and PIN values are shared across all machines on which the Passcode application is installed. Any changes to seeds, PINs, and/or accounts are reflected on another machine once the Passcode application on that machine is restarted. Because the OTP seed itself travels with the profile, every machine that loads the profile can generate the user's OTPs; treat the profile share and its replication path as part of the OTP trust boundary

Installation Steps

Passcode can be installed using either the Wizard Install or the Silent Install option

Select one option and follow only the instructions for that method

Wizard Install

1. Download the Passcode client application from the SecureAuth Downloads page

2. Start the Passcode2_0_1.msi file

The InstallShield Wizard window appears

3. Click Next to continue

4. Review the current settings, then click Next

5. If a User Account Control (UAC) confirmation appears, then click Yes to begin the installation

6. Wait for the InstallShield Wizard to install the client application to the device

7. Click Finish once the installation is complete

Silent Install

Passcode supports a silent install option (no user interaction required) from the Windows command line

To perform a silent install, follow these steps:

1. Download the Passcode client application from the SecureAuth Downloads page

2. Start an elevated command prompt (Run as administrator)

3. Use the following syntax to perform a silent install:

Syntax:

<installerPath>\Passcode2_0_1.msi /quiet INSTALLDIR=<installDirectoryPath> ENROLLMENTURL=<enrollmentURLpath>
Example: 
C:\users\admin\Downloads\Passcode2_0_1.msi /quiet INSTALLDIR="C:\SecureAuth Files\Passcode" ENROLLMENTURL=secureauth.company.com

The INSTALLDIR and ENROLLMENTURL properties are OPTIONAL

  • INSTALLDIR is only required when installing Passcode to a non-default location; the default location is C:\Program Files (x86)\Passcode
  • ENROLLMENTURL pre-fills the Add Account page with the URL when the end-user opens the application for the first time
    • The Add Account screen displays the notice "A web address has been provided by your administrator"; the end-user can still modify the pre-filled URL
    • If ENROLLMENTURL is specified on the command line, any accounts already provisioned on the end-user's machine are deleted, so omit it when re-running the installer on a machine whose accounts must survive
    • If SecureAuth998 is the app enrollment realm, only the domain name is required (e.g. secureauth.company.com); for any other realm, the full URL including the realm name is required (e.g. https://secureauth.company.com/secureauth2)
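
As an added example (not SecureAuth's own tooling), the following PowerShell script performs the silent install through msiexec, which is what running the .msi directly invokes, with a verbose install log and an exit-code check. It also applies the two caveats above: it builds the ENROLLMENTURL value by the SecureAuth998 rule, and it withholds ENROLLMENTURL when an install is already present so that provisioned accounts are not wiped. The SHA-256 value, the Authenticode policy, the paths and the realm name are assumptions, not values from the page.

```powershell
# Added example: silent deployment of Passcode 2.0.1 with msiexec, logging and exit-code handling.
# Not SecureAuth's script. Assumed/hypothetical: $ExpectedSha256, the Authenticode policy, the paths,
# and that SecureAuth998 is the name of the default app enrollment realm on your IdP.
param(
    [string]$MsiPath         = "C:\users\admin\Downloads\Passcode2_0_1.msi",
    [string]$InstallDir      = "C:\Program Files (x86)\Passcode",   # documented default location
    [string]$IdpHost         = "secureauth.company.com",
    [string]$EnrollmentRealm = "SecureAuth998",
    [string]$ExpectedSha256  = "",                                   # hypothetical: your own vetted hash
    [string]$LogPath         = (Join-Path $env:TEMP "Passcode_install.log")
)

$ErrorActionPreference = "Stop"

# Builds the ENROLLMENTURL value by the rule in the text: domain only for SecureAuth998,
# full https URL including the realm name for any other realm.
function Get-EnrollmentUrlValue {
    param([string]$IdpHost, [string]$Realm)
    if ($Realm -eq "SecureAuth998") { return $IdpHost }
    return "https://$IdpHost/$Realm"
}

if (-not (Test-Path -LiteralPath $MsiPath)) { throw "Installer not found: $MsiPath" }

# Integrity: compare against a hash recorded when the download was vetted (hypothetical value).
if ($ExpectedSha256) {
    $actual = (Get-FileHash -LiteralPath $MsiPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpper()) { throw "SHA-256 mismatch for ${MsiPath}: $actual" }
}

# Authenticity: refuse an unsigned or tampered package (assumes the vendor signs the MSI).
$sig = Get-AuthenticodeSignature -LiteralPath $MsiPath
if ($sig.Status -ne "Valid") { throw "Authenticode check failed ($($sig.Status)) for $MsiPath" }

# Equivalent of: Passcode2_0_1.msi /quiet INSTALLDIR="..." ENROLLMENTURL=...
$msiArgs = @("/i", "`"$MsiPath`"", "/quiet", "/norestart", "/l*v", "`"$LogPath`"", "INSTALLDIR=`"$InstallDir`"")

# ENROLLMENTURL deletes any accounts already provisioned on the machine, so it is only passed
# when no prior install is present (an existing install directory is used as the signal).
if (Test-Path -LiteralPath $InstallDir) {
    Write-Warning "Existing install at $InstallDir; omitting ENROLLMENTURL so provisioned accounts survive"
} else {
    $msiArgs += "ENROLLMENTURL=$(Get-EnrollmentUrlValue -IdpHost $IdpHost -Realm $EnrollmentRealm)"
}

$proc = Start-Process -FilePath "msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
switch ($proc.ExitCode) {
    0       { Write-Host "Passcode installed; log: $LogPath" }
    3010    { Write-Host "Passcode installed; a reboot is required (exit 3010)" }
    1641    { Write-Host "Passcode installed; the installer initiated a reboot (exit 1641)" }
    default { throw "msiexec exited with $($proc.ExitCode); see $LogPath" }
}
```

Run it from an elevated PowerShell session, as the wizard and command-line instructions both require. The exit codes 0, 3010 and 1641 are standard Windows Installer results; anything else is a failure and the /l*v log records which property or action caused it.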

Provisioning Steps


1. Start the Passcode client application from the Windows Start menu

The Passcode splash screen appears


If this is a fresh install, then the Add Account window opens

2. Provide the Server URL, which is the SecureAuth IdP App Enrollment / OATH Provisioning realm

If using SecureAuth998 as the app enrollment realm, then only the domain name is required (e.g. secureauth.company.com); if using a different realm for app enrollment, then the entire URL and realm name are required (e.g. https://secureauth.company.com/secureauth2)

3. Click Start

4. Follow the configured workflow, which may include Multi-Factor Authentication

The workflow shown in this example is Username + Password only (on the first page)


5. Set the PIN (if required in the App Enrollment Realm configuration) and click Enter

PIN values have the following restrictions:

  • Must not contain 4 repeating digits (e.g. '7777')
  • Must not be forward or backward sequential (e.g. '4567' or '7654')

6. Confirm the PIN, and click Enter again

The OTP Panel appears and the client application displays the one-time password (OTP) that can be used for Multi-Factor Authentication
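
As an added example (not SecureAuth's code), the following PowerShell function pre-checks a candidate PIN against the two restrictions listed in step 5, for instance in a help-desk script that tells a user why a PIN will be rejected before they submit it. The page does not state the PIN length or whether a sequence inside a longer PIN counts, so the function assumes digits only, at least four of them, treats "sequential" as the whole PIN being one ascending or descending run of consecutive digits, and flags four identical digits anywhere in the PIN; the sample PINs at the end are constructed.

```powershell
# Added example: pre-checks a candidate PIN against the two rules the page lists.
# Not SecureAuth's code; PIN length and partial-sequence handling are assumptions
# (digits only, at least four, whole-PIN sequence, four identical digits anywhere).
function Test-PasscodePin {
    param([Parameter(Mandatory)][string]$Pin)

    # Digits only, at least four (the length used in the page's examples)
    if ($Pin -notmatch '^\d{4,}$') { return $false }

    # Rule 1: no four identical digits in a row (e.g. 7777, or 17777 which contains 7777)
    if ($Pin -match '(\d)\1{3}') { return $false }

    # Rule 2: not forward or backward sequential (e.g. 4567 or 7654)
    $digits = @($Pin.ToCharArray() | ForEach-Object { [int]::Parse([string]$_) })
    $ascending  = $true
    $descending = $true
    for ($i = 1; $i -lt $digits.Length; $i++) {
        if ($digits[$i] -ne $digits[$i - 1] + 1) { $ascending  = $false }
        if ($digits[$i] -ne $digits[$i - 1] - 1) { $descending = $false }
    }
    if ($ascending -or $descending) { return $false }

    return $true
}

# Constructed sample PINs: the three on the left are rejected, the two on the right accepted
foreach ($candidate in '7777', '4567', '7654', '1357', '2580') {
    "{0}: {1}" -f $candidate, (Test-PasscodePin -Pin $candidate)
}
```

The check is a client-side courtesy only; the App Enrollment Realm still enforces its own PIN policy when the PIN is set, so a PIN this function accepts can still be refused by the server.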

Application Usage


When the application is opened, the OTP panel appears (after PIN entry, if required)

  • The OTP is either 6 or 8 digits long, depending on the admin configuration
  • The blue bar under the OTP digits shows how much time remains to use the OTP for login (the interval is configured by the admin)
    • The bar turns red when ten (10) seconds remain; when the time elapses, a new OTP is displayed
  • Click the Copy button to the right of the OTP to copy it to the clipboard for input into the login page
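
To make the rotation described above concrete, here is an added PowerShell example (not SecureAuth's code) that generates a time-based OATH code from a seed and reports how long the code remains valid, mirroring the blue/red bar. It assumes the standard OATH TOTP algorithm (RFC 6238: HMAC-SHA1 over the time-step counter, dynamic truncation, then modulo 10^digits); the page only states that codes are 6 or 8 digits and rotate on a configurable interval, so the demo seed and the 60-second step are constructed inputs rather than anything a real realm provisions. The self-check uses the published RFC 6238 reference vector.

```powershell
# Added example: OATH TOTP generation plus the remaining-time countdown the OTP panel shows.
# Not SecureAuth's code; assumes RFC 6238 with HMAC-SHA1. The demo seed, step and digit count
# are constructed inputs standing in for what the App Enrollment realm provisions.
function Get-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Seed,
        [int]$Digits = 6,
        [int]$StepSeconds = 60,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    )
    # Time-step counter T = floor(now / step), encoded as an 8-byte big-endian value
    $counter = [long][math]::Floor($UnixTime / $StepSeconds)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }

    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Seed)
    $hash = $hmac.ComputeHash($msg)
    $hmac.Dispose()

    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $bin = ((($hash[$offset] -band 0x7F) -shl 24) -bor ($hash[$offset + 1] -shl 16) -bor ($hash[$offset + 2] -shl 8) -bor $hash[$offset + 3])
    $code = $bin % [long][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

# Seconds left before the code rotates (the page says the bar turns red at 10 s)
function Get-TotpSecondsRemaining {
    param([int]$StepSeconds = 60, [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds())
    return $StepSeconds - ($UnixTime % $StepSeconds)
}

# Self-check against the RFC 6238 reference vector:
# ASCII seed "12345678901234567890", time 59 s, 30-second step, 8 digits -> 94287082
$rfcSeed = [System.Text.Encoding]::ASCII.GetBytes("12345678901234567890")
$vector  = Get-TotpCode -Seed $rfcSeed -Digits 8 -StepSeconds 30 -UnixTime 59
if ($vector -ne "94287082") { throw "TOTP self-check failed: got $vector" }

# Constructed demo seed (not a real provisioned value): 6 digits on a 60-second interval
$demoSeed  = [System.Text.Encoding]::ASCII.GetBytes("constructed-demo-seed-bytes")
$remaining = Get-TotpSecondsRemaining -StepSeconds 60
$colour    = if ($remaining -le 10) { "red" } else { "blue" }
"OTP {0} ({1} s left, bar {2})" -f (Get-TotpCode -Seed $demoSeed -Digits 6 -StepSeconds 60), $remaining, $colour
```

Two points the code makes visible: the seed is the only secret, which is why sharing it through a roaming profile (see Prerequisites) extends the set of machines that can mint valid codes; and a code is accepted only within its time step, so the remaining-seconds value is what decides whether a copied OTP will still be valid by the time it is pasted into the login page.
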
Toolbar

  • Home: Displays the OTP panel, which shows the OTPs for all accounts on domains that have been provisioned
  • Add Account: Opens the Add Account screen, allowing the user to provision an additional domain
  • Edit Accounts: Opens the Edit Accounts screen. From here, the user can rename, re-enroll, reorder, and delete accounts
  • Change PIN: Opens the PIN Selection screen, allowing the user to change the registered PIN
  • About: Opens the About screen, which displays the Passcode version number
  • Minimize and Quit: Minimizes the application window or exits the application

Edit Accounts Screen

  • Rename: Renames the provisioned account
  • Re-enroll: Clears out the provisioning data for the account and restarts the Provisioning process
  • Reorder: Drag the 3 bars to reorder the accounts listed on the OTP panel
  • Delete: Click to delete the provisioned account

End-user Experience

In SecureAuth IdP 9.0.2+, when the end-user is presented with the page of Multi-Factor Authentication methods, the method that was last selected and used in a successful login persists as the default method for the next login on the same device / browser


1. Initiate the login process on a realm that enables OATH OTPs as a second-factor option (configured on the Registration Methods tab of the realm)

2. Follow the configured workflow

3. Once on the Multi-Factor Authentication methods page, select Time-based Passcode from the list of options, and click Submit

By default, the listing for the Time-based Passcode option is followed by the text "SecureAuth OTP Mobile App"

However, this listing applies to all devices and browsers provisioned for Single (OATH Seed) mode – e.g. mobile apps, desktop apps, etc.

In environments that support more than one type of OTP app, the end-user may not know this option also applies to desktop OTP apps

For these scenarios, SecureAuth recommends replacing the SecureAuth OTP Mobile App label with a more generic name, e.g. SecureAuth OTP App, to improve the end-user experience and to minimize confusion
 

4. Start the Passcode app

5. If a PIN is required to unlock the app, input the PIN and click Enter

6. On the account tile, click Copy to grab the passcode

7. Paste the passcode from the app onto the login page, and click Submit to gain access to the realm

Optional Configuration Steps (Content Change)

These configuration steps can be applied to any Passcode app provisioned for OATH Seed (Single) mode (based on Multi-Factor App Enrollment Realm configurations)

SecureAuth recommends making these modifications before end-users enroll their browsers / devices to avoid any caching issues on the client-side pages

1. In the Advanced Settings section, click Content and Localization

2. In the Verbiage Editor, search for the registrationmethod_oath2 field and alter the content, e.g. SecureAuth OTP App

3. Click Save once the configurations have been completed and before leaving the Content and Localization page to avoid losing changes

Example Output

On the Registration Methods page, the option now displays as Time-based Passcode - SecureAuth OTP App

The Time-based Passcode - SecureAuth OTP Mobile App option covers all devices and browsers that are provisioned for OATH Seed (Single) mode; therefore, if more than one OTP app is in use (mobile apps, desktop apps, etc.), a generic name such as SecureAuth OTP App is recommended

Release Notes

Version 2.0.1

Released on February 23, 2017

Resolved Issue
OTP-40: Token registration fails when inline initialization is enabled in the provisioning realm (typically 998)

6 Comments

  1. Anonymous

    I have a Nokia Lumina tablet running Windows 8.1 Mobile. I am not able to find a SecureAuth OTP client to download in the Windows Store. A SecureAuth rep emailed a link to a product to download, which I did. However, it was in a format that Windows 8 Mobile could not expand. Am trying to find if there is a SecureAuth client for Windows 8 mobile devices (and specifically Nokia Lumina tablets, which are NOT Windows Phones). I would have gotten a Surface but Verizon is my Wireless carrier and the new Surface tabs won't work with its G4 service (besides, Microsoft owns Nokia).

  2. You did not provide a specific Lumina model however most run Windows RT which we do not have a client application for at this time. 

    --

    Ryan Terp
    Support Engineer
    SecureAuth Corporation
  3. Anonymous

    It is a 2520. Your dashboard does not permit me to sign up for a new account, but at least one of your customers eagerly would await a client for Windows RT. Am tired of trying to do business stuff on my iToy, and already have a great notebook computer. Besides, Windows Ultrabooks don't work with Verizon 4G service. Hence the tablet. It does most everything else I want – but only with my own Microsoft Office 365 setup, not my work's. They require OTP to get to OWA. Please develop a client or a way to port it.

  4. The 2520 does use Windows RT. I will submit a feature request to our development team for a Windows RT version of the client. 

  5. Anonymous

    Is there a way to extend the OTP length to 8?

    1. Yes, the length can be extended to 8 if desired, Registration Method > OATH Settings > OATH Length.