Hardware Tokens

Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security

A hardware token is a physical device with a built-in token that your users can use for authentication. You can purchase WatchGuard hardware tokens or you can use third-party hardware tokens with AuthPoint. To use hardware tokens with AuthPoint, you must:

  1. Buy supported hardware tokens from WatchGuard or a third-party vendor.
  2. Import hardware tokens to AuthPoint.
  3. Assign hardware tokens to users.
  4. Activate hardware tokens.

Each AuthPoint user can have up to 20 software tokens and any number of hardware tokens.

For RADIUS authentication, hardware tokens support the PAP protocol only. Hardware tokens do not support RADIUS authentication with the MS-CHAPv2 protocol.

You cannot use WatchGuard hardware tokens with third-party MFA services. You can only use WatchGuard hardware tokens with AuthPoint MFA.

Supported Hardware Tokens

Hardware tokens must meet these requirements:

  • Response Format — Six-digit time-based OTP that includes only numbers with a 30 or 60-second time interval
  • Algorithm — OATH time-based OTP (RFC 6238)
  • Seed Delivery — OATH PSKC file (RFC 6030)

WatchGuard hardware tokens are automatically associated with your account, so you do not need a seed file. This makes the process to import tokens safer and easier.

Import Hardware Tokens to AuthPoint

You must import hardware tokens to your AuthPoint account. The import process is different for WatchGuard hardware tokens and third-party hardware tokens.

WatchGuard Hardware Tokens

To import WatchGuard hardware tokens, you provide the serial number of an individual hardware token or a box of hardware tokens. You can import a WatchGuard hardware token into multiple accounts. You might do this if you have an administrative or support user in several managed accounts.

Third-Party Hardware Tokens

To import third-party hardware tokens into AuthPoint, you must upload a seed file and provide a key. You receive the seed file and key from your hardware token vendor. The seed file must be encrypted.

  • Seed File — The seed file is a Portable Symmetric Key Container (PSKC) file that is used to import hardware token information into AuthPoint. This file contains device information for each hardware token. The accepted file types for a seed file are .XML, .PSKC, .TXT, and .VIP.
  • Key — The key is used to decrypt the seed file so AuthPoint can validate the one-time passwords (OTPs) that the hardware tokens generate. The key can be a string of characters that you type in AuthPoint or a file that you upload. The accepted file types for a key file are .TXT and .BIN.
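A pre-import check for a third-party seed file, as an added example that is not WatchGuard code and does not reproduce AuthPoint's own validation. It assumes the seed file is RFC 6030 PSKC XML, and it tests each key package against the requirements listed under Supported Hardware Tokens plus the rule that the seed must be encrypted. The function name, serial numbers and sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:ietf:params:xml:ns:keyprov:pskc"}       # RFC 6030 namespace
TOTP_URI = "urn:ietf:params:xml:ns:keyprov:pskc:totp"   # OATH TOTP profile

# Constructed sample: one compliant package, one that fails every check.
SAMPLE = """<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <KeyPackage>
    <DeviceInfo><SerialNo>EXAMPLE-0001</SerialNo></DeviceInfo>
    <Key Id="k1" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
      <AlgorithmParameters><ResponseFormat Length="6" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data><Secret><EncryptedValue><xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData></EncryptedValue></Secret>
        <TimeInterval><PlainValue>30</PlainValue></TimeInterval></Data>
    </Key></KeyPackage>
  <KeyPackage>
    <DeviceInfo><SerialNo>EXAMPLE-0002</SerialNo></DeviceInfo>
    <Key Id="k2" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <AlgorithmParameters><ResponseFormat Length="8" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data><Secret><PlainValue>UExBQ0VIT0xERVI=</PlainValue></Secret></Data>
    </Key></KeyPackage>
</KeyContainer>"""

def check_pskc(xml_text):
    """Return {serial number: [problems]} for every KeyPackage in the file."""
    report = {}
    for n, pkg in enumerate(ET.fromstring(xml_text).findall("p:KeyPackage", NS), 1):
        serial = pkg.findtext("p:DeviceInfo/p:SerialNo", default=f"package-{n}", namespaces=NS)
        key = pkg.find("p:Key", NS)
        if key is None:
            report[serial] = ["no Key element"]
            continue
        problems = []
        # Algorithm: OATH time-based OTP (RFC 6238)
        if key.get("Algorithm") != TOTP_URI:
            problems.append("algorithm is not OATH TOTP")
        # Response format: six digits, numbers only
        fmt = key.find("p:AlgorithmParameters/p:ResponseFormat", NS)
        if fmt is None or fmt.get("Length") != "6" or fmt.get("Encoding") != "DECIMAL":
            problems.append("response format is not six decimal digits")
        # Time interval: 30 or 60 seconds
        step = key.findtext("p:Data/p:TimeInterval/p:PlainValue", default="", namespaces=NS)
        if step.strip() not in ("30", "60"):
            problems.append("time interval is not 30 or 60 seconds")
        # The seed must arrive as EncryptedValue, never as PlainValue
        secret = key.find("p:Data/p:Secret", NS)
        if secret is None or secret.find("p:EncryptedValue", NS) is None:
            problems.append("seed is not encrypted")
        report[serial] = problems
    return report
```

An empty list for a serial number means that package passed all four checks; a package that reports "seed is not encrypted" carries its secret in clear text and should go back to the vendor rather than into an import.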

If you are a Service Provider, make sure that you import the hardware tokens to the AuthPoint account that will use them.

After you import your hardware tokens to AuthPoint, you must assign the tokens to users and then activate the tokens.

If you have configured the IdP portal, users can activate their own hardware tokens from the IdP portal. For more information, see Activate a Hardware Token.

Assign a Hardware Token to a User

You can assign hardware tokens to a user from the Hardware Tokens page or the Users page.

When a user activates hardware tokens from the IdP portal, AuthPoint automatically assigns the activated tokens to the user that activated them.

Activate a Hardware Token

After you assign a hardware token to a user, you must activate the token before it can be used for authentication. You can activate hardware tokens from the Hardware Tokens page or the Users page.

Users can also activate their own hardware tokens from the IdP portal. When a user activates hardware tokens from the IdP portal, AuthPoint automatically assigns the activated tokens to the user that activated them.

Authentication with Hardware Tokens

You can use hardware tokens to authenticate with an OTP. You authenticate with hardware tokens the same way you authenticate with the software tokens on your phone. When you access a resource that requires authentication, select the option to authenticate with OTP and type the OTP shown on your hardware token.

For more information, see About Authentication.

Filter the Hardware Tokens List

You can apply filters to the list of hardware tokens so that it is easier to see specific tokens. You might do this after you import a large number of hardware tokens if you want to see only specific tokens in the list, such as unassigned tokens or tokens that have a specific status.

To apply filters to the hardware tokens list:

  1. Click the filter icon.
    The Filter Hardware Tokens window appears.
  2. Select the filters you want to apply. You can select multiple filters.
  3. Click Apply Filters.

Each filter that you apply appears at the top of the hardware tokens list. To remove a filter, click the remove icon next to the filter label.


Related Topics

Hardware Token Import Details

Sync Hardware Tokens

About Authentication

Block a User or Token

Add New Software Tokens

Activate a Token