Binding devices to user accounts
Binding HOTP and TOTP devices via the Admin console differs depending on whether key fob hardware or mobile apps are used.
Binding of hardware key fobs
To use hardware HOTP and TOTP devices for authentication, the administrator must first upload a file with the descriptions of the device batch received from the device vendor in the “Devices” menu of the Admin Console. The file contains the serial number, initialization vector, and a number of other settings for each device. Blitz Identity Provider supports the common device description file formats (specialized XML files, CSV files) used by different device manufacturers.
To upload a file, specify a name for the uploaded generators (for example, the device name), the data format, and the path to the file with the device descriptions. When you click the “Download” button, Blitz Identity Provider reports how many device records were loaded and how many were discarded (because their description in the file was incorrect or the device record is already present in the system).
An example of a file in the Aladdin/SafeNet XML format that can be uploaded for HOTP devices using the SHA-1 algorithm, with a minimal set of parameters:
<?xml version="1.0" encoding="utf-8"?>
<Tokens>
  <Token serial="SN123">
    <Applications>
      <Application>
        <Seed>7bba106e428231c4d4e78361375d161c2d59b40b</Seed>
        <MovingFactor>0</MovingFactor>
      </Application>
    </Applications>
  </Token>
</Tokens>
Explanation of the parameter values in the file:
serial - serial number of the device.
Seed - the device key in hexadecimal (hex) format.
Note: if a software one-time code generator is used to emulate a HOTP device, the secret is usually entered into the software generator as a Base32 string. In this case, the value from Seed must be converted from hex to Base32, and the resulting value must be used in the software generator.
MovingFactor - initial counter value of the generator (usually 0).
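To make the Seed handling concrete, here is an added example (not part of Blitz Identity Provider or its documentation) in Python that parses a token file in the layout above, re-encodes the Seed as the Base32 string a software generator expects, and computes the RFC 4226 HOTP code for the MovingFactor counter, i.e. the one-time code presented when binding the device. The serial number and Seed are constructed; the Seed is the RFC 4226 reference key rather than a real device key, and the record checks are this example's own, not the Admin Console's.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample in the Aladdin/SafeNet layout shown above. The Seed is the
# RFC 4226 reference key "12345678901234567890" in hex, not a real device key.
SAMPLE_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<Tokens>
  <Token serial="SN-TEST-1">
    <Applications>
      <Application>
        <Seed>3132333435363738393031323334353637383930</Seed>
        <MovingFactor>0</MovingFactor>
      </Application>
    </Applications>
  </Token>
</Tokens>"""


def parse_tokens(xml_bytes):
    """Return {serial: (seed_bytes, moving_factor)}, skipping malformed records
    (no serial, Seed not valid hex, or Seed length not a 20-byte SHA-1 key)."""
    tokens = {}
    for token in ET.fromstring(xml_bytes).iter("Token"):
        serial = token.get("serial")
        app = token.find("Applications/Application")
        if not serial or app is None:
            continue
        try:
            seed = bytes.fromhex((app.findtext("Seed") or "").strip())
        except ValueError:
            continue
        if len(seed) != hashlib.sha1().digest_size:
            continue
        counter = int(app.findtext("MovingFactor") or "0")
        tokens[serial] = (seed, counter)
    return tokens


def seed_to_base32(seed):
    """Re-encode the hex Seed as the Base32 string a software generator expects."""
    return base64.b32encode(seed).decode("ascii")


def hotp(seed, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)
```

Running `hotp(seed, counter)` on the parsed record yields the code that a generator initialised with `seed_to_base32(seed)` shows for its first counter value.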
Under “Devices” you can also search for a device by serial number and see whether, and to which account, the device has been bound.
After loading the file you should:
go to the account of the user to whom you want to bind the device (menu “Users”, see Binding devices for 2FA with a one-time password);
find the “Time-based password generator (TOTP)” or “Secret-based password generator (HOTP)” section;
select “Another type”;
enter the serial number of the required device and the current one-time confirmation code.
Binding a mobile application
To bind a mobile application you must:
go to the account of the user to whom you want to bind the mobile application (menu “Users”, see Binding devices for 2FA with a one-time password);
find the section “Time-based password generator (TOTP)”;
select “GoogleAuthenticator”;
edit the name of the mobile application, if necessary;
using the mobile application, scan the displayed QR code or enter the secret string into the application.
The user can also link a TOTP-generating mobile application independently in the “User profile” web application.