How to import and enroll Feitian Hardware Keys (HOTP)

Last modified on 18 Jan, 2021. Revision 6
How to import and enroll Feitian Hardware Keys (HOTP)Prerequisites: EasyAccess server 3.x installed and running. Selfservice and/or MFA admin configured. Feitian OTP Tool: Feitian key that supports HOTP 
Up to date for
Easyaccess 3.x
Status OK

Preparingkey to be imported toEasyAccess

First we must gather the serial number and key from the Feitian key. This can be done with the Feitian OTP Tool. Start the tool and plugin youFeitian key, it should look something like this:

Nextweneed to generate a new HOTPclick the “Random data” buttonfollowed by “Save”. It shouldnowlook likethis:

Next the Serialnumber and Keyneeds to be saved to a .csvfile in the following format:HOTP;serial;key;counterExample:HOTP;0001161175088;D9B24C68B3FCD22909CECD2A0C235D831EF3253F;0

Importing the CSV file in EasyAccess

On the filesystem in /server foldertherearetwo folders /tokensin and /tokensout. To import a token the CSV filecreated in the first step needs to be placed in the /tokensin folder. The import willautomatically and when the import is done the filewill be moved to the /tokensout folder. Therewillalso be a log event generated and it looks like this:2021-01-11 13:23:03,832 [EVENT]  INFO: Jan 11 2021 13:23:03.819 CET mfa-node1 CEF:0|PhenixID|PAS|3.2.0|EVT_000101|Hardware Tokens imported from CSV file|2|The import is nowdone and all is leftnow is to enrollthe token on a user.

Enrolling the Feitian token. 

Therearetwowaysofenrolling a hardware token:<ol><li>Via self service i.e. the end userenrolls the token themselves.</li><li>An adminenrolls the token on behalf of the end user.</li></ol>Here is how it looks via Self Service:

Click the “Register hardware token”button:

Fill in theSerialNumberthatwasgeneratedbeforeeither byentering theserialmanually or byholding thebutton/touch on theFeitiankey for 3seconds.Clicknext.

Nextenter a OTP from theFeitiankey bypressing thebutton/touch on theFeitiankey.Clicknext and the tokenshouldnow beenrolled

Here ishow it looks from MFAAdmin under the “Hardware tokenAdmintab:

Click thepentoedit a token,youcansearch onserialnumber.

Hereyoucan set the statusof the token andwhatuser the token isassigned to.Click save toactivate.

Other alternatives to enroll a Feitian key

Therearetwomoremethods to enroll a Feitian key:<ol><li>Whenimporting the key on EasyAccess</li></ol><ol><li>Firsttime the user authenticates.</li></ol>Thesemethodsaremoreautomatic for the end user and adminof the system. In methodnumberoneweneed to add the user information to the CSV fileinsteadofthis format:HOTP;serial;key;counterWe use:HOTP;serial;key;counterassigned_usernameExample:HOTP;0001161175088;D9B24C68B3FCD22909CECD2A0C235D831EF3253F;0:testuser2Thiswouldautomaticallyassign the token to testuser2 and activate it. It would look like this on the Hardware Token Tabwhen the token has been imported:

Second methodrequires the end user to enter the serialnumber and OTP at first loginThisrequires the token to have the Status “Active” and weneed to addsomeconfiguration to the authentication flow.First set the token status to active via Hardware Token Admin and click save:

Add  the followingconfiguration to your “Verify token otp” pipe:

Set “Enable auto enroll” to true and add a TokenAutoEnrollment valve. Next the end usermust login to complete the enrollment.

Related articles

No related articles found.