
Hardware token

This administration page is only available to the administrator of a client.

Instead of the usual two-factor authentication via email or app, you can also set up authentication for your client's users using OTP tokens (one-time password tokens). This offers even greater security, because the second factor is a physical hardware token that is difficult for third parties to access.

Set up hardware token as login method

To set up such a hardware token as a login method for a user, first click on Add. Then select the user in the drop-down list for whom the token is to be set up and enter the serial number of the token (the number can usually be found on the back of the token).

Token Secret

Next, enter the token secret associated with the hardware token. konfipay requires the token secret in order to generate OTP codes.

You will receive this token secret from the manufacturer of the hardware token. Please note that the token manufacturer often only provides the token secret for a limited period of time (e.g. 30 days after ordering). It is essential that you save or store the Token Secret in a safe place within this period. If the Token Secret is lost, the hardware token cannot be set up again. Therefore, keep the Token Secret for as long as the hardware token is to be used.

Further settings

In the next step, enter the encoding format and algorithm used by the hardware token. This information can usually be found in the accompanying documentation from the hardware token manufacturer.

Also enter the time interval for which an OTP code is valid. You will also find this information in the documentation accompanying the hardware token - as well as the length of an OTP code, which you enter next.

The expiration date is for information purposes only and represents the lifetime of the hardware token battery expected by the manufacturer. This information can also be found in the accompanying documents. If the expiration date is properly entered, you can quickly see in the future which hardware tokens need to be replaced due to their age.

Check OTP code

Once you have set up a hardware token, you can check if it’s working by selecting the corresponding user/token in the list and clicking on Check OTP code. You can then enter an OTP code as a test and check whether it is accepted.

If the setup was successful, konfipay will report that the verification of the one-time password (OTP) was successful.

Transfer hardware token to another user

It is possible to pass on a hardware token that has already been set up to another user if, for example, the previous user leaves your company.

To do this, select the token in the list of hardware tokens and click on Edit. Select the new user from the drop-down list and click on Save.

Deactivate login with hardware token

The two-factor authentication of a user with a hardware token can only be deactivated by the administrator of a client. To do this, you must delete the stored hardware token by selecting the hardware token in the list and clicking on Delete. The user's two-factor authentication is then reset to the last method used (email or app).

Compatible hardware tokens

You can use various hardware tokens from different manufacturers for two-factor authentication in konfipay. All TOTP (Time-based One-time Password) tokens that generate passwords according to the OATH standard are supported.

konfipay is flexible in terms of the length of the two-factor code and the interval at which new passwords are generated. Likewise, konfipay supports various algorithms and encoding formats for keys.

The various options are shown in the table below. If your hardware token fulfills one of the possible options from the various categories, you can use the token for two-factor authentication in konfipay without any problems.

| Category | Supported options in konfipay |
| --- | --- |
| Algorithm | SHA1, SHA256, SHA512 |
| Encoding format | Base32, Base64 |
| Length of the auth code (number of digits) | 6, 7, 8, 9, 10 |
| Interval for generating a new code | 30 seconds, 60 seconds |
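
The four categories above are the inputs of the TOTP calculation defined in RFC 6238. The following Python example is added here and is not konfipay code: it computes the code a token should display for a given secret and parameter set, so the values from the manufacturer's documentation can be confirmed before they are entered. The function names and the drift allowance are assumptions of this example, and the key shown is the published RFC 6238 test key, not a real token secret.

```python
import base64
import hashlib
import hmac
import struct

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def decode_secret(secret: str, encoding: str) -> bytes:
    """Turn the token secret as delivered (text) into the raw HMAC key."""
    text = "".join(secret.split())  # drop spaces/newlines from copy and paste
    if encoding == "Base32":
        text = text.upper()
        return base64.b32decode(text + "=" * (-len(text) % 8))
    if encoding == "Base64":
        return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    raise ValueError("encoding must be Base32 or Base64")

def totp(key: bytes, unix_time: int, algorithm: str = "SHA1",
         digits: int = 6, interval: int = 30) -> str:
    """RFC 6238 code for the time step that contains unix_time."""
    if algorithm not in ALGORITHMS or not 6 <= digits <= 10 or interval not in (30, 60):
        raise ValueError("parameter outside the options listed in the table")
    counter = int(unix_time) // interval
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def check_otp(code: str, key: bytes, unix_time: int, drift_steps: int = 1, **params) -> bool:
    """Accept the code for the current step or drift_steps steps either side.
    The drift allowance is an assumption of this example, not documented konfipay behaviour."""
    interval = params.get("interval", 30)
    expected = (totp(key, unix_time + d * interval, **params)
                for d in range(-drift_steps, drift_steps + 1))
    return any(hmac.compare_digest(code, e) for e in expected)  # constant-time per comparison

if __name__ == "__main__":
    import time
    # Constructed input: the published RFC 6238 test key, not a real token secret.
    key = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "Base32")
    print(totp(key, int(time.time()), "SHA1", digits=6, interval=30))
```

If the computed code does not match the token's display, the usual causes are a wrong algorithm, encoding format, code length or interval, or a token clock that has drifted.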
