Users assigned a hardware token can authenticate using a dynamic password (a number generated by the hardware token device) in response to an Identity as a Service challenge. When using RADIUS authentication, tokens support PAP/CHAP/MSCHAP and EAP.
Identity as a Service supports the following hardware token types:
● Time-based token (OT)—Generates a new OTP every 30 seconds.
● Time-based token (AT)—Generates a new OTP using the current time as an input each time the button is pressed.
● Event-based token—Generates a new OTP each time the button is pressed.
● TokenCR—Generates a new OTP based on the token challenge displayed by IDaaS and entered into the token by the user.
Identity as a Service supports the following hardware tokens:
● Entrust Legacy Tokens—Entrust AT Mini Tokens for customers who use Entrust Legacy tokens and are migrating from Entrust Identity Enterprise to Identity as a Service. See Modify Entrust legacy token settings.
● Hardware Tokens—OATH tokens that support a standard seed file. This includes Entrust CR C200 and C300 tokens, NagraID Display Cards, Yubico Yubikeys, and TokenCRs. See Modify hardware token settings.
To use a TokenCR (Token Challenge/Response) hardware token, you additionally need to create a custom user login authentication flow that uses Token/Challenge Response for second-factor authentication. See Create authentication flows.
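The time-based and event-based token types listed above map onto the public OATH algorithms TOTP (RFC 6238) and HOTP (RFC 4226). The following added example, which is not Entrust code and does not describe how Identity as a Service verifies tokens internally, shows how both OTPs derive from a token seed and how a verifier can tolerate extra button presses or clock drift while rejecting replayed codes. The seed is the RFC 4226 test key; the `look_ahead` and `drift_steps` values and all class and function names are assumptions made for illustration. TokenCR is not covered.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the event-based OTP for one counter value."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed steps."""
    return hotp(seed, unix_time // step, digits)

class EventTokenVerifier:
    """Verifier for an event-based token (hypothetical helper, not a product API)."""

    def __init__(self, seed: bytes, counter: int = 0, look_ahead: int = 3):
        self.seed, self.counter, self.look_ahead = seed, counter, look_ahead

    def verify(self, otp: str) -> bool:
        # Accept a small look-ahead window: the user may have pressed the
        # button without logging in, so the token can be ahead of the server.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), otp):
                self.counter = c + 1  # matched and skipped counters are now dead
                return True
        return False

def verify_totp(seed, otp, unix_time, last_step=-1, drift_steps=1, step=30):
    """Return the matched time step, or None if the OTP is wrong, stale or reused.

    The caller stores the returned step as last_step so the same OTP cannot
    be accepted twice inside its validity window.
    """
    now = unix_time // step
    for s in range(now - drift_steps, now + drift_steps + 1):
        if s > last_step and hmac.compare_digest(hotp(seed, s), otp):
            return s
    return None

# Constructed sample seed: the published RFC 4226 test key, not a real token seed.
SEED = b"12345678901234567890"
```

A look-ahead or drift window trades usability against guessing resistance: each extra accepted counter or time step is one more valid code at any moment, so keep windows small and pair them with attempt lockout.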
Topics in this section include:
● Modify Entrust legacy token settings
● Modify hardware token settings