
Hardware-based MFA tokens: Token2 main use cases and solutions

Multi-factor authentication (MFA) tokens like Token2’s programmable TOTP tokens and USB security keys offer secure hardware authentication with UserLock MFA. Here’s how.

Updated October 3, 2023

Mobile authenticator apps (software authenticators) are an easy and cost-effective way to add a strong second factor. But there are cases where an authenticator app is not a good fit.

For example, a user may refuse to use a personal phone for work authentication. Or IT may run up against internal policy, government laws and regulations, or environmental constraints, such as a factory floor where mobile phones are banned to reduce the risk of explosion.

IS Decisions partners with Token2 to allow hardware devices as the second factor for secure user authentication with UserLock.

Token2 and hardware MFA tokens

Token2 is a Swiss company specializing in multifactor authentication hardware devices. Originally, Token2 was actually part of a multifactor authentication research project at the University of Geneva. The project led to the spin-off startup company in 2013. Now, Token2 supplies hardware tokens to organizations such as Microsoft, RedHat, the U.S. Government, the Government of Geneva, Valais and Vaud, along with many European and U.S. universities, and more.

Token2 provides two different types of hardware authenticators that can be used as an MFA method with UserLock to protect your Active Directory identities.

Programmable TOTP tokens

Token2 programmable TOTP tokens come in several variations and form factors, but they all work on the same principle: they are a drop-in replacement for a software authenticator app and are deployed the same way.

When the UserLock MFA wizard prompts you to scan a QR code with a mobile app, you can use a hardware TOTP token instead: scan the QR code with one of Token2's provisioning apps (the NFC burner app for NFC-programmable tokens, or the USB Config tool for USB-programmable ones). Nothing else is needed for subsequent logins; the hardware token then works as a standalone, offline OTP generator.

[Figure: Token2 programmable TOTP token]

Read the doc: How to enroll and use Token2 programmable TOTP tokens with UserLock MFA

USB security keys

Starting from version 11, UserLock natively supports Token2 T2F2 security keys (second generation only: ALU/AZ and NFC) by using the HOTP functionality of these keys. The concept is similar to the TOTP tokens, but both the provisioning and the login procedures differ.

[Figure: UserLock-compatible Token2 security key]

First, no additional device or app is needed with USB security keys: provisioning is handled natively by the UserLock agent.

Second, no sensitive information is handed to the user. This contrasts with TOTP provisioning, where the QR code itself contains the shared secret used to generate the OTP codes, so anyone who captures the QR image (a screenshot, a photo, a phone's camera roll) can generate valid codes for that account. With HOTP provisioning, the secret is written directly onto the device by the agent and never leaves that path. The user experience is also better, both during provisioning and at login.

During the MFA enrollment process, if a compatible Token2 key is detected, the system will display a "Link Token2” button to start the process.

[Figure: Provisioning a T2F2 ALU security key]

Logging in with a Token2 USB security key is even easier. When the MFA prompt asks for the OTP, pressing the physical button on the key is enough to log in: the key types the OTP digits into the field and submits it, because by default the keys are configured to send "Enter" after the digits. Each press advances the key's internal counter, so a code that has already been used is not accepted again.
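The two mechanisms above, TOTP provisioning via QR code and HOTP login from a button press, rest on the same RFC 4226 HMAC construction. The following is an added example, not code from IS Decisions, UserLock or Token2: it parses a constructed otpauth:// URI of the kind a TOTP enrollment QR code encodes (showing that the shared secret is right there in the payload), generates TOTP codes from it the way the hardware token does, and then implements the server-side HOTP check with a look-ahead window, which is what lets a key that was pressed a few times without submitting a code still authenticate while preventing replay of an already-used code. The secret values are test data (the RFC 4226 test secret and a made-up base32 string); none of them are issued by any real product.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample of what a TOTP enrollment QR code typically encodes.
# The secret is a made-up test value, not anything issued by UserLock or Token2.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/UserLock:alice%40example.local"
    "?secret=JBSWY3DPEHPK3PXP&issuer=UserLock&algorithm=SHA1&digits=6&period=30"
)

# RFC 4226 appendix D test secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def parse_otpauth(uri):
    """Parse an otpauth:// URI into its parameters. Returns a dict."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "type": parsed.netloc,
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],  # the shared secret, in clear, base32-encoded
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "counter": int(params["counter"]) if "counter" in params else None,
    }


def decode_secret(b32):
    """Decode the base32 secret; otpauth URIs usually omit '=' padding."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digestmod = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256,
                 "SHA512": hashlib.sha512}[algorithm]
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, int(at_time) // period, digits, algorithm)


def verify_hotp(secret, submitted, server_counter, look_ahead=10, digits=6):
    """Server-side HOTP check with a resync window.

    Returns the new counter to store on success, or None on failure.
    A key pressed a few times without the code being submitted runs ahead
    of the server counter; the look-ahead window absorbs that. On success
    the stored counter moves past the matching value, so the same code is
    never accepted twice (replay protection).
    """
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c + 1
    return None


def main():
    info = parse_otpauth(SAMPLE_OTPAUTH_URI)
    secret = decode_secret(info["secret"])
    # Anyone holding the QR image has these bytes and can mint valid codes.
    print("secret exposed by the QR payload:", secret.hex())
    print("TOTP right now:", totp(secret, time.time(), info["period"], info["digits"]))

    # Button-press HOTP login: key at counter 3 (pressed three times earlier
    # without submitting), server still at 0. The window resyncs and
    # advances the stored counter to 4; re-submitting the same code fails.
    code = hotp(RFC4226_SECRET, 3)
    new_counter = verify_hotp(RFC4226_SECRET, code, 0)
    print("first submission accepted, counter now:", new_counter)
    print("replay accepted?", verify_hotp(RFC4226_SECRET, code, new_counter) is not None)


if __name__ == "__main__":
    main()
```

The look-ahead window is the operational trade-off of HOTP: too small and a user who fidgets with the key locks themselves out, too large and an attacker gets more guesses per counter value. The TOTP side has the corresponding caveat that the generator and the verifier must agree on time, which is why a standalone hardware token's clock drift matters.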

[Figure: How to log in with a Token2 security key]

Read the doc: How to enroll and use Token2 USB security keys with UserLock MFA

Two-factor authentication & access management with UserLock

With UserLock, admins can secure access to on-premises Active Directory and cloud apps with 2FA via hardware tokens and keys from YubiKey or Token2.
