LinOTP + SafeNet eToken PASS Time-based


nick.e....@gmail.com

Sep 21, 2015, 4:44:14 PM
to LinOTP
I've just received a shipment of SafeNet eToken PASS devices, SHA256, and they are time-based devices. I also received the PSKC.xml file, and imported the file into LinOTP. The import appears to be successful - I now have a list of tokens that correspond to serial numbers on the back of the physical tokens.

I've assigned one of these tokens to a user account in the system, and am trying to authenticate with it, but not having any success. Note that I routinely use Google Authenticator for HMAC Time-based soft tokens, and the system works fine, so, I believe I have everything set up correctly, I'm just not sure why I'm unable to authenticate with the OTP value on this token.

I did set a PIN, and I do have challenge/response set up. If I enter the username and then the PIN for the password, I get prompted for the OTP value - I enter the current value on the token, and am told that authentication fails. The logs don't seem to have anything useful as to why authentication fails.

Anyone have any hints? Anything I'm missing?

-Nick

nick.e....@gmail.com

Sep 21, 2015, 5:25:33 PM
to LinOTP, nick.e....@gmail.com
One other thing - and I don't know if it has any significance or not - the "Type" column on these tokens shows up as "HMAC." While they are HMAC tokens, they are not the event-based ones, they are time-based, so I'm not sure if HMAC is the correct type or if they should be TOTP.

nick.e....@gmail.com

Sep 24, 2015, 8:35:52 PM
to LinOTP
For anyone else out there who might be in the same boat, it looks like SafeNet has changed some things with their newer tokens. In particular, the PSKC.xml files they deliver do not properly specify the token as a TOTP device. When you import these tokens into LinOTP they show up as HMAC tokens. In my case I was able to log into the PostgreSQL database that stores my token info and update the column that stores the Type value from HMAC to TOTP for the rows that represent my physical, SafeNet eToken time-based devices. After doing that and performing a resync of the tokens they are working great.

This is a huge win for us - what would have cost $30K-$50K USD for us using an unnamed commercial OTP provider is going to cost $1500-$3000 with LinOTP - and that cost is just the cost of the physical tokens!
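
A pre-import check for the mismatch described in the post above, as an added example that is not from any poster in this thread or from the LinOTP project: it lists, per serial number, which algorithm a PSKC file declares, so tokens ordered as time-based but declared otherwise are caught before import. It assumes the RFC 6030 PSKC layout and that the importer takes the token type from the `Algorithm` attribute; the sample file, serial numbers and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:ietf:params:xml:ns:keyprov:pskc"}  # PSKC namespace (RFC 6030)
TYPES = {NS["p"] + ":hotp": "HOTP", NS["p"] + ":totp": "TOTP"}

# Constructed sample, not a vendor file: serials and layout are made up.
# The first key is declared event-based yet carries a time step.
SAMPLE_PSKC = """<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo><SerialNo>EXAMPLE0001</SerialNo></DeviceInfo>
    <Key Id="EXAMPLE0001" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <AlgorithmParameters><Suite>HMAC-SHA256</Suite></AlgorithmParameters>
      <Data><TimeInterval><PlainValue>30</PlainValue></TimeInterval></Data>
    </Key>
  </KeyPackage>
  <KeyPackage>
    <DeviceInfo><SerialNo>EXAMPLE0002</SerialNo></DeviceInfo>
    <Key Id="EXAMPLE0002" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
      <AlgorithmParameters><Suite>HMAC-SHA256</Suite></AlgorithmParameters>
      <Data><TimeInterval><PlainValue>30</PlainValue></TimeInterval></Data>
    </Key>
  </KeyPackage>
</KeyContainer>"""


def audit_pskc(xml_text, expected="TOTP"):
    """Return (serial, declared_type, has_time_data, mismatch) per key package."""
    rows = []
    for pkg in ET.fromstring(xml_text).findall("p:KeyPackage", NS):
        serial = pkg.findtext("p:DeviceInfo/p:SerialNo", default="?", namespaces=NS)
        key = pkg.find("p:Key", NS)
        if key is None:  # package without key material: nothing to classify
            continue
        declared = TYPES.get(key.get("Algorithm", ""), "UNKNOWN")
        # Time, TimeInterval and TimeDrift only make sense for time-based tokens.
        has_time = any(key.find(f"p:Data/p:{t}", NS) is not None
                       for t in ("Time", "TimeInterval", "TimeDrift"))
        rows.append((serial, declared, has_time, declared != expected))
    return rows


def mismatched_serials(xml_text, expected="TOTP"):
    """Serial numbers whose declared type differs from what was ordered."""
    return [r[0] for r in audit_pskc(xml_text, expected) if r[3]]


if __name__ == "__main__":
    for row in audit_pskc(SAMPLE_PSKC):
        print("serial=%s declared=%s time_data=%s mismatch=%s" % row)
```
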

Angel T

Feb 29, 2024, 9:23:45 AM
to LinOTP
Is it possible to use some software TOTP Windows apps instead of the SafeNet eToken Pass hardware token?