All SecurEnvoy customers can utilise the latest Soft Token at no additional cost. This allows users who may have issues with SMS deliverability to use a soft token, or for customers who wish to manage and reduce their existing SMS costs.
This is the same for other authenticator apps such as Microsoft Authenticator. While we support the use of 3rd party Authenticator apps, we recommend using the SecurEnvoy Authenticator app as it provides push notification functionality and enhanced copy protection.
Soft token applications are available for all major mobile and desktop operating systems, including iPhone, BlackBerry, Android, Mac OS X, Windows Phone 7, 8, 10, and more. They allow users to move seamlessly and securely between devices, with no additional cost or helpdesk input required. Any previous device can be deleted, rendering it safe to sell or dispose of.
The simplified management capabilities offered by soft tokens mean IT administration demands are significantly reduced. Not only does automated user deployment make enrolment easier, it also lessens the ongoing burden for IT. This places the user in control of which device they use and the type of authentication method they prefer.
User deployment can be based on group membership, OU or any other LDAP filter. Advanced soft token solutions (like ours) will also have a reporting function, providing detailed information about what mode of operation each user is set up for, allowing administrators to easily control and monitor their two-factor authentication estate.
Because software tokens are something one does not physically possess, they are exposed to unique threats based on duplication of the underlying cryptographic material - for example, computer viruses and software attacks. Both hardware and software tokens are vulnerable to bot-based man-in-the-middle attacks, or to simple phishing attacks in which the one-time password provided by the token is solicited, and then supplied to the genuine website in a timely manner. Software tokens do have benefits: there is no physical token to carry, they do not contain batteries that will run out, and they are cheaper than hardware tokens.[2]
The shared secret architecture is potentially vulnerable in a number of areas. The configuration file can be compromised if it is stolen and the token is copied. With time-based software tokens, it is possible to borrow an individual's PDA or laptop, set the clock forward, and generate codes that will be valid in the future. Any software token that uses shared secrets and stores the PIN alongside the shared secret in a software client can be stolen and subjected to offline attacks. Shared secret tokens can be difficult to distribute, since each token is essentially a different piece of software. Each user must receive a copy of the secret, which can create time constraints.
Some newer software tokens rely on public-key cryptography, or asymmetric cryptography. This architecture eliminates some of the traditional weaknesses of software tokens, but does not affect their primary weakness (ability to duplicate). A PIN can be stored on a remote authentication server instead of with the token client, making a stolen software token no good unless the PIN is known as well. However, in the case of a virus infection, the cryptographic material can be duplicated and then the PIN can be captured (via keylogging or similar) the next time the user authenticates. If there are attempts made to guess the PIN, it can be detected and logged on the authentication server, which can disable the token. Using asymmetric cryptography also simplifies implementation, since the token client can generate its own key pair and exchange public keys with the server.
OATH TOTP (Time-based One Time Password) is an open standard that specifies how one-time password (OTP) codes are generated. OATH TOTP can be implemented using either software or hardware to generate the codes. Microsoft Entra ID doesn't support OATH HOTP, a different code generation standard.
Software OATH tokens are typically applications such as the Microsoft Authenticator app and other authenticator apps. Microsoft Entra ID generates the secret key, or seed, that's input into the app and used to generate each OTP.
Some OATH TOTP hardware tokens are programmable, meaning they don't come with a secret key or seed pre-programmed. These programmable hardware tokens can be set up using the secret key or seed obtained from the software token setup flow. Customers can purchase these tokens from the vendor of their choice and use the secret key or seed in their vendor's setup process.
Microsoft Entra ID supports the use of OATH-TOTP SHA-1 tokens that refresh codes every 30 or 60 seconds. Customers can purchase these tokens from the vendor of their choice. Hardware OATH tokens are available for users with a Microsoft Entra ID P1 or P2 license.
OATH TOTP hardware tokens typically come with a secret key, or seed, pre-programmed in the token. These keys must be input into Microsoft Entra ID as described in the following steps. Secret keys are limited to 128 characters, which may not be compatible with all tokens. The secret key can only contain the characters a-z or A-Z and digits 2-7, and must be encoded in Base32.
Once tokens are acquired they must be uploaded in a comma-separated values (CSV) file format including the UPN, serial number, secret key, time interval, manufacturer, and model, as shown in the following example:
Once properly formatted as a CSV file, a Global Administrator can then sign in to the Microsoft Entra admin center, navigate to Protection > Multifactor authentication > OATH tokens, and upload the resulting CSV file.
Once any errors have been addressed, the administrator can then activate each key by selecting Activate for the token and entering the OTP displayed on the token. You can activate a maximum of 200 OATH tokens every 5 minutes.
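The upload and activation steps above can be checked before anything reaches the admin center. This added example (not Microsoft's code) validates a constructed OATH token CSV against the constraints the text gives (UPN present, Base32 secret of at most 128 characters from A-Z/a-z/2-7, 30 or 60 second interval) and computes the SHA-1 TOTP code that the Activate step expects from the token. The CSV header names and the sample rows are assumptions; the first secret is the RFC 6238 reference key so the result can be checked by hand.

```python
import base64
import csv
import hashlib
import hmac
import io
import struct

# Allowed secret alphabet per the page: a-z, A-Z and digits 2-7 (Base32), at most 128 chars.
B32_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz234567")
ALLOWED_INTERVALS = {"30", "60"}   # Entra ID accepts SHA-1 tokens refreshing every 30 or 60 s

# Constructed sample upload. Header names are an assumption, not taken from the page;
# the first secret is the RFC 6238 reference key ("12345678901234567890" in Base32).
SAMPLE_CSV = """upn,serial number,secret key,time interval,manufacturer,model
alice@example.com,1000001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,Contoso,HWToken
bob@example.com,1000002,JBSWY3DPEHPK3PXP,60,Contoso,HWToken
carol@example.com,1000003,NOT-BASE32-SECRET!,30,Contoso,HWToken
dave@example.com,1000004,GEZDGNBVGY3TQOJQ,45,Contoso,HWToken
"""

def validate_row(row):
    """Return the problems with one upload row; an empty list means it is acceptable."""
    problems = []
    secret = row["secret key"]
    if "@" not in row["upn"]:
        problems.append("upn is not a user principal name")
    if not row["serial number"].strip():
        problems.append("serial number is empty")
    if not (1 <= len(secret) <= 128) or not set(secret) <= B32_CHARS:
        problems.append("secret key must be 1-128 Base32 characters (A-Z, a-z, 2-7)")
    if row["time interval"].strip() not in ALLOWED_INTERVALS:
        problems.append("time interval must be 30 or 60 seconds")
    return problems

def validate_csv(text):
    """Map each serial number in the CSV to its list of problems."""
    return {row["serial number"]: validate_row(row)
            for row in csv.DictReader(io.StringIO(text))}

def totp_sha1(secret_b32, unix_time, step=30, digits=6):
    """OATH TOTP (RFC 6238) over HMAC-SHA1: the code the admin types when activating a token."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # restore Base32 padding
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)               # 8-byte big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)
```

`validate_csv(SAMPLE_CSV)` accepts the first two rows and rejects the malformed secret and the 45-second interval; `totp_sha1("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 59)` returns 287082, the RFC 6238 SHA-1 vector for T=59.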
Users may have a combination of up to five OATH hardware tokens or authenticator applications, such as the Microsoft Authenticator app, configured for use at any time. Hardware OATH tokens cannot be assigned to guest users in the resource tenant.
Users can manage and add OATH token registrations by accessing or by selecting Security info from My Account. Specific icons are used to differentiate whether the OATH token registration is hardware or software based.
If you do not have internet access on your mobile device, you will instead be shown an 8-digit code that needs to be entered to complete the enrolment. Enter this code in the Check Code input shown above and click Submit. You will be prompted to enter a passcode from your soft token. If you have more than one token set up, the token you need is called SecurEnvoy Partner Portal.
If you do not receive a push notification, you can manually check for a login request by tapping the arrow on the right side of the token and pressing Push Code. This will contact the SecurEnvoy server and check for any pending login requests.
If your mobile device is not configured for push notifications, or the push timeout has expired, you will need to enter the 6-digit passcode instead. Look for a token named SecurEnvoy Partner Portal in your soft token app.
CA Strong Authentication, from CA Inc., is a multifactor authentication product that adds support for additional credentials -- including using biometrics and smartphones -- to standard username/password logins for a variety of servers and services, including Active Directory, Salesforce and the Outlook web app. The product helps enterprises deploy and manage a number of authentication methods, including passwords, knowledge-based authentication, as well as two-factor software tokens and hardware credentials.
Interoute MFA, a cloud-based service from Interoute Communications Ltd., enables organizations to replace user-generated passwords with one-time codes generated by hardware or software-based tokens. This software offers strong authentication to help enterprises protect assets, validate authorized users and ensure regulatory compliance.
The Okta Adaptive MFA product supports push-based and soft token authentication. Through a partnership with Yubico, users also have the option of hard token authentication with YubiKeys. Some users say it can be relatively pricey when adding features.
PingID is a multifactor authentication tool from Ping Identity Corp. delivered through the PingOne platform. PingID provides multifactor authentication for cloud-based applications, on-premises applications, VPNs, Windows Server, and RDP and Secure Shell. PingOne also hosts an admin console that manages the software via the PingID service.
RSA Authentication Manager, from RSA Security LLC, is the platform behind the RSA SecurID security token product. RSA Authentication Manager offers multifactor authentication as a virtual or hardware appliance. An enterprise can also mix and match within the same implementation.
The software enables RSA SecurID administrators to centrally manage authentication methods, user profiles, applications and agents across multiple physical sites. RSA Authentication Manager also verifies authentication requests and centrally administers enterprises' authentication policies for their end users.
The self-service console aims to address the most time-consuming and expensive tasks associated with managing an enterprise authentication tool -- i.e., users can change their own PIN codes, request replacement tokens, request emergency access and troubleshoot issues without directly contacting the help desk.
SecurAccess MFA from SecurEnvoy Ltd. offers token-free multifactor authentication for VPN, SSL, Remote Desktop, Wi-Fi, web portal and laptop encryption. SecurAccess is available for implementation for on-premises, as part of a managed service or in the cloud. Small, medium and enterprise organizations across every vertical can utilize the software.