Using programmable TOTP hardware token with Salesforce MFA
If your company requires multifactor authentication (MFA) for increased security when you log in or access connected apps, reports, or dashboards, use a code from an authenticator app. If MFA is turned on and you haven’t set up a verification method yet, you’re prompted to register the next time you log in to Salesforce. As our programmable hardware tokens act as a drop-in replacement for TOTP apps, you can enroll a hardware token to be used with Salesforce MFA.
Requirements
- A Salesforce account (regular, no admin rights needed)
- A Token2 programmable token (the guide below shows C301i as an example)
- An iPhone or Android device with NFC enabled (alternatively, Windows or Python with special NFC hardware can be used as well) - this is needed for the enrollment only, subsequent logins will only require the hardware token
1. Install the provisioning tool
Download and install the supported provisioning app for your device type. Refer to this page to find the correct app for your token and the operating system. For our example, we selected the C301i as the token model and iPhone as the platform. If you use another token model or platform, choose the correct ones from the list.
2. Enroll the hardware token
- Click on your user avatar (top right corner) and select Settings
- From the user settings page, click on 'Advanced User Details', then on the right window, find 'App Registration: One-Time Password Authenticator' and click on 'Connect'
- For security purposes, you’re prompted to log in to your account
- On the next window, Salesforce will show you a QR code similar to the one shown below
- Burn the hardware token using the instructions below
- Launch the NFC burner app on your Android device and hit the "QR" button
- Point the camera to the QR code shown on the account page. Upon a successful QR scan, the camera window should disappear
- Turn on the token and touch it with your phone (make sure it is overlapped by the NFC antenna) and click "Connect" on the app
- Upon successful connection, click the "Burn seed" button. If the NFC link is established and the code is correctly scanned, you should see a status window showing "Burning..." and eventually (in a second or two), a "burn seed successful.." message in the log window
Follow the steps below to set the seed for your token using the Windows app.
1. Launch the exe file, then select the NFC device from the drop-down list and click on "Connect". You should see a message box notifying about a successful operation.
2. Enter or paste the seed in base32 format, or use one of the QR scanning methods to populate this field
3. Place the token onto the NFC module and wait for its serial number to appear.
4. Click on the "Burn seed" button. A log entry with the serial number and "Successful operation" text will be logged in the log window.
- Launch the NFC burner app on your iPhone device and hit the "scan QR" button
- Point the camera to the QR code shown on the account page. Upon a successful QR scan, the camera window should disappear and the seed field will be populated with the hex value of the seed
- Touch the Burn button, then turn on the token and touch the top of your iPhone with the token
- Check the results of the process in the Results log field
Please note that the procedures above are shown only as examples and are valid for single-profile TOTP tokens only. The procedures for multi-profile and USB-programmable devices are similar but slightly different.
- In the Salesforce window, enter the 6 digit OTP shown on the token and click Connect
- If the process was done correctly and the code is accepted, you will be redirected to the main page
Now the account is ready to use this identity verification method. When Salesforce prompts you for the OTP code generated by the Authenticator app, just press the button on your hardware token and enter the 6 digits generated by the device.
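To confirm a burn, or to see how far a token's clock has drifted, the 6 digits on the token can be checked against the seed taken from the QR code. The sketch below is an added example, not Token2 or Salesforce code; it assumes the QR code decodes to an `otpauth://totp/` URI in the usual authenticator key-URI format, and the function names and the sample URI are invented for illustration.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: the RFC 6238 test seed, not a real Salesforce secret.
SAMPLE_URI = ("otpauth://totp/Salesforce:user%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Salesforce")

def parse_otpauth(uri):
    """Extract the seed and TOTP parameters from a provisioning URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # QR payloads usually omit base32 padding
    seed = base64.b32decode(b32)
    return {"label": unquote(u.path.lstrip("/")),
            "seed": seed,
            "seed_hex": seed.hex(),  # the form shown by apps that display hex
            "algorithm": q.get("algorithm", "SHA1").upper(),
            "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30))}

def totp(seed, unix_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 code for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(seed, counter, getattr(hashlib, algorithm.lower())).digest()
    off = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def match_offset(uri, displayed_code, unix_time, window=2):
    """Time-step offset at which the token's code matches the seed, else None."""
    p = parse_otpauth(uri)
    for step in sorted(range(-window, window + 1), key=abs):
        expected = totp(p["seed"], unix_time + step * p["period"],
                        p["period"], p["digits"], p["algorithm"])
        if hmac.compare_digest(expected, displayed_code):
            return step
    return None

if __name__ == "__main__":
    import time
    params = parse_otpauth(SAMPLE_URI)
    print(params["label"], params["seed_hex"], totp(params["seed"], time.time()))
```

A result of `None` means the seed on the token differs from the one in the QR code or the token clock is outside the window. Anyone holding the URI can generate the same codes, so run the check on the machine used for enrollment and do not keep the URI afterwards.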