FEITIAN OTP Seed Process

Wed 16 Aug 2023
Home 9 Knowledge Base 9 FEITIAN OTP Seed Process


This document covers how FEITIAN provides seed (share secret) for our OTP products.


OTP products are programmed with a cryptographic ‘seed’ at manufacturing time.   As part of OATH OTP standard, the seed is required by the IdP to properly enroll and assign the OTP token to the actual end-user (to use for 2FA) – this typically involving the IT admin uploading the serial and seed to the IdP’s admin console to enroll/activate the token, then assign to user to be used as 2FA.   More in-depth explanation is available in this blogpost.

Process Overview

  1. Timing
    1. The seed delivery process takes place the day after order is shipped.
  2. The Seed file
    1. Format: The seed file contains the purchased OTP product’s serial number and the seed value, typically space-delimited, not comma-separated (to convert to CSV, you could use simple tools, such as Google Sheets to upload and re-down as CSV file)
    2. Encoding: the seed value is essentially a random string and it can be presented in different encoding required by different IdPs.  E.g. Azure AD requires base32, AuthPoint works with Watchguard format (pskc + AES128 key), while most other IdP works with Hexadecimal.  We suggest to add a note to your order to specify the requirement for your IdP, or we will provide the following by default:
      • For TOTP (time-based) type tokens – base32
      • For HOTP (event-based) type tokens – hexadecimal.
    3. Security: The seed file will be password encrypted in a compressed zip file, renamed to be a pdf file (as a workaround to avoid being blocked by some common email/IT policies).  Some systems may not show the .pdf file extension, so to rename it, this setting needs to be updated to reveal file extensions.
      • We also support encrypting seed files with the customer’s PGP public key, please specify this on the order if desired.
  3. Delivery
    1. We will send two emails to the technical contact listed on the order.  Please note that this will be the only authorized person for us to provide seed files.  If additional staff/email addresses are authorized to handle the seed file, please specify this on your order. 
    2. Email #1 is the instruction on how to rename/decrypt the seed file.
    3. Email #2 is only the password to decrypt the file in Email #1.

Once you receive the seed file, you can then follow your IdP’s documentation to format the seed file before uploading to the IdP’s admin backend.  To give a few examples here:

Getting Support

Seed is sensitive security information, so we handle this very carefully.  We are happy to support you if for any reason you cannot locate the seed file after the initial seed delivery, but you will be required to provide multiple pieces of information to authenticate yourself as the rightful owner of the OTP token:

  1. the OTP token’s serial number;
  2. the order information of the token; 
  3. (optional, but can expedite the process if presented) cc’ing the authorized technical contact, if not yourself

Any questions please reach out to seed@ftsafe.us for support!

Related Posts

Programming NFC OTP Tokens and Cards on Windows OS

FEITIAN's NFC OTP Token can be programmed to work as offline replacement for the mobile ...
Achieving FedRAMP Compliance with FEITIAN Technologies

Achieving FedRAMP Compliance with FEITIAN Technologies

The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide ...

How to set up FEITIAN OTP products with [x service]

FEITIAN’s OTP products follows the open OATH standard. To properly set it up with the identity ...
Enterprise Security

Stay in the know

Join our community of security-conscious individuals and organizations who prioritize safeguarding their sensitive data. Stay informed about the latest advancements in cyber-physical technology and discover how FEITIAN can empower you to take control of your digital security.

"*" indicates required fields

Full Name*