Summary
This document covers how FEITIAN provides seed (share secret) for our OTP products.
Context
OTP products are programmed with a cryptographic ‘seed’ at manufacturing time. Under the OATH OTP standard, the IdP needs the seed to enroll the OTP token and assign it to the actual end user for 2FA. This typically involves the IT admin uploading the serial number and seed to the IdP’s admin console to enroll/activate the token, then assigning it to the user. A more in-depth explanation is available in this blogpost.
Process Overview
- Timing
- The seed delivery process takes place the day after order is shipped.
- The Seed file
- Format: The seed file contains the purchased OTP product’s serial number and the seed value, typically space-delimited rather than comma-separated (to convert to CSV, you can use a simple tool such as Google Sheets: upload the file, then download it again as a CSV file).
- Encoding: the seed value is essentially a random string, and it can be presented in the different encodings required by different IdPs. E.g. Azure AD requires base32, AuthPoint works with WatchGuard’s format (PSKC + AES-128 key), while most other IdPs work with hexadecimal. We suggest adding a note to your order specifying your IdP’s requirement; otherwise we will provide the following by default:
- For TOTP (time-based) type tokens – base32
- For HOTP (event-based) type tokens – hexadecimal.
- Security: The seed file is password-encrypted in a compressed zip file, which is then renamed with a .pdf extension (a workaround to avoid being blocked by some common email/IT policies). Some systems hide the .pdf file extension; to rename the file back, update that setting to reveal file extensions.
- We also support encrypting seed files with the customer’s PGP public key, please specify this on the order if desired.
- Delivery
- We will send two emails to the technical contact listed on the order. Please note that this is the only person authorized to receive seed files from us. If additional staff/email addresses are authorized to handle the seed file, please specify this on your order.
- Email #1 contains the instructions on how to rename/decrypt the seed file.
- Email #2 contains only the password to decrypt the file from Email #1.
Once you receive the seed file, you can then follow your IdP’s documentation to format the seed file before uploading to the IdP’s admin backend. To give a few examples here:
- Microsoft Azure AD
- Duo
- Ping Identity
- Okta (requires using Okta’s Factors API)
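As an added example (not FEITIAN’s own tooling), the following Python script handles the two steps above: it converts a space-delimited seed file into CSV, re-encodes each seed between hexadecimal and base32 for the target IdP, and computes an RFC 6238 TOTP so the decoded seed can be checked against what the token displays before uploading. The sample file contents, the 30-second period and the 6-digit length are assumptions; check your token model’s actual parameters.

```python
import base64, csv, io
import hashlib, hmac, struct

# Constructed sample of the space-delimited seed file (serial, then hex seed).
SAMPLE_SEED_FILE = """\
1234567890001 3132333435363738393031323334353637383930
1234567890002 ffffffffffffffffffffffffffffffffffffffff
"""

def decode_seed(value, enc):
    """Decode a hex or base32 seed string to raw bytes (case and padding tolerant)."""
    value = value.strip()
    if enc == "hex":
        return bytes.fromhex(value)
    if enc == "base32":
        value = value.upper().rstrip("=")
        return base64.b32decode(value + "=" * (-len(value) % 8))
    raise ValueError(f"unsupported encoding: {enc}")

def encode_seed(raw, enc):
    """Encode raw seed bytes in the string form a given IdP expects."""
    if enc == "hex":
        return raw.hex()
    if enc == "base32":
        return base64.b32encode(raw).decode("ascii")
    raise ValueError(f"unsupported encoding: {enc}")

def parse_seed_file(text):
    """Split the space-delimited file into (serial, seed) pairs; serials stay strings."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) == 2:
            rows.append((parts[0], parts[1]))
        elif parts:
            raise ValueError(f"line {lineno}: expected 'serial seed', got {line!r}")
    return rows

def convert_seed_file(text, from_enc, to_enc):
    """Re-encode every seed and return CSV text with a header row."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["serial", "seed"])
    for serial, seed in parse_seed_file(text):
        writer.writerow([serial, encode_seed(decode_seed(seed, from_enc), to_enc)])
    return out.getvalue()

def totp_code(raw, unix_time, period=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1); period/digits are assumed token parameters."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(raw, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)
```

If the code from totp_code() for the current time does not match the token’s display, the seed was decoded with the wrong encoding or the token uses a different period/digit setting.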
Getting Support
The seed is sensitive security information, so we handle it very carefully. We are happy to support you if for any reason you cannot locate the seed file after the initial seed delivery, but you will be required to provide several pieces of information to authenticate yourself as the rightful owner of the OTP token:
- the OTP token’s serial number;
- the order information of the token;
- (optional, but can expedite the process) cc the authorized technical contact, if that is not you
For any questions, please reach out to seed@ftsafe.us for support!