AuthAnvil SoftTokens turn your Windows Mobile, Windows Phone, RIM Blackberry, Apple iPhone, Android device, or YubiKey into a powerful standalone two-factor authentication token, capable of generating dynamic one-time passwords that will let you log into systems and services protected by AuthAnvil Two Factor Auth. For users who only need to enforce AuthAnvil Two Factor Auth authentication on remote systems, we also offer a Desktop SoftToken for Windows.
Smartphone-based SoftTokens do NOT depend on the phone's cellular service the way SMS or text-message based solutions do. In other words, the phone does not need to have service to generate one-time passwords. However, during initial deployment the device will need some form of Internet connection (even if through a computer cradle) to allow over-the-air (OTA) deployment of the SoftToken to the phone.
To use an AuthAnvil SoftToken, you will require:
- AuthAnvil Two Factor Auth v3.0 or higher; and
- A license to an AuthAnvil SoftToken; and
- Windows Mobile 5.0 or higher; or
- Windows Phone 7 or higher; or
- RIM Blackberry OS 4.2.1 or higher; or
- Apple iPhone OS 6.0 or higher; or
- Android OS 1.6 or higher; or
- YubiKey with firmware 2.1 or later; or
- Windows Vista or higher with the .NET Framework 3.5 or higher.
You can access your AuthAnvil SoftToken licenses in the Customer Portal.
Before you begin
Unlike AuthAnvil Two Factor Auth keyfob tokens, the steps to deploy and manage SoftTokens are slightly different. The main reason is to protect the integrity and security of the SoftTokens: a SoftToken is a secret key held on a device, and without these controls the same key could be loaded onto more than one device, each producing the same one-time passwords (OTPs). The main things to consider include:
- For new users, SoftTokens are deployed using self-enrollment, and cannot be manually assigned.
- Once a SoftToken is issued to a device, it cannot be reissued unless you take special measures in the Customer Portal to reset it. (See Appendix A)
- SoftTokens are NOT portable across devices. Once issued, if you wish to move a SoftToken to another device you MUST destroy the keys on the old device and reset the token before re-issuing the same keys to a new device.
To help with this, please see the section below for links to the appropriate device App Store.
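Why a SoftToken must be destroyed and reset rather than copied, as an added example that is not part of the original document and not AuthAnvil's code. The document does not state which OTP algorithm AuthAnvil uses, so RFC 4226 HOTP (HMAC-SHA1 over a counter) is used here as a stand-in, with the RFC's own published test seed as sample input; the SoftTokenDevice and TokenServer classes, the look-ahead window and the seed values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from typing import Dict

# RFC 4226 reference seed (the RFC's published test vector), used only as sample input.
RFC4226_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(seed, counter), dynamic truncation, modulo 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class SoftTokenDevice:
    """A token as it lives on a phone: the seed plus a moving counter (hypothetical class)."""

    def __init__(self, seed: bytes, counter: int = 0):
        self.seed = seed
        self.counter = counter

    def next_otp(self) -> str:
        otp = hotp(self.seed, self.counter)
        self.counter += 1
        return otp


class TokenServer:
    """Server-side record for one token: the same seed, the last accepted counter,
    and a look-ahead window (window size is an assumption)."""

    def __init__(self, seed: bytes, window: int = 8):
        self.seed = seed
        self.counter = 0
        self.window = window

    def reset(self, new_seed: bytes) -> None:
        """The 'reset the token' step: the old seed is no longer accepted anywhere."""
        self.seed = new_seed
        self.counter = 0

    def verify(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.seed, c), otp):
                self.counter = c + 1  # this and every earlier counter are now burned
                return True
        return False


def demonstrate_clone(seed: bytes = RFC4226_SEED) -> Dict[str, bool]:
    """Two devices holding the same seed are indistinguishable to the server."""
    server = TokenServer(seed)
    phone = SoftTokenDevice(seed)
    clone = SoftTokenDevice(seed)  # the same key copied to a second device
    identical = phone.next_otp() == clone.next_otp()  # both emit the OTP for counter 0
    clone_accepted = server.verify(clone.next_otp())  # counter 1: the clone logs in
    phone_rejected = not server.verify(phone.next_otp())  # the real phone's counter 1 is burned
    # After destroying the keys on the old device and resetting the token, the
    # replacement device gets a fresh seed; anything still holding the old seed fails.
    new_seed = b"constructed seed issued after reset"
    server.reset(new_seed)
    replacement = SoftTokenDevice(new_seed)
    return {
        "identical_otps": identical,
        "clone_accepted": clone_accepted,
        "phone_rejected_after_clone": phone_rejected,
        "old_seed_rejected_after_reset": not server.verify(clone.next_otp()),
        "new_device_accepted_after_reset": server.verify(replacement.next_otp()),
    }


if __name__ == "__main__":
    for name, result in demonstrate_clone().items():
        print(f"{name}: {result}")
```

The server cannot tell the clone from the legitimate phone, because the OTP depends only on the shared seed and counter. The only visible symptom is that the legitimate user's next code is rejected once the clone has consumed it, which is why the document requires destroying the old device's keys and resetting the token before the same serial is issued again.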
To use AuthAnvil SoftTokens, you must first ensure you have AuthAnvil Two Factor Auth v3.0 or later installed. You then need to use the AuthAnvil Configuration Wizard and import the token import file that was emailed to you when you purchased your SoftTokens in the Scorpion Software Online Store.
Once that is done, you can then issue SoftTokens.
Note for AuthAnvil 3.0 users: If an account already exists in AuthAnvil Two Factor Auth and you wish to convert it from a hardware keyfob token to a SoftToken, you will need to delete the account and re-add it. Don't forget that when you do this, you will also need to re-add the account to any Grouped Users it was a member of.
Warning: If you are deleting an account that is a Site Admin for AuthAnvil Two Factor Auth, make sure you have access to the AuthAnvil Configuration Wizard and know the master administrator password so you can enable their admin access once re-added.
In version 3.5 and later, a user can be converted from a hardware token user into a SoftToken user using the AuthAnvil Manager. See the section “Converting a hardware token user into a SoftToken user” later in this document.
Preparing Your Mobile Device for a SoftToken
Simply by using your phone's mobile web browser to visit the AuthAnvil SoftToken Portal (https://customer.scorpionsoft.com/gettoken/), you can get access to the AuthAnvil SoftToken software for your device. The portal determines what type of device you are using and sends you to the correct location to download the software for it.
A few things to consider include:
- Apple iPhone or iPod Touch devices will need to download the software from the iTunes Store. It is a FREE download and you will not be charged in iTunes.
- Windows Phone 7 devices will need to download the software from the Zune Store. It is a FREE download and you will not be charged.
- Depending on the manufacturer and carrier, Android users may need to download the software from the Android Marketplace. It is a FREE download and you will not be charged.
- Older BlackBerry and Windows Mobile devices may not, by default, trust the SSL certificate because their list of root certificate authorities is out of date. Rather than accepting an untrusted certificate, you may wish to update your phone before installing the AuthAnvil SoftToken.
- BlackBerry devices MUST have their APN configured. Without it, activation over the Internet cannot occur. If you are unsure, please contact your BlackBerry administrator.
- Depending on the configuration policy on your BlackBerry device, you may be prompted several times during installation and activation, including when:
- you download the software and the device does not trust the certificate;
- the software attempts to open a secure HTTPS channel to the activation server during activation;
- the software requests access to information about the device during activation.
- You do NOT require a data plan to download these files. You can use your Internet connected computer through your typical dock/cradle to access the portal to download and activate your device.
Mass deployment through Exchange or BES is not covered in this document. If you wish to deploy using that method, please contact a Microsoft or RIM mobile professional directly for assistance.
Note for BES Users: As of this writing, there is an issue with the way that Blackberries connected to BES 4.1 SP7 or later and BES Express 5.0 servers handle SSL certificates, causing them to be unable to communicate with the SoftToken Provisioning Server to activate their tokens. RIM has published a workaround for this under KB 20833: “On the BlackBerry smartphone, select Options>Security Options>Advanced Security Options>TLS and change the TLS Default from Proxy to Handheld. This will allow the BlackBerry smartphone to parse the certificate directly, which does not have the problem with the Subject Alternative Name.”
Preparing Your Computer for a SoftToken
Simply by using your web browser to visit the AuthAnvil SoftToken Portal at https://customer.scorpionsoft.com/gettoken/, you can get access to the AuthAnvil SoftToken software.
A few things to consider include:
- Desktop SoftTokens are only supported on Windows Vista or later.
- Desktop SoftTokens require the .NET Framework 3.5 or later, which is available through Windows Update, or directly from the MSDN Download site.
Preparing Your YubiKey for a SoftToken
Simply by using your web browser to visit the AuthAnvil SoftToken Portal at https://customer.scorpionsoft.com/gettoken/, you can get access to the AuthAnvil SoftToken Yubikey Programmer software.
A few things to consider include:
- The YubiKey programmer is only supported on Windows Vista or later.
- The YubiKey programmer requires the .NET Framework 3.5 or later, which is available through Windows Update, or directly from the MSDN Download site.
- YubiKeys are only supported in AuthAnvil Two Factor Auth 4.0 and later.
- AuthAnvil SoftTokens are only supported on YubiKeys with firmware 2.1 and later.
To program a YubiKey, plug it in, run the token programmer, enter the serial number and activation PIN from your enrollment email, and click "Activate". The programmer erases the YubiKey's current settings (any credential previously configured on it is lost) and programs it as an AuthAnvil SoftToken.
Using your YubiKey to store a Security Key
If you're using Version 188.8.131.52 or later of the AuthAnvil SoftToken YubiKey Programmer, you can use your YubiKey to store a 16-digit security key that you can use with other applications, such as TrueCrypt or BitLocker. By default, when you program a YubiKey with an AuthAnvil SoftToken, the YubiKey's second slot is used to store the token's 9-digit serial number followed by a random 7-digit value, which together make up this security key.
By default, slot 2 is reset to the 9-digit serial number + the 7-digit random value every time you program the YubiKey, but this behaviour can be changed by setting a registry value. NOTE: The usual warnings about editing the registry apply.
Create a DWORD value named Slot2Behaviour under the key HKEY_CURRENT_USER\Software\Scorpion Software\AuthAnvil SoftToken YubiKey Programmer. The possible values are:
- 0 = Default Behavior
- 1 = Generate a fully random 16 digit value. The serial number will not be included. Make sure to make a note of it somewhere else.
- 2 = Don’t overwrite slot 2 at all. This will allow you to keep whatever value you had previously programmed in there.
For safekeeping, this security key should also be stored in the AuthAnvil Password Server. If the YubiKey is lost, stolen or destroyed, the key can then be recovered so that you can still access the protected information.
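What each Slot2Behaviour value puts into slot 2, and how much of it an attacker still has to guess, as an added example that is not part of the original document and not the YubiKey Programmer's code. It models the three modes described above; the function names, the random_digits parameter (used so the demo is repeatable) and the sample serial number are assumptions made for illustration. The entropy figures assume the attacker already knows the serial number, which is reasonable since it appears in the enrollment email.

```python
import math
import secrets
from typing import Dict, Optional

# The three Slot2Behaviour registry values from the section above.
SLOT2_DEFAULT = 0  # 9-digit serial number followed by 7 random digits
SLOT2_RANDOM = 1   # 16 fully random digits, serial number not included
SLOT2_KEEP = 2     # leave whatever is already programmed in slot 2

KEY_LENGTH = 16


def build_slot2_key(behaviour: int, serial: int, existing: Optional[str] = None,
                    random_digits: Optional[str] = None) -> Optional[str]:
    """Return the 16-digit string the programmer would write to slot 2 in each mode.

    random_digits lets a caller fix the random part (used by the demo); when it is
    omitted the digits come from the secrets module, i.e. a CSPRNG.
    """
    if behaviour == SLOT2_DEFAULT:
        if not 0 <= serial < 10 ** 9:
            raise ValueError("serial number must fit in 9 digits")
        rnd = random_digits if random_digits is not None else f"{secrets.randbelow(10 ** 7):07d}"
        key = f"{serial:09d}{rnd}"
    elif behaviour == SLOT2_RANDOM:
        key = random_digits if random_digits is not None else f"{secrets.randbelow(10 ** 16):016d}"
    elif behaviour == SLOT2_KEEP:
        return existing  # the programmer does not touch slot 2 at all
    else:
        raise ValueError(f"unknown Slot2Behaviour value {behaviour}")
    if len(key) != KEY_LENGTH or not key.isdigit():
        raise ValueError("slot 2 security key must be exactly 16 decimal digits")
    return key


def secret_digits(behaviour: int) -> int:
    """Digits an attacker who already knows the serial number still has to guess."""
    return {SLOT2_DEFAULT: 7, SLOT2_RANDOM: 16}.get(behaviour, 0)


def guess_bits(behaviour: int) -> float:
    """Entropy of the unknown part in bits: log2(10 ** secret_digits)."""
    return secret_digits(behaviour) * math.log2(10)


def demo(serial: int = 123456789) -> Dict[str, str]:
    """Show the key each mode produces for a constructed serial number."""
    return {
        "default (serial + 7 random)": build_slot2_key(SLOT2_DEFAULT, serial),
        "random 16 digits": build_slot2_key(SLOT2_RANDOM, serial),
        "keep existing": str(build_slot2_key(SLOT2_KEEP, serial, existing="0000111122223333")),
        "guess bits, default": f"{guess_bits(SLOT2_DEFAULT):.1f}",
        "guess bits, random": f"{guess_bits(SLOT2_RANDOM):.1f}",
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the default mode only the 7 random digits are secret, roughly 23 bits, so the key stops a casual guess but not an offline search; Slot2Behaviour = 1 raises that to about 53 bits at the cost of having to record the value yourself, as the document advises. In either mode the YubiKey types the value out as a static string, so it is only as secret as physical access to the key and the stored copy in the Password Server.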
Configuring AuthAnvil Two Factor Auth Users to use SoftTokens (AuthAnvil Two Factor Auth 5.0 and later)
When adding users individually using the AuthAnvil Two Factor Auth Manager, simply select software token self-enrollment for the user.
When using ADUS to mass-import users from Active Directory, simply add the users to the Software Tokens group that you have defined there.
Converting a hardware token user into a SoftToken user (AuthAnvil Two Factor Auth 5.0 and Later)
If a user wants to convert from using a hardware token to using a software token, this is possible in AuthAnvil version 3.5 and later. To do this successfully, the user must have a smartphone capable of using a SoftToken, and there must be enough SoftToken licenses available on the server. (Visit the Customer Portal if you need to purchase more SoftToken licenses.)
- Log into your AuthAnvil Manager (http(s)://<YourServer>/AuthAnvil/Manager). Use HTTPS wherever the Manager is reached over a network, so that administrator credentials are not sent in the clear.
- Click on the users tab, and then the username of the user that you wish to manage.
- Hover over the “Actions” menu and click “Unassign Token”.
- Click “Unassign Token” in the confirm dialog that pops up.
- Click on the “Token Information” Panel and click “Automatically assign a SoftToken to this user.”
- Click “Save Changes”. The AuthAnvil Manager will send out a new enrollment email to the user with their serial number and PIN, and the user can then go and activate their token through the regular activation process.