Flexible Identity. OTP software tokens guide. Multi-Factor Authentication. version 1.0




Flexible Identity Multi-Factor Authentication OTP software tokens guide version 1.0

Publication History

Date        Description      Revision
2014.02.07  initial release  1.0

Copyright Orange Business Services 2 of 96

welcome

Your company has chosen Orange Business Services Flexible Identity Multi-Factor Authentication service (aka FI-MFA) to help you protect your on-line identity and the networks, applications and data you use from unauthorized access.

The information in this guide applies to the following OTP software tokens:
- MobilePASS
- MP (aka Multi-Platform)

The information in this guide is intended for:
- end-users: people in your company that will use the FI-MFA service.
- operators: people in your company that will manage your FI-MFA end-users.
- administrators: people in your company that will manage the FI-MFA service.

If you are already comfortable with FI-MFA terminologies and OTP software tokens, you can click one of the following icons for direct access to instructions related to your device:

MobilePASS Windows Desktop Mac OS X iOS Android BlackBerry Not yet supported Windows Phone Not yet supported MP Not yet described Not yet described

contents

overview
  what is an OTP software token?
  why use an OTP token?
  how does an OTP token protect me?
  what additional security features does my OTP token offer?
  what is the difference between a token code and an OTP?
  what are the characteristics of my OTP token?
    operation modes
    synchronization methods
  what is self-enrollment?
  how do I self-enroll my OTP token?
  how long will my OTP token continue to operate?
  what if I have not received the self-enrollment email notification?
  what is the Self-Service Portal?
  why can't I log on using my OTP token?
    I entered an incorrect OTP
    my user account is locked
    my OTP token is out of synchronization
    my OTP token has been suspended or revoked
  what are my responsibilities?
    where should I store my OTP token?
    what if I forget my OTP token?
    what if I lose my OTP token?
    how should I protect my PIN?
    how can I change my PIN?
    what if I forget my PIN?

MobilePASS for Windows Desktop
  introduction
  terminologies
  supported platforms
  enrolling MobilePASS token for Windows Desktop
  authenticating with a MobilePASS token
    QUICKLog operation mode
    challenge-response operation mode
  MobilePASS application features
    viewing MobilePASS application information
    viewing MobilePASS token information
    renaming a MobilePASS token
    resetting a MobilePASS token PIN (token-side only)
    deleting a MobilePASS token
    updating the MobilePASS application
    uninstalling the MobilePASS application
  Self-Service Portal features

MobilePASS for iOS
  introduction
  terminologies
  supported platforms
  enrolling MobilePASS token for iOS
  authenticating with a MobilePASS token
    QUICKLog operation mode
    challenge-response operation mode
  MobilePASS application features
    viewing MobilePASS application information
    viewing MobilePASS token information
    renaming a MobilePASS token
    resetting a MobilePASS token PIN (token-side only)
    deleting a MobilePASS token
    updating the MobilePASS application
    uninstalling the MobilePASS application
  Self-Service Portal features

MobilePASS for Android
  introduction
  terminologies
  supported platforms
  enrolling MobilePASS token for Android
  authenticating with a MobilePASS token
    QUICKLog operation mode
    challenge-response operation mode
  MobilePASS application features
    viewing MobilePASS application information
    viewing MobilePASS token information
    renaming a MobilePASS token
    resetting a MobilePASS token PIN (token-side only)
    deleting a MobilePASS token
    updating the MobilePASS application
    uninstalling the MobilePASS application
  Self-Service Portal features

MobilePASS for BlackBerry
  introduction
  terminologies
  supported platforms
  installing MobilePASS application
  enrolling MobilePASS token for BlackBerry
  authenticating with a MobilePASS token
    QUICKLog operation mode
    challenge-response operation mode
  MobilePASS application features
    viewing MobilePASS application information
    viewing MobilePASS token information
    renaming a MobilePASS token
    resetting a MobilePASS token PIN (token-side only)
    deleting a MobilePASS token
    updating the MobilePASS application
    uninstalling the MobilePASS application
  Self-Service Portal features

Self-Service Portal for MobilePASS
  accessing the Self-Service Portal Web site
  resynchronizing a MobilePASS token
  resetting a MobilePASS token PIN (server-side only)
  sending temporary sign-in password by e-mail/sms

MP for Windows Desktop
  introduction
  terminologies
  supported platforms
  enrolling MP token for Windows Desktop
    optimizing Internet Explorer Web browser
    starting enrollment process
  authenticating with an MP token
    QUICKLog operation mode
    challenge-response operation mode
  Token application features
    viewing Token application information
    renaming an MP token
    resetting an MP token PIN (token-side only)
    unlocking an MP token (token-side PIN)
    updating the Token application
    uninstalling the Token application
  Token Manager application features
    viewing MP token information
    deleting an MP token
    updating/uninstalling the Token application
  Self-Service Portal features

MP for Mac OS X
  introduction
  terminologies
  supported platforms
  enrolling MP token for Mac OS X
  authenticating with an MP token
    QUICKLog operation mode
    challenge-response operation mode
  MP-1 application features
    viewing MP-1 application information
    viewing MP token information
    renaming an MP token
    resetting an MP token PIN (token-side only)
    deleting an MP token
    updating the MP-1 application
    uninstalling the MP-1 application
  Self-Service Portal features

MP for iOS
  introduction
  terminologies
  supported platforms
  enrolling MP token for iOS
  authenticating with an MP token
    QUICKLog operation mode
    challenge-response operation mode
  MP-1 application features
    viewing MP-1 application information
    viewing MP token information
    renaming an MP token
    resetting an MP token PIN (token-side only)
    deleting an MP token
    updating the MP-1 application
    uninstalling the MP-1 application
  Self-Service Portal features

MP for Android
  introduction
  terminologies
  supported platforms
  enrolling MP token for Android
  authenticating with an MP token
    QUICKLog operation mode
    challenge-response operation mode
  MP-1 application features
    viewing MP-1 application information
    viewing MP token information
    renaming an MP token
    resetting an MP token PIN (token-side only)
    deleting an MP token
    updating the MP-1 application
    uninstalling the MP-1 application
  Self-Service Portal features

Self-Service Portal for MP
  accessing the Self-Service Portal Web site
  resynchronizing an MP token
  resetting an MP token PIN (server-side only)
  sending temporary sign-in password by e-mail/sms

overview

what is an OTP software token?

An OTP software token:
- allows you to generate OTPs.
- is managed through a dedicated OTP application you have previously installed on your device.
- is usable only on the device upon which it was installed.

The advantage of OTP software tokens is mass deployment without hardware distribution. In addition, OTP software tokens can be issued, revoked and reissued without restriction or the need to recover the OTP software token from the end-user. Multiple OTP software tokens can be installed on a single device.

why use an OTP token?

Until now, you have probably logged into your organization's resources with your user name and a fixed password. The problem is that passwords are easily compromised, putting your identity and the resources you access at risk. An OTP token allows you to generate and use One-Time Passwords (aka OTPs) each time you log into your organization's resources. As the name implies, an OTP can be used only one time. Each time you log in, you use your OTP token to generate a unique OTP.

how does an OTP token protect me?

Password theft is a common method that thieves and hackers use to steal identities and gain unauthorized access to networks and resources. Success depends on the stolen password being valid, in the same way that credit card theft relies on the card being usable until it is reported as stolen. Discovering the compromise is almost impossible until damage has been done. Using an OTP token solves this problem, because once you have logged in using an OTP, that password is no longer valid. Any attempt to log in by reusing the OTP will fail, and it will alert your network security professionals to a possible attack on your identity.

what additional security features does my OTP token offer?

Depending on your organization's policies:

- your OTP token may be protected against unauthorized use by a Security PIN (aka PIN) that is known only to you. Like a bank card, a thief not only needs access to your OTP token, but must know your PIN as well. Do not share your PIN with others.
- this PIN may be token-side (stored on your device) or server-side (stored on the FI-MFA server).

what is the difference between a token code and an OTP?

The OTP value depends on the PIN protection of your OTP token:
- no PIN-protection: in the OTP application installed on your device, you can directly access your OTP token, and then generate token codes that will act as OTPs.
- token-side PIN-protection: in the OTP application installed on your device, you have to enter the PIN that protects your OTP token before generating token codes that will act as OTPs.
- server-side PIN-protection: in the OTP application installed on your device, you can directly access your OTP token, and then generate token codes. Depending on your organization's policies, you need to enter your PIN either before or after the token code to form the OTP.

Server-side PIN protection is recommended because the PIN is not stored locally and can be reissued by your IT administrator in case of loss without reusing your OTP token too.

what are the characteristics of my OTP token?

The characteristics of your OTP token are defined by your organization and applied when your OTP token is initialized.

operation modes

Depending on your organization's policies, your OTP token may use one of the following operation modes:
- challenge-response: the system that requires your authentication provides a challenge and waits for a response in return (asynchronous mode). Key the challenge into your OTP token to get a token code that you will use as response. Please note that this mode is not supported by all systems that require a logon password.
- QUICKLog: it greatly simplifies your logon experience and strengthens security by eliminating the requirement to have you key a challenge into your OTP token to get a token code (synchronous mode). Moreover, it is supported by all systems that require a logon password.

synchronization methods

Synchronization is only relevant for QUICKLog operation mode. Depending on your organization's policies, your OTP token may use one of the following synchronization methods:

- event-based: the token code is generated each time you click the Generate token code button in the OTP application installed on your device.
- time-based: the token code changes at frequent intervals (token code lifetime depends on your organization's policies).

For each logon, the server compares the token code you submitted with the expected token code. Occasionally you may generate a token code without using it, causing the token code to be ahead or out of synchronization with the server during the next logon. There is a secure mechanism through which the server and your OTP token can automatically resynchronize during logon. Two OTP window types are managed by the server (window sizes depend on your organization's policies):
- inner OTP window: a token code found inside this window will be accepted and the server is updated to adjust for your OTP token drift.
- outer OTP window: handles situations where the token code is not found in the inner OTP window. If a token code is found in this window, you're prompted to provide the next token code in sequence to successfully authenticate.

If the token code is not found in the outer OTP window:
- the OTP is considered invalid.
- you have to resynchronize your token.

what is self-enrollment?

Self-enrollment is a simple process during which you activate your OTP token. During the process, you may be required to enter or create a PIN. When you complete the self-enrollment process, you will be able to use your OTP token to generate token codes for login.

how do I self-enroll my OTP token?

The self-enrollment process begins when you receive your self-enrollment email notification. The email contains instructions and your enrollment URL.

how long will my OTP token continue to operate?

Your OTP token will be able to generate OTPs until it is revoked by your IT administrator.

what if I have not received the self-enrollment email notification?

If you have not received a self-enrollment email notification, please contact your IT administrator to arrange for a new email to be sent to you.
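
The inner and outer OTP window handling described under synchronization methods above, as an added example (not part of the original guide and not the FI-MFA server's own code). It models an event-based token; the guide does not name the token code algorithm, so HOTP (RFC 4226) is used as a stand-in, and the window sizes and the names ServerToken, token_code and Result are assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Result(Enum):
    ACCEPTED = "accepted"
    NEXT_CODE_REQUIRED = "provide the next token code in sequence"
    INVALID = "invalid OTP, token must be resynchronized"


def token_code(seed: bytes, counter: int, digits: int = 6) -> str:
    """Stand-in token code generator (assumption): HOTP per RFC 4226."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so timing does not leak how much of a code matched.
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class ServerToken:
    """Server-side state for one event-based token (hypothetical model)."""
    seed: bytes
    counter: int = 0   # next event counter the server expects
    inner: int = 3     # inner OTP window: codes this close are accepted (assumed size)
    outer: int = 8     # outer OTP window: total look-ahead in codes (assumed size)
    pending: Optional[int] = None  # outer-window match awaiting the next code

    def verify(self, code: str) -> Result:
        # Second step of an outer-window match: only the next code in sequence passes.
        if self.pending is not None:
            expected, self.pending = self.pending + 1, None
            if _same(code, token_code(self.seed, expected)):
                self.counter = expected + 1
                return Result.ACCEPTED
            return Result.INVALID

        for ahead in range(self.outer):
            if not _same(code, token_code(self.seed, self.counter + ahead)):
                continue
            if ahead < self.inner:
                # Inner window: accept and move the server past the token's drift.
                # Every code up to and including this one is now unusable.
                self.counter += ahead + 1
                return Result.ACCEPTED
            # Outer window: plausible drift, but ask for proof of possession.
            self.pending = self.counter + ahead
            return Result.NEXT_CODE_REQUIRED

        # Outside both windows: reject; the token has to be resynchronized.
        return Result.INVALID


SEED = b"12345678901234567890"  # constructed sample: the RFC 4226 test seed


def demo() -> list:
    """Walk one token through drift, replay and outer-window recovery."""
    server = ServerToken(SEED)
    codes = [token_code(SEED, c) for c in range(10)]
    return [
        server.verify(codes[1]),  # one code generated but never used: inner window
        server.verify(codes[1]),  # same code replayed: rejected
        server.verify(codes[6]),  # four codes ahead: outer window
        server.verify(codes[7]),  # next code in sequence completes the logon
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome.value)
```

A time-based token can reuse the same window logic with the time step number in place of the event counter.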

what is the Self-Service Portal?

The Self-Service Portal is a Web site created to empower you to perform simple authentication management functions (the range of available functions depends on your organization's policies) and in the process, reduce the workload and your reliance on the help desk. The self-enrollment email notification contains the URL to access your Self-Service Portal.

why can't I log on using my OTP token?

There may be several causes of failed login.

I entered an incorrect OTP

This is the most common cause. To avoid this, ensure that:
- Caps lock mode is disabled on your keyboard.
- you enter the right characters and keystrokes.
- your OTP is correctly formed (in accordance with the PIN protection type of your OTP token).

my user account is locked

You exceeded the maximum number of consecutive failed logon attempts. You must wait the amount of time defined by your organization before your user account will unlock.

my OTP token is out of synchronization

There is no simple way on your side to check if your OTP token is out of synchronization. If in doubt, you can resynchronize it from your Self-Service Portal (if the function is available) before contacting your IT administrator.

my OTP token has been suspended or revoked

Please contact your IT administrator.

what are my responsibilities?

Using your OTP token provides strong security, and simplifies your work efforts by reducing or eliminating the need to remember or periodically change passwords. As an additional measure, Orange recommends that you observe the following tips to ensure the highest level of security.

where should I store my OTP token?

You should keep your token separate from your computer. Do not leave it on your desk, or with your computer bag. Treat it as you would your wallet, purse, or credit cards, and keep it with you at all times.

what if I forget my OTP token?

Your OTP token is a primary security device designed to protect you and the resources you access. Keep it with your car keys or purse or other valuable items that you use on a regular basis to minimize the potential to forget it. If you do forget your OTP token, contact your IT administrator.

what if I lose my OTP token?

If you lose your token, report it immediately to your IT administrator: he will take the necessary actions to ensure the lost token does not present a security risk. Depending on your organization's policies, he will provide you with a temporary alternative for logging into the network until you receive a replacement token.

how should I protect my PIN?

If you have a PIN, protect it just as you would the PIN for your bank or credit card. Never share it with anybody, including people you trust. This includes your colleagues and systems administrators at your company and personnel who are, or claim to be, representatives of Orange or a Partner of Orange. You should be extremely suspicious of anyone who ever tells you that they need to know your PIN, and you should report any such incident to your IT administrator immediately. Never write down your PIN.

how can I change my PIN?

If you wish to change your PIN, or if you are concerned that it has been compromised, use the Reset PIN function of your Self-Service Portal, or contact your IT administrator if this function was not enabled by your organization's policies.

what if I forget my PIN?

If you forget your PIN, use the Send sign-in password by e-mail/sms function of your Self-Service Portal or contact your IT administrator if this function was not enabled by your organization's policies.

MobilePASS for Windows Desktop

introduction

MobilePASS for Windows Desktop users can generate OTPs directly on their Windows Desktop, and use them to authenticate to FI-MFA-protected applications and resources.

terminologies

In this section:
- MobilePASS token: refers to any MobilePASS OTP software token provided by FI-MFA.
- Passcode: replaces the token code term.
- MobilePASS application: refers to the OTP application you have to install on your Windows Desktop before managing your MobilePASS tokens.

supported platforms

The MobilePASS application works with Windows XP, Windows Vista, Windows 7 and Windows 8/8.1.

enrolling MobilePASS token for Windows Desktop

Step 1: you have or will receive a Self-enrollment email notification. Open it, click the self-enrollment Web site link (beginning with https://se.safenet-inc.com/...), and then switch to your Web browser to start the self-enrollment process. If the MobilePASS application is already installed on your Desktop, ignore steps for downloading and installing it, and then go to step 4.

Step 2: click the Download MobilePASS Installer (.msi) link. The .msi file corresponding to your system (32 or 64 bits) is automatically proposed for download. Click the Save button, and then if necessary the Browse button to select a different destination folder.

Step 3: at the end of the download, double-click the .msi file name to launch the InstallShield Wizard. Click the Next button, read the license agreement carefully, select the I accept the terms in the license agreement option, and then click the Next button. If necessary click the Change button to select a different destination folder, click the Next button, and then click the Install button.

On completion of the installation process, click the Finish button to leave the InstallShield Wizard, and then switch to your Web browser.

Step 4: click the Enroll your MobilePASS token link, and then switch to the newly opened Launch Application window.

Step 5: select the MobilePASS option, click the OK button, and then switch to the newly launched MobilePASS application.

Step 6: enter the new token name and click the Activate button. The activation string is automatically pasted, and the Automatic Enrollment process begins.

If your MobilePASS token is PIN-protected, enter your PIN and click the Continue button, re-enter it for verification purposes, and then click the Continue button. If successful, the following page is displayed:

Step 7: switch to your Web browser to close it. Your MobilePASS token is now active and able to generate OTPs.

authenticating with a MobilePASS token

QUICKLog operation mode

You have the ability to authenticate with your MobilePASS token against any systems that require a logon password (such as your Self-Service Portal described below).

Step 1: open the Self-enrollment email notification you previously received, click the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Click the Sign In button, and then the Sign in using your token button.

Step 2: double-click the icon in your Windows desktop to launch the MobilePASS application, and then select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN). Copy the generated passcode to the clipboard. From the Self-Service Portal Web site, enter your User ID in the User ID field, paste the passcode from the clipboard in the OTP field (depending on your organization's policies, you may need to enter your PIN either before or after the passcode), and then click the OK button.

Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one.

challenge-response operation mode

You have the ability to authenticate with your MobilePASS token only against systems that support challenge-response operation mode (such as your Self-Service Portal described below).

Step 1: open the Self-enrollment email notification you previously received, click the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Click the Sign In button, the Sign in using your token button, enter your User ID in the User ID field, click the OK button without entering any value in the OTP field, and then copy the displayed challenge to the clipboard.

Step 2: double-click the icon in your Windows desktop to launch the MobilePASS application, and then select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN). Paste the challenge code from the clipboard in the Challenge Code field, click the Generate Passcode button, and then copy the generated passcode to the clipboard. From the Self-Service Portal Web site, paste the passcode from the clipboard in the OTP field, and then click the OK button.

Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one.

MobilePASS application features

Double-click the icon in your Windows desktop to launch the MobilePASS application.

viewing MobilePASS application information

From the homepage, click the icon to display the MobilePASS application information.

viewing MobilePASS token information

Select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN), and then click the icon to display the MobilePASS token information.

renaming a MobilePASS token

Select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN), and then click the icon. Enter the new token name, and then click the Continue button.

resetting a MobilePASS token PIN (token-side only)

Select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN), and then click the icon. Enter your current PIN and click the Continue button, enter your new PIN and click the Continue button, re-enter it for verification purposes, and then click the Continue button.

deleting a MobilePASS token

This option should only be used on instruction from your IT administrator. Select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN), and then click the icon. Click the Delete button to confirm.

updating the MobilePASS application

This option should only be used on instruction from your IT administrator.

uninstalling the MobilePASS application

This option should only be used on instruction from your IT administrator. Follow the Windows standard process to uninstall the MobilePASS application.

Self-Service Portal features

Refer to the FI-MFA Service Portal for MobilePASS chapter.

MobilePASS for iOS

introduction

MobilePASS iOS users can generate OTPs directly on their iOS devices, and use them to authenticate to FI-MFA-protected applications and resources.

terminologies

In this section:
- MobilePASS token: refers to any MobilePASS OTP software token provided by FI-MFA.
- Passcode: replaces the token code term.
- MobilePASS application: refers to the OTP application you have to install on your iOS device before managing your MobilePASS tokens.

supported platforms

Web browser: Safari

enrolling MobilePASS token for iOS

Step 1: you have or will receive a Self-enrollment email notification. Open it, tap the self-enrollment Web site link (beginning with https://se.safenet-inc.com/...), and then switch to your Web browser to start the self-enrollment process. If the MobilePASS application is already installed on your iOS device, ignore steps for downloading and installing it, and then go to step 4.

Step 2: tap the icon to download the MobilePASS application from the Apple App store.
Step 3: from the Apple App store, tap the icon. On completion of the installation process, leave the Apple App store, and then switch to your Web browser.
Step 4: tap the Enroll your MobilePASS token link, and then switch to the newly launched MobilePASS application.
Step 5: enter the new token name and tap the Activate button. The activation string is automatically pasted, and the Automatic Enrollment process begins.

If your MobilePASS token is PIN-protected, enter your PIN, and then re-enter it for verification purposes.
If successful, the following screen is displayed:
Step 6: switch to your Web browser to close it. Your MobilePASS token is now active and able to generate OTPs.

authenticating with a MobilePASS token

QUICKLog operation mode
You can authenticate with your MobilePASS token against any system that requires a logon password (such as your Self-Service Portal described below).
Step 1: open the Self-enrollment email notification you previously received, tap the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Tap the Sign In button, and then the Sign in using your token button.
Step 2: tap the icon in your iOS Gallery to launch the MobilePASS application, and then select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN). Copy the generated passcode to the clipboard. From the Service Portal Web site, enter your User ID in the User ID field, paste the passcode from the clipboard in the OTP field (depending on your organization's policies, you may need to enter your PIN either before or after the passcode), and then tap the OK button.
Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one.

challenge-response operation mode
You can authenticate with your MobilePASS token only against systems that support challenge-response operation mode (such as your Self-Service Portal described below).
Step 1: open the Self-enrollment email notification you previously received, tap the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Tap the Sign In button, the Sign in using your token button, enter your User ID in the User ID field, tap the OK button without entering any value in the OTP field, and then copy the displayed challenge to the clipboard.
Step 2: tap the icon in your iOS Gallery to launch the MobilePASS application, and then select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN). Paste the challenge code from the clipboard in the Challenge Code field, and then copy the generated passcode to the clipboard. From the Service Portal Web site, paste the passcode from the clipboard in the OTP field, and then tap the OK button.

Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one.

MobilePASS application features
Tap the icon in your iOS Gallery to launch the MobilePASS application.

viewing MobilePASS application information
From the homepage, tap the icon to display the MobilePASS application information.

viewing MobilePASS token information
Select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN), tap the icon to access the menu options, and then the Token information option to display the MobilePASS token information.

renaming a MobilePASS token
Select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN), tap the icon to access the menu options, and then the Change Token Name option. Enter the new token name.

resetting a MobilePASS token PIN (token-side only)
Select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN), tap the icon to access the menu options, and then the Change Token PIN option. Enter your current PIN, your new PIN, and then re-enter the new PIN for verification purposes.

deleting a MobilePASS token
This option should only be used on instruction from your IT administrator.

Select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN), tap the icon to access the menu options, and then the Delete Token option. Tap the Delete button to confirm.

updating the MobilePASS application
Updates are automatically managed by the Apple App store.

uninstalling the MobilePASS application
This option should only be used on instruction from your IT administrator. Follow the iOS standard process to uninstall the MobilePASS application.

Self-Service Portal features
Refer to the FI-MFA Service Portal for MobilePASS chapter.

MobilePASS for Android

introduction
MobilePASS Android users can generate OTPs directly on their Android devices, and use them to authenticate to FI-MFA-protected applications and resources.

terminologies
In this section:
- MobilePASS token: refers to any MobilePASS OTP software token provided by FI-MFA.
- Passcode: replaces the token code term.
- MobilePASS application: refers to the OTP application you have to install on your Android device before managing your MobilePASS tokens.

supported platforms
Web browsers: native, Chrome, Firefox, Opera, Skyfire, and Dolphin.

enrolling MobilePASS token for Android
Step 1: you have or will receive a Self-enrollment email notification. Open it, tap the self-enrollment Web site link (beginning with https://se.safenet-inc.com/...), and then switch to your Web browser to start the self-enrollment process.
If the MobilePASS application is already installed on your Android device, ignore the steps for downloading and installing it, and go to step 4.

Step 2: tap the icon to download the MobilePASS application from the Google Play store.
Step 3: from the Google Play store, tap the INSTALL button, and then the ACCEPT button. On completion of the installation process, leave the Google Play store, and then switch to your Web browser.
Step 4: tap the Enroll your MobilePASS token link, and then switch to the newly launched MobilePASS application.

Step 5: enter the new token name and tap the Activate button. The activation string is automatically pasted, and the Automatic Enrollment process begins.
If your MobilePASS token is PIN-protected, tap the Continue button, re-enter your PIN for verification purposes, and then tap the Continue button.
If successful, the following screen is displayed:
Step 6: switch to your Web browser to close it. Your MobilePASS token is now active and able to generate OTPs.

authenticating with a MobilePASS token

QUICKLog operation mode
You can authenticate with your MobilePASS token against any system that requires a logon password (such as your Self-Service Portal described below).
Step 1: open the Self-enrollment email notification you previously received, tap the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Tap the Sign In button, and then the Sign in using your token button.
Step 2: tap the icon in your Android Gallery to launch the MobilePASS application, and then select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN). Press the generated passcode until the Copy Passcode button is displayed, and then tap it to copy the passcode to the clipboard. From the Service Portal Web site, enter your User ID in the User ID field, paste the passcode from the clipboard in the OTP field (depending on your organization's policies, you may need to enter your PIN either before or after the passcode), and then tap the OK button.

Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one.

challenge-response operation mode
You can authenticate with your MobilePASS token only against systems that support challenge-response operation mode (such as your Self-Service Portal described below).
Step 1: open the Self-enrollment email notification you previously received, tap the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Tap the Sign In button, the Sign in using your token button, enter your User ID in the User ID field, tap the OK button without entering any value in the OTP field, and then copy the displayed challenge to the clipboard.
Step 2: tap the icon in your Android Gallery to launch the MobilePASS application, and then select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN). Paste the challenge code from the clipboard in the Challenge Code field, tap the Generate Passcode button, press the generated passcode until the Copy Passcode button is displayed, and then tap it to copy the passcode to the clipboard.

From the Service Portal Web site, paste the passcode from the clipboard in the OTP field, and then tap the OK button.
Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one.

MobilePASS application features
Tap the icon in your Android Gallery to launch the MobilePASS application.

viewing MobilePASS application information
From the homepage, tap the icon to display the MobilePASS application information.

viewing MobilePASS token information
Select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN), press the standard Menu button on your Android device, and then tap the icon to display the MobilePASS token information.

renaming a MobilePASS token
Select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN), press the standard Menu button on your Android device, and then tap the icon. Enter the new token name, and then tap the Continue button.

resetting a MobilePASS token PIN (token-side only)
Select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN), press the standard Menu button on your Android device, and then tap the icon. Enter your current PIN, tap the Continue button, enter your new PIN, tap the Continue button, re-enter it for verification purposes, and then tap the Continue button.

deleting a MobilePASS token
This option should only be used on instruction from your IT administrator.

Select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN), and then tap the icon. Tap the Delete button to confirm.

updating the MobilePASS application
Updates are automatically managed by the Google Play store.

uninstalling the MobilePASS application
This option should only be used on instruction from your IT administrator. Follow the Android standard process to uninstall the MobilePASS application.

Self-Service Portal features
Refer to the FI-MFA Service Portal for MobilePASS chapter.

MobilePASS for BlackBerry

introduction
MobilePASS for BlackBerry users can generate OTPs directly on their BlackBerry devices, and use them to authenticate to FI-MFA-protected applications and resources.

terminologies
In this section:
- MobilePASS token: refers to any MobilePASS OTP software token provided by FI-MFA.
- Passcode: replaces the token code term.
- MobilePASS application: refers to the OTP application you have to install on your Windows Desktop before managing your MobilePASS tokens.

supported platforms
The MobilePASS application works with BlackBerry OS version 4.6 and higher.
Web browser: Opera Mini, Bolt, UC, and Uzard Web.

installing MobilePASS application
MobilePASS for BlackBerry allows users to automatically activate and enroll their software tokens over Wi-Fi and wireless networks using the MobilePASS application.
MobilePASS for BlackBerry software tokens can be deployed:
- Over-the-air (OTA) via the SafeNet-hosted server
- OTA via your own internally-hosted server (providing for version control)
- Via the BlackBerry Desktop Manager. The BES policy configuration is not available when deploying with Desktop Manager.
- Via the BlackBerry Enterprise Server (BES) application push. The Automatic Authentication feature is only available for BES deployments.
The MobilePASS application is available at http://www2.safenet-inc.com/sas/getmp.html. The zipped file includes folders for OTA, Desktop and BES packages.
The MobilePASS for BlackBerry zip consists of a combination of the following files:
- MobilePASS.cod
- MobilePASS.jad
- MobilePASS.alx

Files are combined based on how the software will be installed on the BlackBerry device. If installing OTA, the MobilePASS.cod file and the MobilePASS.jad file should be used. If installing via the Desktop Manager, the MobilePASS.cod file and the MobilePASS.alx file should be used.
To distribute MobilePASS for BlackBerry, do the following:
1. Determine how BlackBerry device users will download the MobilePASS application to their device.
2. Configure the appropriate files and/or policies if users will automatically enroll with the automatic authentication feature on or off with their tokens.
3. Post the appropriate files to a location where users can access them, and then inform your MobilePASS for BlackBerry users that the software is available for downloading and installing.

enrolling MobilePASS token for BlackBerry
Step 1: you have or will receive a Self-enrollment email notification. Open it, click the self-enrollment Web site link (beginning with https://se.safenet-inc.com/...), and then switch to your Web browser to start the self-enrollment process.
Step 2: copy the activation string, ensuring that you select the entire string. The last character "=" can be ignored during the copy operation.
Step 3: click the new token name and tap the Activate button. The activation string is automatically pasted, and the Automatic Enrollment process begins.

If your MobilePASS token is PIN-protected, enter your PIN, click the Continue button, re-enter it for verification purposes, and then click the Continue button.
If successful, the following screen is displayed:
Step 4: switch to your Web browser to close it. Your MobilePASS token is now active and able to generate OTPs.

authenticating with a MobilePASS token

QuickLog operation mode
You can authenticate with your MobilePASS token against any system that requires a logon password (such as your Self-Service Portal described below).
Step 1: open the Self-enrollment email notification you previously received, click the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Click the Sign In button, and then the Sign in using your token button.
Step 2: click the icon visible on your BlackBerry device to launch the MobilePASS application, and then select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN). Copy the generated passcode to the clipboard. From the Service Portal Web site, enter your User ID in the User ID field, paste the passcode from the clipboard in the OTP field (depending on your organization's policies, you may need to enter your PIN either before or after the passcode), and then click the OK button.

Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one.

challenge-response operation mode
You can authenticate with your MobilePASS token only against systems that support challenge-response operation mode (such as your Self-Service Portal described below).
Step 1: open the Self-enrollment email notification you previously received, click the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Click the Sign In button, the Sign in using your token button, enter your User ID in the User ID field, click the OK button without entering any value in the OTP field, and then copy the displayed challenge to the clipboard.
Step 2: click the icon visible on your BlackBerry device to launch the MobilePASS application, and then select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN). Paste the challenge code from the clipboard in the Challenge Code field, click the Generate Passcode button, and then copy the generated passcode to the clipboard.

From the Service Portal Web site, paste the passcode from the clipboard in the OTP field, and then click the OK button.
Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one.

MobilePASS application features
Click the icon visible on your BlackBerry device to launch the MobilePASS application.

viewing MobilePASS application information
Select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN), and then the Token Information option from the menu to display the MobilePASS application information.

viewing MobilePASS token information
Follow the same instructions as for the MobilePASS application information.

renaming a MobilePASS token
Select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN), and then the Change Token Name option from the menu. Enter the new token name, and then tap the Continue button.

resetting a MobilePASS token PIN (token-side only)
Select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN), and then the Change Token PIN option from the menu. Enter your current PIN, click the Continue button, enter your new PIN, click the Continue button, re-enter it for verification purposes, and then click the Continue button.

deleting a MobilePASS token
This option should only be used on instruction from your IT administrator.

Select your MobilePASS token (depending on your organization's policies, you may need to enter your PIN), and then the Delete Token option from the menu. Click the Delete button to confirm.

updating the MobilePASS application
This option should only be used on instruction from your IT administrator.

uninstalling the MobilePASS application
This option should only be used on instruction from your IT administrator.

Self-Service Portal features
Refer to the FI-MFA Service Portal for MobilePASS chapter.

Self-Service Portal for MobilePASS

accessing the Self-Service Portal Web site
Open the Self-enrollment email notification you previously received, click the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage.

resynchronizing a MobilePASS token
Step 1: from the Self-Service Portal homepage, click the Resync Token icon, enter your User ID in the User ID field, click the Next button, enter the serial number of your MobilePASS token in the Serial field (refer to the viewing MobilePASS token information chapter to retrieve the serial number), and then click the Next button.
Step 2: select your MobilePASS token from your OTP application and generate the first token code.
Step 3: enter this token code in the First Token Code field.
Step 4: generate the second token code.
Step 5: enter this token code in the Second Token Code field, and then click the OK button.
Step 6: in case of success, the "Token successfully synchronized." message is displayed. You can close your Web browser.
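Why the resynchronization procedure above asks for two consecutive token codes, shown as an added example that is not part of the original guide and not SafeNet's code. It assumes an event-based (counter) token following RFC 4226 HOTP, which the guide does not state; the function names and window sizes are illustrative.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret, used here as constructed sample data.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP value for one counter position."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def _well_formed(code, digits=6):
    """Reject anything that is not exactly `digits` ASCII digits."""
    return (isinstance(code, str) and code.isascii()
            and code.isdigit() and len(code) == digits)


def verify(secret, server_counter, code, look_ahead=3):
    """Normal sign-in: accept a code only within a small look-ahead window.

    Returns the next server counter on success, None on failure.
    """
    if not _well_formed(code):
        return None
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def resync(secret, server_counter, first_code, second_code, window=100):
    """Resynchronization: search a much wider window, but require TWO
    consecutive codes. One 6-digit code matched against 100 positions would
    give a guesser roughly a 100-in-a-million chance; requiring the next code
    as well brings that down to roughly 100 in 10**12.

    Returns the next server counter on success, None on failure.
    """
    if not (_well_formed(first_code) and _well_formed(second_code)):
        return None
    for c in range(server_counter, server_counter + window):
        if (hmac.compare_digest(hotp(secret, c), first_code)
                and hmac.compare_digest(hotp(secret, c + 1), second_code)):
            return c + 2
    return None


if __name__ == "__main__":
    # Constructed scenario: the user generated 7 codes without signing in,
    # so the token is at counter 7 while the server still expects counter 0.
    server_counter = 0
    first, second = hotp(SECRET, 7), hotp(SECRET, 8)
    print("normal sign-in:", verify(SECRET, server_counter, first))
    server_counter = resync(SECRET, server_counter, first, second)
    print("counter after resync:", server_counter)
    print("next sign-in:", verify(SECRET, server_counter, hotp(SECRET, 9)))
```
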

resetting a MobilePASS token PIN (server-side only)
Step 1: from the Self-Service Portal homepage, click the Reset PIN button, the Sign in using your token button, and then authenticate against your Self-Service Portal. In case of success, the Create New PIN page is displayed.
Step 2: enter your new PIN, re-enter it for verification purposes, and then click the OK button.
Step 3: in case of success, the "Your Security PIN has been successfully reset." message is displayed. Click the Sign-out button before closing your Web browser.

sending temporary sign-in password by e-mail/SMS
This temporary sign-in password is valid for 10 minutes, and only for authentication against the Self-Service Portal (useful to reset a forgotten PIN).
Step 1: from the Self-Service Portal homepage, click the Sign In button, then Send Sign in password by e-mail or Send Sign in password by SMS, enter your User ID, and then click the Send button.
Step 2: you have or will receive a Self-service Temporary Sign In Password email notification or SMS including your temporary sign-in password.
Step 3: from the Self-Service Portal homepage, click the Sign In button, the Sign in using your token button, and then authenticate using your temporary sign-in password as OTP.

MP for Windows Desktop

introduction
MP (aka Multi-Platform) for Windows Desktop users can generate OTPs directly on their Windows Desktop, and use them to authenticate to FI-MFA-protected applications and resources.

terminologies
In this section:
- MP token: refers to any MP OTP software token provided by FI-MFA.
- Token application: refers to the OTP application you have to install on your Windows Desktop before managing your MP tokens.
An additional application called Token Manager offers some MP token management features. Both the Token and Token Manager applications are installed by a third one called Software Tools.

supported platforms
The MP application works with Windows XP, Windows Vista, Windows 7 and Windows 8/8.1.

enrolling MP token for Windows Desktop

optimizing Internet Explorer Web browser
If you are using Internet Explorer to enroll your MP token, the following optimization instructions allow some enrollment steps to be automated transparently.

Open your Internet Explorer Web browser, select the Tools > Internet Options menu option from the command bar, the Security tab, the Trusted Sites zone, click the Sites button, enter the https://se.safenet-inc.com URL, and then click the Add button. The Self-enrollment Web site is now a member of the Trusted sites security zone of your Internet Explorer Web browser.

starting enrollment process
Step 1: you have or will receive a Self-enrollment email notification. Open it, click the self-enrollment Web site link (beginning with https://se.safenet-inc.com/...), and then switch to your Web browser to start the self-enrollment process.
Step 2: select the Install Locally option, and then click Next.
If the MP application is already installed on your Desktop, ignore the steps for downloading and installing it, and go to step 4. In addition, if you're using an optimized Internet Explorer Web browser, the steps for downloading, installing and activating the MP token file are automated transparently: go to step 7.

Click the Download Software Tools link. The .msi file corresponding to your system (32 or 64 bits) is automatically proposed for download. Click the Save button, and then if necessary the Browse button to select a different destination folder.
Step 3: once the download has finished, double-click the .msi file name to launch the InstallShield Wizard.
You must have administrator rights on your Windows Desktop to run the InstallShield Wizard.
Click the Next button, read the license agreement carefully, select the I accept the terms in the license agreement option, and then click the Next button.

If necessary, click the Change button to select a different destination folder, click the Next button, and then click the Install button. On completion of the installation process, click the Finish button to close the InstallShield Wizard, switch to your Web browser, and then click the Next button.
Step 4: click the Download button, and then click the Next button.
The alert message above may be displayed by an Internet Explorer Web browser that has not been optimized: close it each time it appears.

Step 5: memorize the displayed PIN. Switch to the Opening MP Token pop-up window, select the Open with BlackShield Token (default) option, click the OK button, enter the PIN you memorized in the PIN required pop-up window, and then click the OK button.
Step 6: from the Token application, select the MP token you're enrolling, and click the Generate Token Code button. If your MP token is token-side PIN-protected and depending on your organization's policies, you may be required to change the PIN on first use: enter your new PIN (you are required to re-enter it for verification purposes). Click the button to copy the token code to the clipboard.

From the self-enrollment Web site, paste the token code from the clipboard in the OTP field (depending on your organization's policies, you may need to memorize and enter the displayed PIN either before or after the token code), and then click the Next button.
Step 7: if your MP token is server-side PIN-protected and depending on your organization's policies, you may be required to change the PIN on first use: enter your new PIN (you are required to re-enter it for verification purposes), and then click the Next button.
If successful, the following page is displayed:
Step 7: memorize your User ID before closing your Web browser. Your MP token is now active and able to generate OTPs.

authenticating with a MP token

QUICKLog operation mode
You can authenticate with your MP token against any system that requires a logon password (such as your Self-Service Portal described below).
Step 1: open the Self-enrollment email notification you previously received, click the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Click the Sign In button, and then the Sign in using your token button.
Step 2: click the icon in your Windows taskbar to launch the Token application, select your MP Token (depending on your organization's policies, you may need to enter your PIN), and then click the Generate Token Code button.

Click the button to copy the generated token code to the clipboard. From the Service Portal Web site, enter your User ID in the User ID field, paste the passcode from the clipboard in the OTP field (depending on your organization's policies, you may need to enter your PIN either before or after the passcode), and then click the OK button.
Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one.

challenge-response operation mode
You can authenticate with your MP token only against systems that support challenge-response operation mode (such as your Self-Service Portal described below).
Step 1: open the Self-enrollment email notification you previously received, click the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Click the Sign In button, the Sign in using your token button, enter your User ID in the User ID field, click the OK button without entering any value in the OTP field, and then copy the displayed challenge to the clipboard.
Step 2: click the icon in your Windows taskbar to launch the Token application, select your MP Token (depending on your organization's policies, you may need to enter your PIN), paste the challenge code from the clipboard in the Challenge field, click the OK button, and then click the button to copy the generated token code to the clipboard. From the Service Portal Web site, paste the passcode from the clipboard in the OTP field, and then click the OK button.
Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one.

Token application features
Click the icon in your Windows taskbar to launch the Token application.

viewing Token application information
Click the Help toolbar option, and then the About menu option.

renaming a MP token
Select your MP token, click the Tools toolbar option, and then the Rename Token menu option. Enter the new token name, and then click the OK button.

resetting a MP token PIN (token-side only)
Select your MP token, click the Tools toolbar option, and then the Change PIN menu option. Enter your current PIN, your new PIN (you are required to re-enter it for verification purposes), and then click the OK button.

unlocking a MP token (token-side PIN)
Depending on your organization's policies, your MP token can be unlocked without having to redeploy the MP token file to you.
Select your MP token, click the Tools toolbar option, and then the Unlock Token menu option. Send the Unlock Challenge value to your IT administrator. Once your identity has been verified (to be certain that the person in possession of the MP token is the rightful owner), your IT administrator will send a Server Response Code to you. Enter it in the Server Response field, and then click the OK button. Enter your new PIN (you are required to re-enter it for verification purposes), and then click the OK button in the Change PIN pop-up window.

updating the Token application
As part of the SAS Software Tools application, the Token application can't be updated separately. This option should only be used on instruction from your IT administrator.

uninstalling the Token application
As part of the SAS Software Tools application, the Token application can't be uninstalled separately. This option should only be used on instruction from your IT administrator. Follow the Windows standard process to uninstall the SAS Software Tools application.

Token Manager application features
Click the button in the Control Panel of your Windows Desktop to launch the Token Manager application.

viewing MP token information
Select your MP token, and then click the Token Information button (or click the Options toolbar option, and then the Token Info menu option).

deleting a MP token
This option should only be used on instruction from your IT administrator.
Select your MP token, and then click the Remove Token button (or click the File toolbar option, and then the Remove Token menu option). Click the Yes button to confirm in the Remove Token pop-up window.

updating/uninstalling the Token application
As part of the SAS Software Tools application, the Token application can't be updated or uninstalled separately. This option should only be used on instruction from your IT administrator.

Self-Service Portal features
Refer to the FI-MFA Service Portal for MP chapter.

MP for Mac OS X

introduction
MP (aka Multi-Platform) for Mac OS X users can generate OTPs directly on their Mac computer, and use them to authenticate to FI-MFA-protected applications and resources.

terminologies
In this section:
MP token: refers to any MP OTP software token provided by FI-MFA.
OTP: replaces the token code term.
MP-1 application: refers to the OTP application you have to install on your Mac computer before managing your MP tokens.

supported platforms
The MP application works with Mac OS X v10.7 Lion, and OS X v10.8 Mountain Lion.
Web browser: Safari

enrolling MP token for Mac OS X
Step 1: you have or will receive a Self-enrollment email notification. Open it, click the self-enrollment Web site link (beginning with https://se.safenet-inc.com/...), and then switch to your Web browser to start the self-enrollment process.
Step 2: select the Mac OS X Lion option, and then click the Next button. Switch to your mailbox after reading instructions.

If the MP-1 application is already installed on your Mac computer, skip the download and installation steps and go to step 5.
Step 3: you have or will receive a Token Installation for Mac OS X email notification. Open it, and then click the https://se.safenet-inc.com/selfenrollment/mp-1.pkg link (Step 1 in the email) to start downloading the MP-1 Application.
Step 4: at the end of the download, click the down arrow in the upper right corner of your Safari browser to display the downloads, and then click the MP-1.pkg file to launch the MP-1 Installer. Click the Continue button twice, the Read License button, read the software license agreement carefully, and then click the Agree button. Select the Disk where you want to install the MP-1 Application, click the Continue button, if necessary click the Change Install Location button to select a different installation type, and then click the Install button.

On completion of the installation process, click the Close button. Switch to the Token Installation for Mac OS X email.
Step 5: copy the MP Token Import Code (by highlighting the text to include the first and last characters, up to and including the trailing BSID characters at the end of the code).
Step 6: click the icon in the Dock to launch the MP-1 application.

Step 7: click the + button, the Paste button (to paste the MP Token Import Code), and then the Continue button (to import the MP token). Memorize the displayed PIN and then click the Continue button. If your MP token is token-side PIN-protected, you may be required to change the PIN on first use: enter the PIN you memorized, your new PIN (you are required to re-enter it for verification purposes) and then click the Continue button.
Step 8: your MP token is now active and able to generate OTPs (MP token indicator is green).

Switch to your Web browser and close it.

authenticating with a MP token

QUICKLog operation mode
You have the ability to authenticate with your MP token against any systems that require a logon password (such as your Self-Service Portal described below).
Step 1: open the Self-enrollment email notification you previously received, click the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Click the Sign In button, and then the Sign in using your token button.
Step 2: click the icon in the Dock to launch the MP-1 application, and then select your MP Token (depending on your organization's policies, you may need to enter your PIN). Click the Copy button to copy the generated OTP to the clipboard. From the Service Portal Web, enter your User ID in the User ID field, paste the OTP from the clipboard in the OTP field (depending on your organization's policies, you may need to enter your PIN either before or after the OTP), and then click the OK button.

Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one.

challenge-response operation mode
You have the ability to authenticate with your MP token only against systems that support challenge-response operation mode (such as your Self-Service Portal described below).
Step 1: open the Self-enrollment email notification you previously received, click the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Click the Sign In button, the Sign in using your token button, enter your User ID in the User ID field, click the OK button without entering any value in the OTP field, and then copy the displayed challenge to the clipboard.
Step 2: click the icon in the Dock to launch the MP-1 application, and then select your MP Token (depending on your organization's policies, you may need to enter your PIN), paste the challenge from the clipboard to the Challenge Code field, click the Continue button, and then the Copy button to copy the generated OTP to the clipboard. From the Service Portal Web, paste the passcode from the clipboard in the OTP field, and then click the OK button.
Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one.

MP-1 application features
Click the icon in the Dock to launch the MP-1 application.

viewing MP-1 application information
Click the MP-1.app entry in the Applications directory.

viewing MP token information
The serial number displayed under your MP token name is the only MP token information available.

renaming a MP token
Select your MP token, click the Continue button, the Settings gear, and then the Rename menu option (depending on your organization's policies, you may need to enter your PIN). Enter the new token name and then click the Continue button.

resetting a MP token PIN (token-side only)
Select your MP token, click the Continue button, the Settings gear, and then the Change PIN menu option. Enter your current PIN, your new PIN (you are required to re-enter it for verification purposes), and then click the Continue button.

deleting a MP token
This option should only be used on instruction from your IT administrator. Select your MP token, click the - button, check the Remove Token box and then click the Continue button.

updating the MP-1 application
This option should only be used on instruction from your IT administrator.

uninstalling the MP-1 application
This option should only be used on instruction from your IT administrator. Follow the Mac OS X standard process to uninstall the MP-1 application.

Self-Service Portal features
Refer to the FI-MFA Service Portal for MP chapter.

MP for iOS

introduction
MP (aka Multi-Platform) iOS users can generate OTPs directly on their iOS devices, and use them to authenticate to FI-MFA-protected applications and resources.

terminologies
In this section:
MP token: refers to any MP OTP software token provided by FI-MFA.
OTP: replaces the token code term.
MP-1 application: refers to the OTP application you have to install on your iOS device before managing your MP tokens.

supported platforms
Web browser: Safari

enrolling MP token for iOS
Step 1: you have or will receive a Self-enrollment email notification. Open it, tap the self-enrollment Web site link (beginning with https://se.safenet-inc.com/...), and then switch to your Web browser to start the self-enrollment process.
Step 2: select the iPhone option, and then click the Next button. Switch to your mailbox after reading instructions.

If the MP-1 application is already installed on your iOS device, skip the download and installation steps and go to step 5.
Step 3: you have or will receive a Token Installation for Mac OS X email notification. Open it, and then tap the icon (Step 1) to download the MP-1 Application.
Step 4: from the Apple App store, tap the FREE button, and then the INSTALL APP button. Switch to the Over-The-Air (OTA) Installation mail.
Step 5: tap the https://se.safenet-inc.com/... link (Step 2) and then switch to your Web browser to start the download of your MP token file (.7mp extension).

Step 6: tap the Open in MP-1 button to install your MP token. If your MP token is token-side PIN protected and depending on your organization's policies, you may be required to change the PIN on first use: enter your new PIN, tap Done, re-enter it for verification purposes, and then tap Done. If successful, the following screen is displayed:
Step 7: switch to your Web browser and close it. Your MP token is now active and able to generate OTPs.

authenticating with a MP token

QUICKLog operation mode
You have the ability to authenticate with your MP token against any systems that require a logon password (such as your Self-Service Portal described below).
Step 1: open the Self-enrollment email notification you previously received, click the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Tap the Sign In button, and then the Sign in using your token button.
Step 2: tap the icon in your iOS Gallery to launch the MP-1 application, and then select your MP Token (depending on your organization's policies, you may need to enter your PIN). Copy the generated OTP to the clipboard. From the Service Portal Web, enter your User ID in the User ID field, paste the passcode from the clipboard in the OTP field (depending on your organization's policies, you may need to enter your PIN either before or after the passcode), and then tap the OK button.

Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one.

challenge-response operation mode
You have the ability to authenticate with your MP token only against systems that support challenge-response operation mode (such as your Self-Service Portal described below).
Step 1: open the Self-enrollment email notification you previously received, tap the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Tap the Sign In button, the Sign in using your token button, enter your User ID in the User ID field, tap the OK button without entering any value in the OTP field, and then copy the displayed challenge to the clipboard.
Step 2: tap the icon in your iOS Gallery to launch the MP-1 application, and then select your MP Token (depending on your organization's policies, you may need to enter your PIN), paste the challenge code from the clipboard in the Challenge Code field, tap the Done button, and then copy the generated OTP to the clipboard. From the Service Portal Web, paste the passcode from the clipboard in the OTP field, and then tap the OK button.
Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one.

MP-1 application features
Tap the icon in your iOS Gallery to launch the MP-1 application.

viewing MP-1 application information
Tap the icon in the bottom right corner.

viewing MP token information
Edit your MP Token, and then tap the Operation tile.

renaming a MP token
Edit your MP Token, tap the Rename Token tile, enter your new token name, and then tap the Done button.

resetting a MP token PIN (token-side only)
Edit your MP Token, tap the Change PIN tile, enter your new PIN, tap the Done button, re-enter your new PIN (for verification purposes), and then tap the Done button again.

deleting a MP token
This option should only be used on instruction from your IT administrator. Tap the tile of the MP token you want to delete, the Edit button, the icon, the Delete button, and the Delete Token button to confirm.

updating the MP-1 application
Updates are automatically managed by the Apple App store.

uninstalling the MP-1 application
This option should only be used on instruction from your IT administrator. Follow the iOS standard process to uninstall the MP-1 application.

Self-Service Portal features
Refer to the FI-MFA Service Portal for MP chapter.

MP for Android

introduction
MP (aka Multi-Platform) Android users can generate OTPs directly on their Android devices, and use them to authenticate to FI-MFA-protected applications and resources.

terminologies
In this section:
MP token: refers to any MP OTP software token provided by FI-MFA.
OTP: replaces the token code term.
MP-1 application: refers to the OTP application you have to install on your Android device before managing your MP tokens.

supported platforms
Web browser: native, Chrome, Firefox, Opera, Skyfire, and Dolphin.

enrolling MP token for Android
Step 1: you have or will receive a Self-enrollment email notification. Open it, tap the self-enrollment Web site link (beginning with https://se.safenet-inc.com/...), and then switch to your Web browser to start the self-enrollment process.
Step 2: select the Android option, and then click the Next button. Switch to your mailbox after reading instructions.

If the MP-1 application is already installed on your Android device, skip the download and installation steps and go to step 5.
Step 3: you have or will receive an Over-The-Air (OTA) Installation for Android Device email notification. Open it, and then tap the icon (Step 1) to download the MP-1 Application.
Step 4: from the Google Play store, tap the INSTALL button, and the ACCEPT button (if App permissions are requested). On completion of the installation process, close the Google Play store (without opening the MP-1 application). Switch to the Over-The-Air (OTA) Installation mail.

Step 5: select the code in the step 2 section (by highlighting the text to include the first and last characters, up to and including the trailing BSID characters at the end of the code) and then copy it to the clipboard.
Step 6: tap the icon in your Android Gallery to launch the MP-1 application, the Import button (the Token Import Code was automatically pasted from the clipboard), the Import button again, in the button to install your MP token. If your MP token is token-side PIN protected and depending on your organization's policies, you may be required to change the PIN on first use: enter your new PIN, tap Done, re-enter it for verification purposes, and then tap Done. If successful, the following screen is displayed:

Step 7: switch to your Web browser and close it. Your MP token is now active and able to generate OTPs.

authenticating with a MP token

QUICKLog operation mode
You have the ability to authenticate with your MP token against any systems that require a logon password (such as your Self-Service Portal described below).
Step 1: open the Self-enrollment email notification you previously received, click the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Tap the Sign In button, and then the Sign in using your token button.
Step 2: tap the icon in your Android Gallery to launch the MP-1 application, then select your MP Token (depending on your organization's policies, you may need to enter your PIN). Copy the generated OTP to the clipboard. From the Service Portal Web, enter your User ID in the User ID field, paste the passcode from the clipboard in the OTP field (depending on your organization's policies, you may need to enter your PIN either before or after the passcode), and then tap the OK button.

Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one.

challenge-response operation mode
You have the ability to authenticate with your MP token only against systems that support challenge-response operation mode (such as your Self-Service Portal described below).
Step 1: open the Self-enrollment email notification you previously received, tap the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage. Tap the Sign In button, the Sign in using your token button, enter your User ID in the User ID field, tap the OK button without entering any value in the OTP field, and then copy the displayed challenge to the clipboard.
Step 2: tap the icon in your Android Gallery to launch the MP-1 application, and then select your MP Token (depending on your organization's policies, you may need to enter your PIN), paste the challenge code from the clipboard in the Challenge Code field, tap the Done button, and then copy the generated OTP to the clipboard. From the Service Portal Web, paste the passcode from the clipboard in the OTP field, and then tap the OK button.
Step 3: if successful, the homepage of your Self-Service Portal is displayed again, but the Sign In button has been replaced by the Sign Out one.

MP-1 application features
Tap the icon in your Android Gallery to launch the MP-1 application.

viewing MP-1 application information
Tap the icon in the bottom right corner.

viewing MP token information
Edit your MP Token, and then tap the Operation tile.

renaming a MP token
Edit your MP Token, tap the Rename Token tile, enter your new token name, and then tap the Done button.

resetting a MP token PIN (token-side only)
Edit your MP Token, tap the Change PIN tile, enter your new PIN, tap the Done button, re-enter your new PIN (for verification purposes), and then tap the Done button again.

deleting a MP token
This option should only be used on instruction from your IT administrator. Tap the tile of the MP token you want to delete, the Edit button, the icon, the Delete button, and the Delete Token button to confirm.

updating the MP-1 application
Updates are automatically managed by the Google Play store.

uninstalling the MP-1 application
This option should only be used on instruction from your IT administrator. Follow the Android standard process to uninstall the MP-1 application.

Self-Service Portal features
Refer to the FI-MFA Service Portal for MP chapter.

Self-Service Portal for MP

accessing the Self-Service Portal Web site
Open the Self-enrollment email notification you previously received, click the Self-Service Portal Web site link (beginning with https://ss.safenet-inc.com/...), and then switch to your Web browser to display the homepage.

resynchronizing a MP token
Step 1: from the Self-Service Portal homepage, click the Resync Token icon, enter your User ID in the User ID field, click the Next button, enter the serial number of your MP token in the Serial field (refer to the viewing MP token information chapter to retrieve the serial number), and then click the Next button.
Step 2: copy the displayed challenge to the clipboard.
Step 3: select your MP token from your OTP application, select the Resync Token option, paste the challenge code and generate the response code.
Step 4: enter this response code in the Response field, and then click the OK button.
Step 5: in case of success, the "Token successfully synchronized." message is displayed. You can close your Web browser.