Importing OATH tokens in bulk
You can authenticate with Privileged Access Service using your existing third-party OATH tokens (for example, those generated by a YubiKey) by bulk uploading those tokens. Privileged Access Service uses those tokens to generate one-time passcodes (OTPs) that users with registered devices can immediately use to log in to the Admin Portal.
Users without registered devices must first log in to the Admin Portal and scan the QR code generated by Privileged Access Service (using a third-party authenticator) to get the passcode pushed to their devices. You can direct users to Using OTPs to authenticate.
When you upload these tokens, they override any existing passcode that users may have generated by scanning the QR code generated by Privileged Access Service.
Before you start importing OATH tokens, you need a CSV file with the following column headers (header names must match exactly):
- User Principle Name
- Secret Key (HEX)
- Account Name
- OTP Digits
Important: The secret keys in the CSV file must be in HEX format.
Privileged Access Service validates one OATH token per user. If your CSV file contains more than one OATH token for the same user, the last token (the one lowest in the spreadsheet) is validated for that user.
A CSV file template is available on the bulk upload page in Admin Portal.
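The following pre-upload check is an added example, not part of the product or its documentation. It verifies the exact header names, that each secret is a hex string, and which row takes effect when a user appears more than once. The function name, the sample rows, and the case-insensitive comparison of user names are assumptions made for illustration.

```python
import csv
import io
import re

# Column headers exactly as listed on this page.
REQUIRED_HEADERS = ["User Principle Name", "Secret Key (HEX)", "Account Name", "OTP Digits"]
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

# Constructed sample: one Base32 secret (invalid here) and one duplicated user.
SAMPLE = (
    "User Principle Name,Secret Key (HEX),Account Name,OTP Digits\n"
    "alice@example.com,3132333435363738393031323334353637383930,YubiKey,6\n"
    "bob@example.com,JBSWY3DPEHPK3PXP,YubiKey,6\n"
    "alice@example.com,a1b2c3d4e5f60718293a4b5c6d7e8f9001122334,YubiKey,6\n"
)


def check_oath_csv(text):
    """Return (errors, effective): problems found, and the winning row number per user."""
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    if missing:
        return [f"header row: missing or misspelled column {h!r}" for h in missing], {}
    errors, effective = [], {}
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header row
        user = (row["User Principle Name"] or "").strip()
        secret = (row["Secret Key (HEX)"] or "").strip()
        digits = (row["OTP Digits"] or "").strip()
        if not user:
            errors.append(f"row {row_no}: empty User Principle Name")
            continue
        # Secrets must be hex; messages never echo the secret itself.
        if not HEX_RE.fullmatch(secret) or len(secret) % 2:
            errors.append(f"row {row_no}: secret for {user} is not an even-length hex string")
        # Only checks that the value is numeric; the accepted range is not stated on the page.
        if not (digits.isascii() and digits.isdigit()):
            errors.append(f"row {row_no}: OTP Digits for {user} is not a number")
        key = user.lower()  # assumption: user names compare case-insensitively
        if key in effective:  # one token per user: the lowest row is the one validated
            errors.append(f"row {row_no}: duplicate user {user}, replaces row {effective[key]}")
        effective[key] = row_no
    return errors, effective


if __name__ == "__main__":
    for problem in check_oath_csv(SAMPLE)[0]:
        print(problem)
```

Because the file holds OTP seeds in clear text, run a check like this locally and delete the CSV after the import report confirms success.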
- Log in to Admin Portal.
- Navigate to Access > OATH Tokens.
- Click Bulk Token Import.
- Click Browse, navigate to your CSV file, and upload it.
- Click Next.
Review the first 15 rows and, if they look correct, click Next.
If you see an error, cancel the upload and fix the error.
- Confirm the email address or enter a different one where a bulk import report will be sent.
A bulk import report email is sent to the specified email address.
Refresh the OATH Tokens page to see the uploaded instance.
If you have not configured the OATH OTP policy, you need to do so before users can use the generated passcodes. When you configure the OATH OTP policy, you can also define whether users can see the QR code from the Admin Portal. See How to configure OATH OTP.