Use OTP Hardware token as a 2nd Authentication method

Copper Contributor


Dear Reader,


In this post, I wrote about setting up a hardware OTP token if you don't currently have any of those tokens. I hope this helps you decide whether to migrate to this solution or not, in your production environment.


An OTP hardware token is a physical device that is used to generate one-time password (OTP) codes for authenticating users to Azure services. These tokens are often used in combination with Azure Active Directory, which is a cloud-based identity and access management service.


When a user attempts to log in to an Azure service, they will enter their username and password, and then use the hardware token to generate an OTP code. This code is then entered into the login screen to complete the authentication process.


The process for activating an OTP hardware token may vary depending on the specific token and the system in which it will be used. Here is a general outline of the steps that may be involved:

  1. Install the hardware token: Follow the manufacturer's instructions to install the hardware token on your device.
  2. Register the hardware token: To use the hardware token, you will need to register it with the system or service that you will be using it with. This may involve creating an account or linking the hardware token to an existing account.
  3. Activate the hardware token: Once the hardware token is installed and registered, you will need to activate it. This may involve entering a code that was provided with the hardware token or completing some other activation process.
  4. Set up your hardware token: After the hardware token is activated, you may need to set up additional security measures, such as a PIN code, to use the hardware token. 
  5. Use the hardware token: Once the hardware token is set up and activated, you can use it to generate OTPs when logging in to your account or accessing sensitive information.

Again, the exact steps for activating an OTP hardware token may vary depending on the specific token and system you are using. Be sure to follow the manufacturer's instructions carefully to ensure that the hardware token is properly activated.


In my situation, I'm going to use the TOTP Toolset from to emulate the Hardware Token. It is suitable for practicing the whole process before buying or configuring OTP hardware tokens in productive Infrastructure. 


About "Seed in base32" (We are generating this file to activate our OTP Hardware Token before using it)


In the context of OTP hardware tokens, a seed in base32 is a string of characters that is used to generate one-time passwords (OTPs). The seed is typically provided by the manufacturer of the hardware token and is used to initialize the token's internal state.


Base32 is a notation for encoding arbitrary byte data using a restricted set of symbols that can be conveniently used by humans and processed by computers. It is often used to represent data, such as seeds, in a compact and easy-to-read format.


To generate an OTP using a seed in base32, the hardware token uses an algorithm to generate a unique password based on the current time and the seed. The OTP is typically valid for a short period, after which a new OTP must be generated.


To use a seed in base32 with a hardware token, you will typically need to enter the seed into the token or provide it to the system or service that you are using the token with. The exact process for doing this will depend on the specific hardware token and system you are using.


Seed in base32 format looks like:

upn,serial number,secret key,timeinterval,manufacturer,model
email address removed for privacy reasons,2300000000002,ABXYZ_VALUE_IN_BASE32,30,Token2,miniOTP-1




After generating the file in ".csv" format we should upload it to Azure Active Directory.


Upload the ".csv" file to Azure Active Directory.



After uploading we need to activate Hardware OTP Token.



It is time to write the OTP on the Hardware Token. In our Situation, it is a TOTP Toolset-generated Code.




After successfully activating you will get the notification.




In Microsoft Azure Active Directory (Azure AD), legacy multifactor authentication (MFA) and self-service password reset (SSPR) policies are being deprecated and replaced with modern alternatives.

Legacy MFA policies refer to older methods of implementing multifactor authentication in Azure AD, such as phone calls, SMS, and mobile app verification. These methods are being replaced with Azure MFA, which provides a more secure and scalable solution for implementing multifactor authentication.

Legacy SSPR policies refer to older methods of allowing users to reset their passwords in Azure AD, such as using security questions or requiring the assistance of an administrator. These methods are being replaced with Azure AD Passwordless, which allows users to reset their passwords using techniques such as email, phone, or the Microsoft Authenticator app.

Azure AD is deprecating these legacy policies to provide users with more secure and convenient authentication and password management solutions. It is recommended to migrate to the modern alternatives as soon as possible to ensure your Azure AD environment's continued security and functionality.


Please check which authentication method you are using for users in your Tenant.?!




The next step is to create a Conditional Access Policy: 




 Checking the end user for authentication. After typing the username and password it will need a one-time OTP as a 2nd authentication method.


Remember! We can use a Hardware OTP only for a 2nd authentication method. It doesn't support passwordless.




As before mentioned we are typing here the TOTP Toolset-generated Code.








Please also read the full documentation provided by the OTP hardware token vendor and from Microsoft before going to the configuration steps.

I'm excited to publish this post and can't wait to hear what you think. I'd love to hear your feedback 


Farhad Khankishiyev

MA/MCP/MCA/ISO27001 Auditor


Azure Active Directory (AAD)

Microsoft Authenticator

Microsoft 365

Conditional Access


1 Reply
Thanks for the post Farhad