Using programmable TOTP hardware token with Salesforce MFA

If your company requires multifactor authentication (MFA) for increased security when you log in or access connected apps, reports, or dashboards, use a code from the app. If MFA is turned on, and you haven’t set up a verification method yet, you’re prompted to register the next time you log in to Salesforce.

As our programmable hardware tokens act as a drop-in replacement for TOTP apps, you can enroll a hardware token to be used with Salesforce MFA.

⚠ Please note that the recommended MFA method for Salesforce is security keys. You can use TOTP hardware tokens in situations where security keys are not feasible, e.g. if you cannot use a USB port or the security keys option is not enabled for your organization.

Requirements

  • A Salesforce account (regular, no admin rights needed)
  • A Token2 programmable token (the guide below shows C301i as an example)
  • An iPhone or Android device with NFC enabled (alternatively, Windows or Python with special NFC hardware can be used as well) - this is needed for the enrollment only, subsequent logins will only require the hardware token

The steps below describe the process using an iPhone and a C301i token, but please note that the same operation can be done using any of our programmable tokens and supported platforms (i.e. Android or Windows) with minor differences.

1. Install the provisioning tool

Download and install the supported provisioning app for your device type. Refer to this page to find the correct app for your token and the operating system. For our example, we selected the C301i as the token model and iPhone as the platform. If you use another token model or platform, choose the correct ones from the list.

2. Enroll the hardware token

  • Click on your user avatar (right top corner) and select Settings
  • From the user settings page, click on 'Advanced User Details', then on the right window, find 'App Registration: One-Time Password Authenticator' and click on 'Connect'
  • For security purposes, you’re prompted to log in to your account
  • On the next window, Salesforce will show you a QR code similar to the one shown below
  • Burn the hardware token using the instructions below for your platform (Android, Windows or iPhone)

    Android:

    • Launch the NFC burner app on your Android device and hit the "QR" button
    • Point the camera at the QR code shown on the account page. Upon a successful QR scan, the camera window should disappear
    • Turn on the token and touch it with your phone (make sure it is overlapped by the NFC antenna) and click "Connect" in the app
    • Upon successful connection, click the "Burn seed" button. If the NFC link is established and the code is correctly scanned, you should see a status window showing "Burning..." and eventually (in a second or two) a "burn seed successful.." message in the log window

    Windows:

    Follow the steps below to set the seed for your token using the Windows app.

    1. Launch the exe file, then select the NFC device from the drop-down list and click on "Connect". You should see a message box notifying you of a successful operation.
    2. Enter or paste the seed in base32 format, or use one of the QR scanning methods to populate this field
    3. Place the token onto the NFC module and wait for its serial number to appear
    4. Click on the "Burn seed" button. A log entry with the serial number and "Successful operation" text will be logged in the log window.

    iPhone:

    • Launch the NFC burner app on your iPhone and hit the "scan QR" button
    • Point the camera at the QR code shown on the account page. Upon a successful QR scan, the camera window should disappear and the seed field will be populated with the hex value of the seed
    • Touch the Burn button, then turn on the token and touch the top of your iPhone with the token
    • Check the results of the process in the Results log field

    Please note that the procedures above are shown only as examples and are valid for single-profile TOTP tokens only. The procedure for multi-profile and USB-programmable devices is similar but slightly different
  • In the Salesforce window, enter the 6 digit OTP shown on the token and click Connect
  • If the process was done correctly and the code is accepted, you will be redirected to the main page

Now the account is ready to use this identity verification method. When Salesforce prompts you for the OTP code generated by the Authenticator app, just press the button on your hardware token and enter the 6 digits generated by the device.
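As an added example (not Token2's or Salesforce's code), the following Python script shows the check behind the enrollment steps above: it parses the kind of otpauth:// URI a TOTP QR code carries, converts the base32 seed (the form the Windows burner accepts) to the hex form the iPhone burner displays, and computes the RFC 6238 code so you can confirm that the 6 digits on the freshly burned token match the seed before relying on it. The sample URI and its secret are constructed for illustration and are not a real Salesforce seed.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample URI in the otpauth://totp format used by TOTP QR codes.
# The secret is a made-up test value, not a real Salesforce seed.
SAMPLE_URI = "otpauth://totp/Salesforce:user%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Salesforce"


def parse_otpauth(uri: str) -> dict:
    """Extract label, issuer, base32 seed, digits and period from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", [""])[0],
        "secret_b32": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def seed_b32_to_hex(secret_b32: str) -> str:
    """Base32 seed (Windows burner input) -> hex seed (what the iPhone burner shows)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore '=' padding
    return base64.b32decode(padded).hex()


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the algorithm a single-profile TOTP token implements."""
    key = bytes.fromhex(seed_b32_to_hex(secret_b32))
    counter = struct.pack(">Q", at // period)          # time step as 8-byte big-endian
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_matches_token(secret_b32: str, shown: str, now=None) -> bool:
    """True if the digits shown on the token match the seed for the current or adjacent step."""
    now = int(time.time()) if now is None else now
    return any(totp(secret_b32, now + d) == shown for d in (-30, 0, 30))


if __name__ == "__main__":
    info = parse_otpauth(SAMPLE_URI)
    print("hex seed:", seed_b32_to_hex(info["secret_b32"]))
    print("current code:", totp(info["secret_b32"], int(time.time())))
```

The seed is the long-term credential for this method; once the token is burned and its code verified, the QR code and any pasted copy of the seed should not be retained.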