Tokens General Information

Tokens are authentication methods used as a second factor in authenticating ana user's identity. there are a variety of token types that ana user can ~~enroll,~~enroll in, from SMS or email ~~tokens,~~tokens to Google Authenticator tokens, to hardware tokens in the form of cards or tokens. Each user ~~enrolls~~enrols at least one token when registering for the system. ~~each~~Each user must have at least one token active, regardless of its type. Not every function is available for every type of ~~tokens.~~token.

Available actions for userusers with appropriate privileges:

Add a new token		Register the new token.
Edit existing token		Modify user comment (if allowed) or mobile phone number for SMS token or email address for Email token.
Delete token		Permanently delete a token.
Test of token		Test a token to verify that it is working correctly.
Reset token		Reset of a non-synchronous token.
Disable temporarily / enable token		Disable or enable token - disabled token can't be used for verification as a second factor.
Display token detail	[click on the row]	Display the page with all the details of the specific token.

The list of available actions for the tokens depends on the type of the token and assigned privileges. ~~E.g.~~For example, an SMS token can't be ~~reseted~~reset due to its nature, or users from a specific group can't delete the token due to company policy. The configuration is done on the administrator level.

Status of the token:

ACTIVE		The token is active and ready to be used for user identity verification (in login or approval processes).
DISABLED		The token is disabled and cannot be used to authenticate the user's identity.
OBSOLETE		~~Token~~A token is out of date and it needs to be deleted and registered another one. For example, if it is an SMS or EMAIL token, it is possible to delete it and replace it with a so-called Virtual token, which works ~~exactly~~ the same - based on sending an OTP to an email address or mobile phone.

Adding a new token

Enrollment of the tokens is slightly different from type to type. For detailed instructions visit the page for the specific token:

SMS token
Email token
Virtual token (combination of SMS or Email token type - see above)
MS Authenticator token (mostly TOTP (Time-based One-time Password) type of token)
Google Authenticator token (mostly HOTP (HMAC-Based One-Time Password) type of token)
Physical TOTP token
Physical HOTP token
ANT ID Token (password-less type of token using application ANT ID - OTP)
FIDO2 token

Click on the links to see the ~~detail~~details of the enrollment of specific ~~token.~~tokens.

~~Token types~~Token-type names are fully adjustable by the administrator, so itthey could be different from the used samples.

Modify an existing token

1	Open the Selfservice, go to the Account section and open the Tokens tab.
2	Press the EDIT button [ ] within the chosen token from the context menu [ ]. Not all token types allow editing - SMS or Email ~~token~~tokens (or Virtual ~~token)~~tokens) allow to change the email address or mobile phone number. Other tokens allow to change the Description if this value was entered during enrollment.
3	A new form with the parameters of the token will be opened.
4	Adjust the available parameters and press the SAVE button to save the changes.

Deleting a token

Open the Selfservice, go to the Account section and open the Tokens tab.

Press the DELETE button [ ] within the chosen token from the context menu [ ] and confirm the removal.

Note: a user must always have at least one token in an active state, which means they cannot delete all their tokens.

Note: in case ~~that~~ the token operations are set as approvable actions, then the approval process will be started at this point.

If the deletion is possible (and possibly approved) the token is removed from the list of tokens.

Token test

1	Open the Selfservice, go to the Account section and open the Tokens tab.
2	Press the TEST button [ ] within the chosen token from the context menu [ ].
3	The application opens a new page for the test of the token. All tokens have their own test procedures: SMS, Email or ~~Virual~~Virtual token HOTP/TOTP tokens HW HOTP/TOTP tokens ANT ID - OTP FIDO2 token
5	If everything is correct, you will see information about the successful test.
6	If the token test result is negative, you can do any of the following: delete the token and ~~enroll~~enrol it again reset the token - not all token types ~~allows~~allow it (applies to HOTP type tokens) contact support if the token is, for example, a HW token

Token reset

1	Open the Selfservice, go to the Account section and open the Tokens tab.
2	Press the RESET button [ ] within the chosen token from the context menu [ ]. Note: not all token types allow the reset action to be performed (mainly ~~hotp~~HOTP types of tokens).
3	The token reset form will be opened.
4	Generate two consecutive one-time passwords (OTP) from Google authenticator or a HW token key, enter them into the form and press the RESET button. It is necessary to follow the order of entering both OTPs
5	If everything is correct, you will see information about the successful reset.

Disable temporarily / enable token

Open the Selfservice, go to the Account section and open the Tokens tab.

Press the DISABLE TEMPORARILY button [ ] within the chosen token from the context menu [ ] and confirm the ~~disable /~~ disable/enable action

Note: a user must always have at least one token in an active state, which means they cannot disable all their tokens.

The token will be disabled - the status will change to DISABLED - and it won't be possible to authorize by this token within the ~~loging~~logging or any other operation.

Display token detail

1	Open the Selfservice, go to the Account section and open the Tokens tab.
2	Select the desired token and ~~mouse~~ mouse-click on the selected row.
4	the drawer with the ~~detail~~details of the token will be opened: Status - status of the token (ACTIVE / DISABLED) Description - user description of the token - optional Device - in the case of HW tokens where the device identification is part of the parameters of the token Last used - date of last usage of the token (for authentication) Updated - date of last update of the token Expires - in the case of tokens where the expiration date is part of the parameters of the token
5	~~Drawer~~The drawer also contains buttons for operations available for the token: in the context menu on the title of the drawer [ ]. EDIT button to modify the parameters of the token [ ].