OATH Seed Versus OATH Tokens And What Each of Them Contain

Applies to:
  • SecureAuth Identity Platform
  • Legacy SecureAuth IdP
Deployment model:
  • Cloud
  • Hybrid
  • On Premises
Version Affected: All


    This article explains the basics of how an OATH Seed and an OATH Token are used to generate Time-Based One-Time Passcode (TOTP) values. It covers how OATH Seeds and OATH Tokens are used by the SecureAuth IdP and, typically, by authenticator apps such as SecureAuth Authenticate, Google Authenticator, and Microsoft Authenticator.

    For more information on what each authenticator supports, see our separate article on that topic.


    For context, an Authentication Realm is a realm where the user is prompted for a login. In these explanations, the Authentication Realm is set up for Time-Based One-Time Passcode 2FA. The Enrollment Realm is a realm designed to enroll users for an OATH Seed or OATH Token, based on the settings chosen on the Post Authentication tab. The OATH Seed or OATH Token is then stored in the linked datastore.


    An OATH Seed is just a string value that is combined with the current time, the passcode length, and the passcode interval to create a unique TOTP. The SecureAuth IdP typically pulls the OATH Seed from your datastore to generate the TOTP and match it against what the user enters on the 2FA page. You can only have one OATH Seed value at a time, and if you enroll multiple devices with the same seed, they will all generate the same TOTP at that time.


    OATH Tokens are OATH Seeds with more information stored. This includes the Enrollment Realm's Passcode Length and Passcode Interval. An OATH Token therefore does not use the Authentication Realm's Passcode Length or Passcode Interval values, because those values are already stored in the OATH Token itself. SecureAuth can use what is in the OATH Token to match the TOTP without the help of the Authentication Realm's settings. This means you can have multiple unique OATH Tokens in the same OATH Token attribute. If you were to enroll your devices with these different OATH Tokens, each device would have a different TOTP at that time.
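
    The difference between the two models, as an added example that is not SecureAuth code: it assumes the standard RFC 6238 TOTP algorithm with HMAC-SHA1, which this article does not specify, and the `OathToken` record and both `verify_*` functions are hypothetical names. The seed values used with it are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def totp(secret: bytes, unix_time: int, digits: int, interval: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given time, length and interval."""
    counter = unix_time // interval
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass(frozen=True)
class OathToken:
    """Hypothetical record: a seed plus the Enrollment Realm's settings."""
    seed: bytes
    digits: int
    interval: int


def verify_with_seed(seed, realm_digits, realm_interval, submitted, now):
    # Seed model: the Authentication Realm supplies length and interval,
    # so they must match what the enrolled device is using.
    expected = totp(seed, now, realm_digits, realm_interval)
    return hmac.compare_digest(expected, submitted)


def verify_with_tokens(tokens, submitted, now):
    # Token model: every stored token carries its own length and interval;
    # the Authentication Realm's values are not consulted.
    for index, tok in enumerate(tokens):
        expected = totp(tok.seed, now, tok.digits, tok.interval)
        if hmac.compare_digest(expected, submitted):
            return index  # which enrolled token produced the passcode
    return None
```

    Under these assumptions, a device enrolled with a bare seed only verifies when the Authentication Realm's length and interval agree with the device, while each token verifies on its own stored settings. Production verifiers usually also accept a small number of adjacent time steps for clock drift, which this sketch omits.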

    Special Considerations:  

    These are just the basics as to what each of these does and how they generate their TOTP values. If you wish to change your configurations or learn more about support for each type, please visit our documentation site at https://docs.secureauth.com


    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.

