Using programmable hardware tokens with Azure AD B2C
On August 16th, 2022, Microsoft announced TOTP-based MFA for Azure AD B2C as generally available. The name used for this authentication method is "OATH software tokens", which is another name for TOTP authentication apps like Google Authenticator or Microsoft Authenticator.
This means that, unfortunately, the classic OATH tokens currently available with Azure AD (still in preview) cannot be used for Azure AD B2C.
Luckily, you can still benefit from Token2 Programmable tokens as they act as a drop-in replacement for TOTP Apps - the only additional step required in this case is transferring the TOTP secret key (shown as a QR code during the MFA enrollment) onto the hardware token using one of our apps (NFC Burner or USB Config tool, depending on the hardware token model you have).
The guide below will provide basic instructions on how to provision a hardware token for Azure AD B2C MFA.
An iPhone or Android device with NFC* - this is needed for the enrollment only; subsequent logins will only require the hardware token
The TOTP authentication method has to be enabled for the desired user flow; refer to the Microsoft article for the exact steps
[* Android and Windows versions are available for all models, but this guide will use the iPhone app as an example. iPhone apps are compatible with "-i" models only. Linux and macOS can be used for some models using a special NFC Writer device]
Provisioning the hardware token
When an Azure AD B2C application enables MFA using the TOTP option, end users need to use an authenticator app to generate TOTP codes. In our case, we will replace the authenticator app with a hardware token, but to transfer the QR code content onto the hardware token, we still need an app that will write the secret onto the token (or, in other words, burn it via NFC, in this example). This can be done by end users (as long as they have an NFC-enabled device and one of our NFC Burner apps installed), or, alternatively, an Azure AD B2C system admin or helpdesk person can help the end users by following the steps below:
Download and install the NFC Burner app on your Android or iOS mobile device. The exact app must be chosen from this table by selecting the hardware token model in the left column.
Open the application requiring you to use TOTP for MFA, for example Contoso webapp, and then sign in or sign up by entering the required information.
If you're asked to enroll your account by scanning a QR code using an authenticator app, open the NFC Burner app and follow the steps below:
Launch the NFC burner app on your Android device and hit the "QR" button
Point the camera to the QR code shown on the account page. Upon a successful QR scan, the camera window should disappear
Turn on the token and touch it with your phone (make sure it is overlapped by the NFC antenna) and click "Connect" on the app
Upon successful connection, click the "Burn seed" button. If the NFC link is established and the code was correctly scanned, you should see a status window showing "Burning..." and eventually (in a second or two) a "burn seed successful" message in the log window
Follow the steps below to set the seed for your token using the Windows app.
1. Launch the exe file, then select the NFC device from the drop-down list and click on "Connect". You should see a message box notifying about a successful operation.
2. Enter the generated seed (in base32 format):
3. Place the token onto the NFC module and wait for its serial number to appear.
4. Click the "Burn seed" button. A log entry with the serial number and the text "Successful operation" will appear in the log window.
Launch the NFC burner app on your iPhone and hit the "scan QR" button
Point the camera to the QR code shown on the account page. Upon a successful QR scan, the camera window should disappear and the seed field will be populated with the hex value of the seed
Touch the Burn button, then turn on the token and touch the top of your iPhone with the token
Check the results of the process in the Results log field
Please note that the procedures above are shown only as examples and apply to single-profile TOTP tokens only. The procedure for multi-profile and USB-programmable devices is similar but slightly different.
After the token is provisioned successfully, continue with the web application:
In the application (for example, Contoso webapp), select Continue.
Turn the hardware token off, then on again (to make sure the newly written secret is used to generate the OTP)
In Enter your code, enter the code that appears on your hardware token's screen.
During subsequent sign-ins to the application, type the code that appears on the hardware token; neither the NFC Burner app nor the device used to configure the token will be needed any longer.
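As an added illustration (not part of the original guide or of Token2's apps), the following Python script shows what the burner apps do with the scanned QR code: it parses the standard otpauth:// URI, converts the base32 seed (the value the Windows tool asks for) to the hex seed (the value the iPhone app displays), and computes the RFC 6238 TOTP code so a helpdesk person can check that the freshly provisioned token displays the expected code. The sample URI and its secret are constructed test values, and the token is assumed to be a standard HMAC-SHA1, 30-second, 6-digit TOTP device, as its drop-in replacement of an authenticator app implies.

```python
"""Decode a TOTP enrollment QR code and compute the code a provisioned token should show."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample of an otpauth URI as carried by an enrollment QR code.
# The secret is a well-known test value, not a real enrollment secret.
SAMPLE_URI = ("otpauth://totp/Contoso%20webapp:alice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Contoso%20webapp&digits=6&period=30")


def parse_otpauth(uri):
    """Return label, base32 secret, digits and period from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def seed_hex(secret_base32):
    """Base32 seed (Windows tool input) -> hex seed (what the iPhone burner shows)."""
    padded = secret_base32 + "=" * (-len(secret_base32) % 8)  # restore stripped padding
    return base64.b32decode(padded).hex()


def totp(secret_base32, for_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1), the algorithm a standard TOTP hardware token runs."""
    key = bytes.fromhex(seed_hex(secret_base32))
    counter = struct.pack(">Q", int(for_time) // period)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print("account:", p["label"])
    print("hex seed to burn:", seed_hex(p["secret"]))
    print("code the token should show now:", totp(p["secret"], time.time(), p["digits"], p["period"]))
```

If the token's display disagrees with the computed code, the usual causes are a seed that was not burned (the token still runs its old secret, hence the power-cycle step above) or a clock drift on the token.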