Requesting factory-set seeds for Token2 hardware tokens

What does it cost?

There is no additional cost nor license fees for requesting the seeds in any format. 

Who is authorized to request the seeds?

The seeds can be requested only by the users listed as authorized to receive the seeds. When placing the order, you can specify the additional email addresses in the "Additional info" field. If you are using purchase orders to place orders with us, the email addresses can be specified in the PO as well.

The order owner can also add additional addresses authorized to request seeds in the customer area. The procedure is described here

Which hardware devices can I request the seeds for?

In principle, any standalone TOTP token model comes pre-seeded, and you can request factory-set seeds for both classic and programmable tokens. The factory-set seeds for programmable tokens are used for quality checks at the factory, but they are not removed afterward, therefore the process is exactly the same. Please note that there is no "factory reset" for the seeds, and if the token was reprogrammed and/or reconfigured, there is no way to use the factory seeds.

Security keys with OTP algorithm functionality can be used as TOTP/HOTP tokens, but they come with empty seeds, and you should generate new ones using special tools we provide. For this reason, there are no seed request procedures applicable to security keys.

Requesting seeds

After your order was physically delivered, you can request the seeds for the tokens in multiple formats, including an Azure MFA compatible CSV file, encrypted with a PGP or GPG public key or in a password-protected zip file. 

⚠ Important: by submitting this seed request, you are confirming that the physical products of your order have been successfully delivered. It is not recommended to request the seeds before the delivery as you will lose the possibility to get the products resent or a refund in case of a damaged product or failed delivery.

To request the seeds, navigate to your order page. The order page is a unique URL sent by Token2 several times (at least twice: when you pay for the order and when the order is shipped). Scroll down to the list of serial numbers and click on "Request Seeds" button.

Requesting factory-set seeds for Token2 hardware tokens

This will redirect you to a pre-filled seed request form. Only the following information is expected to be clarified by the end-users:

  • Encryption method: you can use PGP by providing your public PGP or GPG key (recommended option), or, if you are not familiar with PGP, a password-protected zip file (you are expected to enter a strong password - containing English letters and digits). Important: do not use both methods.

    Requesting factory-set seeds for Token2 hardware tokens

  • Choose the format you want the seeds to be sent under "Secret Key Format" section. For Azure MFA, choose "CSV for Azure MFA..."

    Requesting factory-set seeds for Token2 hardware tokens

After completing the form, click on Send button to submit your request. This will send the request along with creating a support ticket assigned to one of our technical support agents. Shortly after, you will receive an update (both via email and via our support portal) with the seeds in the requested format as attachments or as downloadable links.

Please note that this process requires manual verification, but usually is fast if the request is received within our working hours (9AM to 6PM, CET timezone). Your email address has to be listed as authorized for the order, otherwise the request will be rejected.

Importing the seed file to Azure MFA

Follow the instructions here to complete the import process. Kindly note that you need Azure AD (Microsoft Entra ID) Premium P1 or P2 license to be able to use this method.

Frequently asked questions

Q. How do I decrypt the PGP file?
A. Please note that we do not provide support for GPG or PGP tools or software. If you don't feel comfortable dealing with asymmetric encryption, use a password-protected zip file method instead.

Q. Why is the PGP file sent as a zero-sized file which I cannot decrypt?
This usually happens when the public key submitted in the seed request form is malformed or corrupted. Recheck the public key content (make sure the '-----BEGIN PGP PUBLIC KEY BLOCK-----' and '-----END PGP PUBLIC KEY BLOCK-----' lines are present) and submit your seed request again.

Q. Why I cannot unzip the zip archive sent?
As the request is sent to our web server, some characters (such as slashes, quotes, backticks, etc.) may have been sanitized by the web security engine of the CDN we use. You can retry using letters and digits (specify a longer password to keep the security at a good level).

Q. Why is the file I received named .txt, not .csv?
If we keep the file with .csv, it will, by default, open in Excel, which breaks the format of the file when editing. As mentioned already, please use a plain text editor (such as Notepad) to modify the contents. You can keep the extension as .txt; Azure accepts it with no issues.

Q. Why was my seed request rejected and closed?
This happens in the following cases:

  • Your email address has to be listed as authorized for the order, otherwise the request will be rejected
  • The serial number of the tokens does not match the list of the serial numbers recorded. This may happen if you manually entered the serial numbers: please note that you normally should not enter the serial numbers - if you access the seed request form from your order page by using the 'Request seeds' button, the list of the serial numbers should be populated automatically
  • The order ID is not correct or not matching: please note that you should be using the order ID (currently 4 or more digits), which is also called 'seed request ID'. This ID may be different from the invoice number or purchase order number. If you bought the tokens via a reseller, ask them to provide your order's seed request URL