Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

SAS PCE documentation
- Explore Thales Docs

SAS PCE
Agents
MobilePASS+
SafeNet Access Exchange
BSIDCA API
- BSIDCA endpoints
- BSIDCA custom attributes
Integrations
Account management
Release Notes

All

All

Push OTP

Push OTP authentications

Please Note:

SAS PCE
Get started
- System Requirements
- Installation
  - Install SafeNet Authentication Service
  - Prepare database
  - Configure SafeNet Authentication Service
  - Configure SafeNet Authentication Service for High Availability
  - Configure for MobilePASS and MobilePASS+ Enrollment
  - Onboarding for MobilePASS+ enrollment
  - Security and Compliance
- Upgrade
  - SafeNet Authentication Service pre-upgrade checklist
  - SafeNet Authentication Service upgrade - primary data center
  - SafeNet Authentication Service upgrade - secondary data center
  - SafeNet Authentication Service post-upgrade checklist
  - Additional Considerations
- System setup
  - Setup
  - Communications
  - Logging
Dashboard
- On-Boarding
- Virtual Servers
- Administration
Users and groups
- Configure individual users
- Manage tokens for a user
- Groups
- Containers
- Restrict access based on the time, day, or date
- User Policies
User synchronization
- LDAP sync server settings
- LDAP integration
- LDAP settings
Operators and roles
- Operators
- External Operators
- Provision roles automatically
- Alerts
Tokens
- Token types
  - Hardware tokens
    - OTP hardware token
    - KT-4 tokens
    - RB-1 tokens
  - Software tokens
    - GrIDsure
    - SMS OTP token
  - Third Party tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary Password Policy
- Token Passcode Processing Policy
- Configure server-side PINs
- Token synchronization
- Import SafeNet tokens
- Token inventory
- Deallocate inventory
- MobilePASS target and Push OTP settings
- SMS credits
- SMS/Email/Voice OTP Delivery Methods
- Quicklog authentication
- Initialize hardware tokens
Provisioning tokens to users
- Provision tokens
- Automate token provisioning
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for Push OTP
- Enable Push OTP and MobilePASS+
- Push OTP Rejection Policy
- Customize Push notifications and alerts
- Configure applications for Push OTP
- Token management and enrollment
- Push OTP authentications
RADIUS integration
- RADIUS third-party token support
- RADIUS attributes for users or groups
- Block RADIUS authentication
Server and agent settings
- Authentication Nodes
- Pre-authentication rules
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configure a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
- Display Device Information
- Download an encryption key for remote services
Self-service site
- Site appearance and default language
- Self-Service Modules
- Self-Enrollment pages
- Configure authorities, OOB enrollment, and policies
- Process requests and view reports
Branding the appearance
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Troubleshooting
- Authentication errors
- Error codes

SAS PCE documentation
SAS PCE
Push OTP
Push OTP authentications

Push OTP authentications

Triggering push notifications in the agent

The agents provide two user interaction models:

Simple mode, which is provided by the SafeNet RADIUS Service or SafeNet Agent for NPS 2.0
Rich user experience, which is provided by the SafeNet SAML Service and SafeNet Agent for AD FS.

Simple mode

With simple mode, if Push OTP is enabled, the user can trigger a push notification by:

leaving the passcode field empty, or
entering any 1-character passcode (excluding s or g if other authentication methods are present)

To override push and use another authentication method (if present), the user can:

enter s to trigger SMS, or
enter g to trigger GrIDsure

If Push OTP is disabled for the Virtual Server, an empty or any 1-character passcode triggers an SMS challenge-response or a GrIDsure, depending on the token type that the user has enrolled.

Passcode triggers are not case-sensitive.

For MS-CHAPv2 encryption, instead of any 1-character, the only passcode triggers that are allowed are p, s, g, or a space. Using any other character causes the authentication to fail.

Rich user experience

With the rich user experience provided by the SafeNet SAML Service and SafeNet Agent for AD FS, if Push OTP is enabled, the user is presented with the option to choose between using their mobile device to automatically send a passcode, or manually entering a passcode.

To override push and use another authentication method (if present), the user can:

Choose Enter a passcode manually, and then:
- enter s to trigger SMS, or
- enter g to trigger GrIDsure

If Push OTP is disabled for the Virtual Server, an empty or any 1-character passcode triggers an SMS challenge-response or GrIDsure, depending on the token type that the user has enrolled.

Passcode triggers are not case-sensitive.

For MS-CHAPv2 encryption: Instead of any 1-character, the only passcode triggers that are allowed are p, s, g, or a space. Using any other character causes the authentication to fail.

Push notification contents

Push notification includes the following content:

Resource Name: This is the application where the login request originated.
Organization Name: This matches the custom organization name that is defined in SAS (see Set the custom organization name).
User Name: This is the user who made the request (this name should match what was typed in during login on the application).
Timestamp: This is the login request start time, localized for display on the phone.
Geolocation and IP Address: This is the location and the user IP address where the request originated. For web-based agents, this is the browser IP address, and for login agents, this is the machine IP address. The user IP address is not supported for the SAS RADIUS service.

What happens...

...when a user accepts a push notification?

When a user receives a login request on their phone, and taps APPROVE, the notification automatically generates an OTP and sends it to Thales Push Service. When the authentication succeeds, the user is granted access to the protected resource.

...when a user denies a push notification?

When a user receives a login request on their phone and taps DENY, two options are presented:

It wasn’t me! — Tapping this option ends the authentication, and treats it as a failed authentication (as if the user had typed the wrong passcode).
I made a mistake — Tapping this option ends the authentication. This is treated the same as a timeout or expired notification.

If configured, rejecting a notification sends a push notification rejection alert email to the user and the operator. If the user’s account gets locked due to this Push OTP rejection, the body of this alert is appended to the user lockout alert that is sent to the user.

See the Customize the rejection alert for the user and Customize the rejection alert for the Internal Operator.

...if a push notification times out?

If a push notification times out, the user can either initiate push again, or manually enter a generated OTP.

...if a user is challenged for an OTP to resync the token?

If a user is challenged for an OTP to resync the token, the OTP is not automatically sent and has to be entered manually. In the SAS console in Snapshot > Authentication Activity, this is logged as an Outer Window Authentication event in the Result column, and the user needs to resynchronize the token by manually entering a new OTP.

Authentication activity logging

Push log activity can be viewed in the SAS console in Snapshot > Authentication Activity.

alt_text

Push notifications are listed in the Result column as Challenge, and are displayed with the same information that is included in the push notification to the user.
Push notifications that are accepted (approved) by the user are listed in the Result column as Success.
Push notifications that are rejected (deny & report) by the user are listed in the Result column as Failure, with a message to indicate that the failure was due to user rejection.
Push notifications that are ignored by the user do not result in another entry after the Challenge.

Push OTP authentication history report

This report lists Push OTP transactions and their outcome in chronological, descending order.

On this page

SafeNet Authentication Service Private Cloud Edition

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com