Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

SAS PCE documentation
- Explore Thales Docs

SAS PCE
Agents
MobilePASS+
SafeNet Access Exchange
BSIDCA API
- BSIDCA endpoints
- BSIDCA custom attributes
Integrations
Account management
Release Notes

All

All

Push OTP

Requirements and considerations for Push OTP

Please Note:

SAS PCE
Get started
- System Requirements
- Installation
  - Install SafeNet Authentication Service
  - Prepare database
  - Configure SafeNet Authentication Service
  - Configure SafeNet Authentication Service for High Availability
  - Configure for MobilePASS and MobilePASS+ Enrollment
  - Onboarding for MobilePASS+ enrollment
  - SAS PCE Windows Services Startup Recommendations
  - Security and Compliance
- Upgrade
  - SafeNet Authentication Service pre-upgrade checklist
  - SafeNet Authentication Service upgrade - primary data center
  - SafeNet Authentication Service upgrade - secondary data center
  - SafeNet Authentication Service post-upgrade checklist
  - Additional Considerations
- System setup
  - Setup
  - Communications
  - Logging
Dashboard
- On-Boarding
- Virtual Servers
- Administration
Users and groups
- Configure individual users
- Manage tokens for a user
- Groups
- Containers
- Restrict access based on the time, day, or date
- User Policies
User synchronization
- LDAP sync server settings
- LDAP integration
- LDAP settings
Operators and roles
- Operators
- External Operators
- Provision roles automatically
- Alerts
Tokens
- Token types
  - Hardware tokens
    - OTP hardware token
    - KT-4 tokens
    - RB-1 tokens
  - Software tokens
    - GrIDsure
    - SMS OTP token
  - Third Party tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary Password Policy
- Token Passcode Processing Policy
- Configure server-side PINs
- Token synchronization
- Import SafeNet tokens
- Token inventory
- Deallocate inventory
- MobilePASS target and Push OTP settings
- SMS credits
- SMS/Email/Voice OTP Delivery Methods
- Quicklog authentication
- Initialize hardware tokens
Provisioning tokens to users
- Provision tokens
- Automate token provisioning
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for Push OTP
- Enable Push OTP and MobilePASS+
- Push OTP Rejection Policy
- Customize Push notifications and alerts
- Configure applications for Push OTP
- Token management and enrollment
- Push OTP authentications
RADIUS integration
- RADIUS third-party token support
- RADIUS attributes for users or groups
- Block RADIUS authentication
Server and agent settings
- Authentication Nodes
- Pre-authentication rules
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configure a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
- Display Device Information
- Download an encryption key for remote services
Self-service site
- Site appearance and default language
- Self-Service Modules
- Self-Enrollment pages
- Configure authorities, OOB enrollment, and policies
- Process requests and view reports
Branding the appearance
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Troubleshooting
- Authentication errors
- Error codes

SAS PCE documentation
SAS PCE
Push OTP
Requirements and considerations for Push OTP

Requirements and considerations for Push OTP

Push OTP is supported in SAS PCE 3.9.1 GA version or later.
MobilePASS+ Push OTP is supported on the following OS platforms:
- Android 8.0 or later
- iOS 14 or later
MobilePASS 8 does not support Push OTP.
Network access to use push and grant push permissions is required.
Thales Push Service cannot guarantee the delivery of a push notification, since this is under the control of the push notification service providers (Apple and Google) and other factors, such as network connectivity.

If a push notification is not delivered, users can always fall back to manual OTP authentication.

For existing customers, a new token must be enrolled on MobilePASS+ to be able to use push.

Application integration

Any application that is integrated through SafeNet RADIUS Service (FreeRADIUS) or SafeNet Agent for AD FS can support Push OTP. Note that the new SafeNet Agent for AD FS must be installed. For additional details, refer to Configure applications for Push OTP section.

Integration guides for Push OTP are available in the knowledge base section of the Customer Support Portal (Knowledge Center > Search the Knowledge Base). These guides describe how to deploy multi-factor authentication (MFA) options in third-party applications using MobilePASS+.

Simple mode is available for all SafeNet RADIUS Service integrations. With simple mode, if Push OTP is enabled, the user can trigger a push notification by leaving the passcode field empty, or by entering any 1-character passcode (excluding s or g if either SMS or GrIDsure tokens are present). Refer to Triggering Push notifications in the agent section.

Deployment considerations

Before deploying MobilePASS+ with Push OTP, consider the following:

If your users are primarily Android and iPhone users, then deploy MobilePASS+.
If your apps are listed in the integration table, then deploy MobilePASS+.
If your users or apps do not, or only possibly, meet the criteria above, then clarify the scope. For example, if your users are iPhone and BlackBerry users, Push OTP is available for only your iPhone users, and BlackBerry users must continue to use MobilePASS 8. If this is acceptable, deploy MobilePASS+ for your iPhone users.

How do I migrate current users?

Existing MobilePASS tokens on MobilePASS 8 cannot be used for MobilePASS+. Users who are currently using MobilePASS tokens need to enroll new MobilePASS tokens on MobilePASS+ to use Push OTP.

You need MobilePASS tokens in inventory to migrate users from MobilePASS 8 to MobilePASS+. After users enroll new tokens in MobilePASS+, you can revoke their tokens in MobilePASS 8, return them to inventory, and then reuse them to migrate more users from MobilePASS 8 to MobilePASS+.

Checklist: Set up Push OTP for new accounts

You can select one MobilePASS application per OS type. For example, you can enable iOS for either MobilePASS+ or MobilePASS 8, but not both.
- In the SAS console, select Policy > Token Policies > Software Token & Push OTP Settings > Allowed Targets and Push Notification Settings.
- Make any changes to the platforms that you want to deploy Push OTP on. They must use MobilePASS+.
(Optional) Configure user (refer to Set the Push OTP rejection policy (optional))and operator policies for rejected Push notifications (refer to Set the Operator policy).
Allocate MobilePASS tokens. MobilePASS 8 and MobilePASS+ use the same token type.
(Optional) Customize the rejection alert for the user and Operator, and the self-enrollment page and email template.
To configure application integrations to support Push OTP, do one of the following:
- Install and configure the new SafeNet Agent for AD FS 2.0.
- Set the combination of RADIUS timeout and retry values to at least 60 seconds for SafeNet RADIUS Service (FreeRADIUS). For example:
  - Multiple NPS servers (backup and failover): Timeout: 60 seconds, Retries: 1
  - Single NPS server: Timeout: 20 seconds, Retries: 3
- Deploy SafeNet Agent for NPS 2.0.
Provision MobilePASS tokens to users.
Users must download the MobilePASS+ app and complete the self-enrollment.

Checklist: Set up Push OTP for existing accounts

Enable Push OTP. By default, the feature is disabled.

Once enabled, follow the intructiones mentioned in the above checklist. The only difference in setting up Push OTP for existing accounts is you need to enroll a new token on MobilePASS+. You can also revoke (optional) MobilePASS 8 tokens that are no longer needed.

On this page

SafeNet Authentication Service Private Cloud Edition

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com