Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

STA documentation
- Explore Thales Docs

SafeNet Trusted Access
SafeNet Agents
SafeNet MobilePASS+
API references
Account management
Release notes

All

All

Push OTP

Requirements and considerations for push OTP

SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

STA documentation
SafeNet Trusted Access
Push OTP
Requirements and considerations for push OTP

Requirements and considerations for push OTP

Push OTP is supported in STA.
MobilePASS+ Push OTP is supported on the following OS platforms:
- Android 4.0 or later
- iOS 8 or later
MobilePASS 8 does not support Push OTP.
Network access to use push and grant push permissions is required.
STA cannot guarantee the delivery of a push notification, since this is under the control of the push notification service providers (Apple and Google) and other factors, such as network connectivity.

If a push notification is not delivered, users can always fall back to manual OTP authentication.

For existing customers, a new token must be enrolled on MobilePASS+ to be able to use push.

Application integration

Any application that is integrated through SafeNet RADIUS Service (FreeRADIUS), SafeNet SAML Service, or SafeNet Agent for AD FS can support Push OTP. Note that the new SafeNet Agent for AD FS must be installed. For additional details, refer to Configure applications for push OTP.

Integration guides for Push OTP are available in the knowledge base section of the Customer Support Portal. These guides describe how to deploy multi-factor authentication (MFA) options in third-party applications using MobilePASS+ managed by STA.

Simple mode is available for all SafeNet RADIUS Service integrations. With simple mode, if Push OTP is enabled, the user can trigger a push notification by leaving the passcode field empty, or by entering any 1-character passcode (excluding s or g if either SMS or GrIDsure tokens are present). Refer to Triggering push notifications in the agent.

Deployment considerations

Before deploying MobilePASS+ with Push OTP, consider the following:

If your users are primarily Android and iPhone users, then deploy MobilePASS+.
If your apps are listed in the integration table, or integrated using SAML, then deploy MobilePASS+.
If your users or apps do not, or only possibly, meet the criteria above, then clarify the scope. For example, if your users are iPhone and BlackBerry users, Push OTP is available for only your iPhone users, and BlackBerry users must continue to use MobilePASS 8.
If this is acceptable, deploy MobilePASS+ for your iPhone users.
How do I migrate current users?

Existing MobilePASS tokens on MobilePASS 8 cannot be used for MobilePASS+. Users who are currently using MobilePASS tokens need to enroll new MobilePASS tokens on MobilePASS+ to use Push OTP.

You need MobilePASS tokens in inventory to migrate users from MobilePASS 8 to MobilePASS+. After users enroll new tokens in MobilePASS+, you can revoke their tokens in MobilePASS 8, return them to inventory, and then reuse them to migrate more users from MobilePASS 8 to MobilePASS+.

Token types and licenses

There is no difference between MobilePASS+ and MobilePASS 8 token types in terms of commercial license and pricing, allocations, provisioning tasks, and auto-provisioning rules.

Checklist: Set up push OTP for new accounts

MobilePASS application

You can select one MobilePASS application per OS type. For example, you can enable iOS for either MobilePASS+ or MobilePASS 8, but not both.

In the STA Token Management console, select Policy > Token Policies > Allowed Targets and Push Notification Settings.
Make any changes to the platforms that you want to deploy Push OTP on. They must use MobilePASS+.

See Enable the allowed targets and push notifications.

(Optional) Policies for rejected push notifications

(Optional) Configure user and operator policies for rejected push notifications.

See Set the push OTP rejection policy (optional).

See Set the operator policy.

Allocate MobilePASS tokens

Allocate MobilePASS tokens. MobilePASS 8 and MobilePASS+ use the same token type.

(Optional) Rejection alert messages

(Optional) Customize the user and operator push notification rejection alert messages, and the self-enrollment page and email template.

See Customize the rejection alert for the user and Customize the rejection alert for the internal operator.

See Customize the self-enrollment page and email template.

Application integrations

To configure application integrations to support Push OTP, do one of the following:

Install and configure the new SafeNet Agent for AD FS 2.0.
Set the combination of RADIUS timeout and retry values to at least 60 seconds for SafeNet RADIUS Service (FreeRADIUS). For example:
- Multiple NPS servers (backup and failover): Timeout: 60 seconds, Retries: 1
- Single NPS server: Timeout: 20 seconds, Retries: 3
- Configure SAML services to display Push OTP user controls on the Login page.
- Deploy SafeNet Agent for NPS 2.0.

See Configure applications for push OTP

Provision MobilePASS tokens to users.

Users must download the MobilePASS+ app and complete the self-enrollment.

See Token management and enrollment and the MobilePASS+ documentation.

Checklist: Set up push OTP for existing accounts

Enable Push OTP

By default, the feature is disabled.

See Enable the allowed targets and push notifications.

Select targets

You can select one MobilePASS application per OS type. For example, for iOS you can enable either MobilePASS+ or MobilePASS 8, but not both.

In the STA Token Management console, select Policy > Token Policies > Allowed Targets and Push Notification Settings.
Make any changes to the platforms that you want to deploy Push OTP on.

See Enable push OTP and MobilePASS+.

Push rejection policies (Optional)

Configure user and operator policies for rejected push notifications.

See Enable push OTP and MobilePASS+ and Set the operator policy.

Allocate additional MobilePASS tokens.

MobilePASS 8 and MobilePASS+ use the same token type.

Revoke MobilePASS 8 tokens that are no longer needed (Optional)

Enroll a new token on MobilePASS+ to use Push OTP.

Push rejection alerts (Optional)

Customize the user and operator push notification rejection alert messages, the self-enrollment page, and the email template.

See Customize the rejection alert for the user, Customize the rejection alert for the internal operator, and Customize the self-enrollment page and email template.

Configure applications

To configure application integrations to support Push OTP, do one of the following:

Install and configure the new SafeNet Agent for AD FS 2.0.
Set the combination of RADIUS timeout and retry values to at least 60 seconds for SafeNet RADIUS Service (FreeRADIUS). For example:
- Multiple NPS servers (backup and failover): Timeout: 60 seconds, Retries: 1
- Single NPS server: Timeout: 20 seconds, Retries: 3
Configure SAML services to display Push OTP user controls on the Login page.
Deploy SafeNet Agent for NPS 2.0.

See Configure applications for push OTP.

User self-enrollment

Users must download the MobilePASS+ app and complete the self-enrollment.

See Token management and enrollment and the MobilePASS+ documentation.

On this page

SafeNet Trusted Access

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com