How to obtain the seeds for your OTP tokens

One-time password tokens contain secret seeds that must be imported into access management software before they can be used with that software. This guide explains how to get the seeds for OTP tokens bought from Microcosm.

What are OTP seeds?

OTP tokens have a secret key burnt into them at production time. This value is called the "seed" and is known only to the token and the validating 2FA/MFA server. You obtain the seeds for your tokens in a file we call a "seeds file". The seeds file lists each token serial number and its corresponding seed. Importing the seeds file into your 2FA/MFA platform registers these tokens with it, after which you can assign them to users to authenticate with.

How do I get the seeds for my tokens?

There are a few things you need to think about before receiving seeds for the first time:

  • Format - the file type of the seeds file. Refer to the documentation for your 2FA/MFA platform to see which format(s) it supports. Most solutions use plain text (TXT and CSV are the most common plain text formats), while some require PSKC.

  • Encoding - the way the binary data of the seeds is represented as text inside the file. The most common encodings are hexadecimal and base32. Again, the documentation for your authentication system will indicate which encoding it requires.

  • Security - the secrecy of the seeds is vital to the security provided by one-time passwords, so we provide a number of different ways to send the seeds to you securely. For example, we can put the seeds file inside an encrypted, password-protected ZIP file, then email you a download link for the ZIP file and send the password separately via SMS.

  • Recipient(s) - who will receive the seeds file.
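
To illustrate the format and encoding points above, here is an added Python example (not Microcosm's code or file layout) that re-encodes a plain-text seeds file between hexadecimal and base32 and checks the result with an RFC 4226 HOTP calculation. The `serial,seed` column layout, the serial numbers and the function names are assumptions; the seed is the public RFC 4226 test secret.

```python
import base64, csv, hashlib, hmac, io, struct

# Constructed sample: the "serial,seed" layout and serials are assumptions;
# the seed is the public RFC 4226 test secret, not a real token seed.
SAMPLE_HEX_CSV = (
    "serial,seed\n"
    "TEST0001,3132333435363738393031323334353637383930\n"
    "TEST0002,3132333435363738393031323334353637383930\n"
)

def parse_seeds(text, encoding):
    """Return {serial: raw seed bytes} from a CSV seeds file ('hex' or 'base32')."""
    seeds = {}
    for row in csv.DictReader(io.StringIO(text)):
        serial, value = row["serial"].strip(), row["seed"].strip()
        if encoding == "hex":
            raw = bytes.fromhex(value)
        elif encoding == "base32":
            value = value.upper()
            # Tolerate files that omit the trailing '=' padding.
            raw = base64.b32decode(value + "=" * (-len(value) % 8))
        else:
            raise ValueError(f"unsupported encoding: {encoding}")
        if not raw or serial in seeds:
            raise ValueError(f"empty seed or duplicate serial: {serial}")
        seeds[serial] = raw
    return seeds

def to_csv(seeds, encoding):
    """Write the seeds out in the encoding the MFA platform expects."""
    if encoding not in ("hex", "base32"):
        raise ValueError(f"unsupported encoding: {encoding}")
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["serial", "seed"])
    for serial, raw in seeds.items():
        text = raw.hex() if encoding == "hex" else base64.b32encode(raw).decode()
        writer.writerow([serial, text])
    return out.getvalue()

def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP, used to confirm a seed survived conversion intact."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)
```

Comparing the raw bytes before and after conversion, and one computed code against the value shown on a token, catches a wrong encoding choice before the file is imported.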

Once you have this information, log in to your Microcosm account to configure these settings and request the seeds.

On the Account Details page, scroll to OTP token seed preferences and decide whether you want to use the same settings for every order or if you want to choose the settings each time you order.

For most customers the best option is to use the same settings each time, and have the seeds sent to the person (or persons) in your organisation responsible for adding the tokens to your MFA platform and issuing them to users (e.g. your IT admins).

Resellers will have different customers with different requirements, so in most cases they should choose to specify settings on a per-order basis.

Your next steps depend on which option you choose:

Specify settings to use for all orders

  1. Choose this option and enter your settings now. Seeds will be emailed to registered contacts on your account with the Receive OTP token seeds option selected. Click Update Details to save your settings.

  2. If this is your first order of OTP tokens, navigate to Past Orders and click the OTP token icon next to your order. On this page you can review the settings you just entered, and click Send Seeds to email the seeds.

    For future orders, when an order is dispatched the seeds will be issued automatically without you needing to do anything.

Ask me for every order

  1. Choose this option and click Update Details to save your choice.

  2. To specify the seed settings for an order, navigate to the Past Orders page and click the OTP token icon next to that order. On the next page, enter your settings, then click Update & Send Seeds to save them and email the seeds.

    For future orders, when an order is dispatched you will receive an email prompting you to visit your account and choose the settings for that order. Only then will the seeds be issued.