Soft Tokens

SecurEnvoy MFA SoftToken Functionality

• Soft Token application available for: iPhone, Android, Mac OSX as well as Microsoft Windows 10 and 11 operating systems
• Seamlessly move between devices securely with no additional cost or helpdesk calls. The previous device is deleted rendering it safe to sell or dispose
• QR codes speed deployment (Quick Response Code) for rapid user enrolment
• Automatically handles international time zones changes when travelling
• Enhanced Copy protection

Changing devices

Users can self-migrate to a new phone model by simply enrolling their new phone. They use their old phone app or SMS to make a two-factor authentication to the enrolment portal. Then simply scan the QR Code to provision the new phone with a new seed record at no additional cost. The security server automatically deletes the old phone’s seed record rendering the old phone safe to dispose of or resell.

Simple QR Code Enrolment

End-user convenience of enrolment and a simple process. For the organisation there is nothing they need to do. It is the choice of the user to choose whether they want their two-factor authentication passcode sent via what device and by what method!

Reduced Administration

User Administration is significantly reduced, as SecurEnvoy’s “Deployment Wizard” can automate user deployment and allows the user to be in control of which device they use and the type of authentication method they prefer.

User deployment can be achieved on Group membership, OU or any other LDAP filtering. The SecurEnvoy “Reporting Wizard” provides detailed information about what mode of operation each user is setup for, allowing Administrators to control and monitor their 2FA estate.

Soft Token – at No Additional Cost

All SecurEnvoy customers can utilise the latest Soft Token at no additional cost. This allows users who may have issues with SMS deliverability to use a soft token, or for customers who wish to manage and reduce their existing SMS costs.

Soft Token Security

SecurEnvoy Soft Token, is OATH TOTP compliant, but with additional security enhancements to the OATH specification. These are:

• Secure Copy protection locks the Seed record for generating passcodes to the phone. The innovative approach allows the SecurEnvoy security server to generate the first part of the seed, the second part of the seed is generated from a “Fingerprint” from the phone when time the Soft Token application is run for enrolment and each time the Soft Token application is run to generate a passcode.
• Protection of the Seed records. The Seed records are dynamically generated by the Server/phone are and are stored with a FIPS 140 approved encryption algorithm, this encrypted data is generated and stored at the customer premise. SecurEnvoy do not store or keep any sensitive customer seed records.
• Stored DATA. All stored authentication data is generated and encrypted with AES 256-bit encryption and is kept within the customer LDAP server. SecurEnvoy support all LDAP v2 and v3 compliant directory servers for example Microsoft Active Directory or LDS.
• Biometric Security.  Additional security can be applied by enforcing PIN or Biometric to accept push notifications or unlock OTP codes.

Security Watermarking

The SecurEnvoy Security Server deletes the used passcode and any previous passcodes from the system, thereby alleviating any replay attacks from any used or any previous unused passcodes. This process is known as “Watermarking”.

Automatic Time Re-sync

When a user travels overseas, typically their phone will sync to the new country time once they have arrived at their destination. The OATH-compliant algorithm then derives passcodes based upon this new time, which could be many hours forward or backward in time. SecurEnvoy has a unique approach that will handle users in this conundrum, where it allows complete unhindered worldwide travel for the user.