MobilePASS+ token self-provisioning

You can offer your users the option to self-provision a SafeNet MobilePASS+ token. Self-provisioning means that users who don't already have a token can immediately enroll a new token on their own, without using an enrollment email.

The self-provisioning option is displayed on the user portal login screen when an access policy requires a one-time password (OTP) for authentication, but the user doesn't have a token yet. The self-provisioning option is displayed the first time that a user tries to log in to any service that is secured by the identity provider (IdP) and that requires an OTP. After the user enrolls a token, the self-provisioning option is no longer displayed.

How users self-provision a MobilePASS+ token

The self-provisioning workflow is triggered when an access policy requires an OTP and the user does not have a token yet. It forces the user to enroll a token before they can log in. After the user enrolls the token, they can use it immediately, to continue logging in.

The instructions for installing the authenticator and enrolling a token are provided in the language that is specified in the browser settings. Users can select a different language. If the instructions are not available in that language, the English instructions are displayed.

The self-provisioning workflow simplifies the process and guides the user through the steps:

1.The user attempts to access a service that is protected by STA and requires an OTP during authentication. The user is redirected to the IdP login screen.

2.The user enters their username. If your policies require it, they also enter their password.

STA determines that the user doesn't have a token yet, and needs to enroll and activate a token.

3.The user selects Add Authenticator.

STA sends the user a verification code by email.

4.The user enters the verification code.

5.The user chooses where they want to install the SafeNet MobilePASS+ authenticator app. The choices that are available depend on the target platforms that you configure.

For example, the user can install the app on either a mobile device or a Windows 10 computer.

For mobile devices, the user can use either an iOS or Android device.

With iPhone or iPad devices, users scan a QR code and install the app on their device. When it has finished installing, the app opens and starts the activation process.

With Android devices, users install the app from the Google Play store, and then scan a QR code to start the token activation process.

If the user selects On This Computer, the options depend on whether you pre-install the app for users or allow users to install the app.

6.The user follows the in-app instructions to activate a token with the authenticator app.

Depending on how the MobilePASS+ token template is configured and the type of device, the user might need to allow push notifications, set a PIN, or allow biometric PINs.

7. The user uses the new token or push OTP to log in.

Enable or disable MobilePASS+ self-provisioning

You can enable or disable the self-provisioning workflow for each virtual server. To enable self-provisioning, specify which user groups are offered the option to self-enroll a MobilePASS+ token. For new virtual servers, self-provisioning is enabled for all users.

Controlling which groups of users are allowed to self-provision a MobilePASS+ token allows you to stage deployment or test the self-provisioning workflow. For example, you can gradually add users to these groups or test the feature with a limited group of users, so that you can handle help desk requests and monitor the progress.

Any users who are not allowed to use self-provisioning continue to enroll using the provisioning email.

You can also configure the MobilePASS+ passcode and PIN requirements. You can configure more token settings on the STA Token Management console, in Policy > Token Policies.

1.On the STA Access Management console, select Settings > Self-Provisioning.

2.On the Self-Provisioning screen, select Edit.

3.In the Target Users section, select the users who are allowed to self-provision MobilePASS+ tokens:

All users: Enables self-provisioning for all users. This is the default for new virtual servers.

Members of these groups only: Enables self-provisioning for only members of the specified groups, like a whitelist.

All users except members of these groups: Enables self-provisioning for all users except the members of the specified groups, like a blacklist.

No users: Disables self-provisioning for all users. The self-provisioning option is not offered to any users on the login screen. Users can enroll tokens only with an enrollment email. This is the default for existing virtual servers.

4.Enter the user group names, if required.

The Target Platforms section displays the operating systems and device types where MobilePASS+ is allowed for the virtual server. These platforms are configure on the STA Token Management console, in Policies > Token Policies > Software Token & Push OTP Settings.

If MobilePASS+ is allowed on Windows 10, you can either pre-install the SafeNet MobilePASS+ app for your users, or allow your users to install the app.

5. For Windows 10, select one of the following options include a link to either the Microsoft Store or to the

Do not display a link to install the app: Select this option if you are pre-installing MobilePASS+ for the target users.

Display a link to the app on the Microsoft Store: Select this option if users are allowed to access it, so that they always have the latest app version.

Display a link to the installer (.exe): Select this option to provide a link that the target users can access.

6.Select Save.

Select the target platforms and push notifications

You can select the platforms on which users can enroll MobilePASS+ tokens. The platform is the combination of operating system and device type, such as Android mobile devices.

The target platforms that you select determine which targets are presented to users during MobilePASS+ token self-enrollment.

You can also control the availability of push based on the operating system and device type. For example, you can enable push on mobile devices but not on desktop devices, such as Windows 10, due to the complexity of push in a desktop environment.

1.On the STA Token Management console, select Policies > Token Policies > Software Token & Push OTP Settings.

2.In the Allowed Target and Push Notification Settings, select the Allowed check box and the check box for each platform:

MobilePASS+ is supported on the following platforms:

Operating system Device type
Android Mobile/tablet


Windows 10 Mobile


Windows 10 Desktop/tablet

3.To allow Push Notifications for an allowed platform, select Enabled.

4.Select Apply.

Configure the MobilePASS+ passcode and PIN requirements

Token templates provide the operating parameters, such as passcode or PIN strength, for a token. The templates are applied every time a token is enrolled.

You can customize the token templates, and therefore token operation, to adapt to changes in your security policy. Customizing a template does not affect tokens that are already initialized and does not affect tokens that are assigned to users.

1.On the STA Token Management console, select Policies > Token Policies > Token Templates.

2.In the Type list, select MobilePASS, and then select Edit.

3.Configure the passcode and PIN settings:

Parameter Description
Passcode Policy

Tokens can operate in either Challenge-Response or Quick Log mode. Quick Log mode is recommended because it simplifies the user login experience and strengthens security by eliminating the requirement to have the user key a challenge into a token to get an OTP.

Length The length determines the number of characters displayed as the OTP. The options are 6 characters (default) or 8 characters.

>Time-based:  Determines the number of seconds the user has to authenticate, before another passcode needs to be generated.

>Event-based: Determines the number of clicks the user has to authenticate, before another passcode needs to be generated.

PIN Policy
PIN Type

This setting determines the type of PIN to be used with the token:

>No PIN: The user does not need to use a PIN. The token generated password is sufficient for authentication.

>User-selected PIN: The user must enter the correct PIN into the MobilePASS+ app before an OTP is generated. To log in to a service, the user enters only the OTP at the password prompt. For example, if the user PIN is 8432 and the password is 12345678, the user enters 12345678 at the password prompt.

The user must change the PIN that is generated for the token during initialization before an OTP is generated. Thereafter, the user can change the PIN at any time. The new PIN must conform to the minimum requirements for PIN length and complexity.

>Server-side User Select: To log in to a service, the user must append or prepend the PIN to the OTP that is generated in the MobilePASS+ app, which allows the PIN to be evaluated by the virtual server. For example, if the user PIN is ABCD, and it must be prepended to the password 12345678, the user enters ABCD12345678 at the password prompt.

The user can change the PIN that is generated for the token. The new PIN must conform to the minimum requirements that are set in the server-side PIN policy.

PIN Length

Determines the PIN length that can be used with the MobilePASS+ token.

>If the PIN Type is set to No PIN, this option is disabled. The user will not be required to use a PIN at any time.

>If the PIN Type is set to Server-side User Select, this option is disabled. The user must use a PIN according to the options set in Policy > Token Policies > Service-side PIN Policy.

>If PIN Type is set to User selected PIN, this option is enabled. This requires that any PIN set for the token meets the indicated minimum number of digits. The range is 4 to 8 characters.

Allow Trivial PINs

If enabled, a PIN can be three or more consecutive numbers (for example, 1234), or three or more identical digits (for example, 2222). Default value: Not selected.

Max. PIN Attempt This option is available only if the PIN Type is set to User selected PIN. It determines the maximum number of consecutive failed PIN attempts permitted by the token. If this number is exceeded, the token is locked and cannot be used for authentication until it is reinitialized.
Min PIN Complexity

>If PIN Complexity is set to Decimal and Allow Trivial PINs is selected, the user can use a PIN with any consecutive or repeated characters, such as 1111, 1234, 6543, abcd, or aaaa.

>If PIN Complexity is set to Decimal and Allow Trivial PINs is disabled, the user can use either a Numeric or an alphanumeric PIN, as long as it does not consist of consecutive or repeated characters. For example, aaaa or 1234 are not permitted, while 9946, 123682, 321aaa, or i6gfaa are permitted.

>If PIN Complexity is set to Strong alphanumeric, the user must use an alphanumeric PIN that includes at least one uppercase and one lowercase character, and one number, such as 1Qazxs8 or ajUys36.

Allow Biometric PIN

If enabled, users can use a fingerprint sensor or facial recognition instead of typing a PIN to access their MobilePASS+ token. This option requires that the PIN Type is set to User-selected PIN.

The biometric PIN (Touch ID or Face ID for iOS devices, or Windows Hello for Windows devices) policy setting on STA is applied to tokens at the time of enrollment only. After a token is enrolled, policy changes on STA do not affect the availability of the biometric PIN feature on that token. Default value: Disabled.

4.Select Apply.

View an audit trail for self-provisioning

You can view an audit trail for all user-initiated token enrollments in the STA enrollment history report. You can view a list of the configuration changes in the STA audit logs.

Customer Support Portal