This support page is for IGC hardware certificates stored in a Hybrid PKI/OTP USB Token. If your certificate is stored in software (a browser) or in any other type of hardware, please return to the main IGC support page and select your certificate storage type for the appropriate support.

More common questions are answered in the FAQs below. For additional FAQs, click on the FAQ link.

IGC Hybrid PKI/OTP USB Token Certificate FAQs

Hybrid PKI/OTP Token FAQ (Users)

Two Devices in One
IdenTrust Hybrid PKI/OTP Tokens are for applications that require OTP authentication for mobile support or legacy authentication support, but require the assurance of an identity proofing process securely bound to a device through issuance of a certificate to the device. They allow the application developer to choose whether to authenticate users via OTP or via a PKI certificate. The certificates are also available for digital signing, secure email and other purposes regardless of authentication method.

If you are an application developer, please also review the additional FAQs posted below.

How Are Hybrid PKI/OTP Tokens Issued?
When applying for and purchasing IdenTrust Global Common (IGC) Basic Hardware 2 Year Certificates, the Hybrid PKI/OTP Token is available as a hardware option. As part of the certificate retrieval process, the OTP function of your device is activated for you in IdenTrust’s cloud-based OTP service. The OTP function is directly tied to the validity of your certificate. If your certificate is revoked or expires, the OTP function is turned off in IdenTrust’s servers. On certificate renewal, the OTP service is also renewed.

The following diagram illustrates the application process:

Diagram

How Do I Use My Hybrid PKI/OTP Token?
Using your Hybrid PKI/OTP Token is simple, provided you remember that it is actually two different devices, each operating independently of the other. There are passwords associated with both functions, meaning you have two different passwords! These passwords may or may not be the same, depending on how you set them.

    The "PKI Side"
    The "PKI side" of the token contains your certificates and certificate private keys. To utilize the PKI side, the token must be plugged into the USB port of your system and you will be prompted to enter your token password to utilize your IGC certificates/keys for digital signing, secure email or other purposes. Your token password cannot be reset if you forget it. Don’t forget your token password!

    The "OTP Side"
    The "OTP side" of the token allows you to authenticate using an OTP code generated by the device when you push its button. The token does not need to be plugged into anything to provide an OTP code. The system or application you are using needs three data elements to authenticate you against IdenTrust’s OTP service: your OTP username (usually your email address), your OTP password (set when you retrieve your certificate), and the OTP code generated by your device. At a minimum, the application will prompt you for both your OTP password and the OTP code (two-factor authentication).

How Do I Renew My Hybrid PKI/OTP Token?
Your Hybrid PKI/OTP Token may be renewed for one additional two-year period without purchasing a new device. After a total of four years of use, you will be required to purchase a new device as part of the renewal process, as the embedded battery will be nearing its end of life and is not replaceable.

You will receive renewal notices via email for your IGC Certificate as it approaches expiration, beginning at 90 days, again at 60 days and again at 30 days. It is very important to renew before your certificate expires: once it has expired, you will need to go through the application process for a new certificate. When you renew the IGC certificate on your Hybrid PKI/OTP device, the cost includes renewal of the associated OTP service.

What If I Lose My Device?
If your Hybrid PKI/OTP Token is lost, you have also lost control of your certificate. While the certificate is protected by your token password, you are required by policy and by the agreement you accepted during application to notify IdenTrust and request either certificate revocation or a certificate replacement. The best way to handle this is by contacting IdenTrust Customer Support by email: support@identrust.com. Customer Support will help you purchase a replacement token and replace your certificate. Certificate replacements are provided at no charge. You will need to register your new OTP device and/or your new certificate with your system/application administrator.

What If I Forget My Password(s)?
Remember, there are two different passwords associated with your device. If you forget your token password (PKI side), there is no way to reset or recover it. Initializing the device will render the OTP function inoperable. Note that if you use only the OTP side of the device, you may continue using the OTP function without knowing the token password; however, you will not be able to renew or replace your certificate.

Don’t forget your token password!
Do not initialize your device!

Either will result in a probable need to purchase a new device.

If you forget the OTP password (OTP side), it can be reset by logging into IdenTrust’s Certificate Management Center using your registration account password created at time of application. If you have forgotten your registration account password, it can be reset by successfully answering password reset questions created at time of application.

Hybrid PKI/OTP Token FAQ (Application Developers)

How Does the IdenTrust OTP Authentication Process Work?
  1. The application collects from the end user:
    • OTP code (generated by user on token);
    • OTP password (provided by user);
  2. Invokes the IdenTrust-provided API to establish an authenticated communications channel with the IdenTrust cloud OTP service (web services based);
  3. Passes in via the API the following information for authentication:
    • OTP username (provided by user when registering credential with application);
    • OTP code (generated by user on token);
    • OTP password (provided by user); and
  4. The IdenTrust cloud OTP service returns an authentication response. The OTP service returns a positive response only when both the correct OTP code and OTP password have been provided (two-factor authentication).
These steps are illustrated below.

Diagram
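The decision rule in steps 1 to 4 above, together with the issuance FAQ's point that the OTP function is switched off once the certificate is revoked or expired, as an added illustration: this is not IdenTrust's code or API (the API Guide is under NDA) but a self-contained mock of the cloud service's logic. The HOTP generator standing in for the button-press code, the PBKDF2 password storage, the look-ahead window, and the sample username and secret are all assumptions.

```python
import hashlib
import hmac

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # HOTP (RFC 4226), assumed here as the token's button-press code generator
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{val % 10 ** digits:0{digits}d}"

class Token:
    """The 'OTP side': pressing the button emits the next code; no USB needed."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0
    def press_button(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

def _hash_pw(username: str, otp_password: str) -> bytes:
    # Salted PBKDF2 for the stored OTP password (assumption; the page does not say)
    return hashlib.pbkdf2_hmac("sha256", otp_password.encode(), username.encode(), 100_000)

class OtpService:
    """Mock of the cloud OTP service, keyed by OTP username (usually an email)."""
    LOOK_AHEAD = 10  # tolerate button presses whose codes never reached the server
    def __init__(self):
        self.users = {}
    def enroll(self, username, secret, otp_password, cert_expires):
        # OTP function is activated at certificate retrieval and bound to that cert
        self.users[username] = {"secret": secret, "counter": 0, "revoked": False,
                                "pw": _hash_pw(username, otp_password),
                                "expires": cert_expires}  # ISO-8601 date string
    def authenticate(self, username, otp_password, otp_code, today) -> bool:
        u = self.users.get(username)
        # Unknown user, or certificate revoked/expired => OTP function is off
        if u is None or u["revoked"] or today > u["expires"]:
            return False
        pw_ok = hmac.compare_digest(u["pw"], _hash_pw(username, otp_password))
        code_ok, resync = False, u["counter"]
        for c in range(u["counter"], u["counter"] + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(u["secret"], c), otp_code):
                code_ok, resync = True, c + 1
                break
        # Positive response only when BOTH factors are right (two-factor)
        if pw_ok and code_ok:
            u["counter"] = resync  # consume the code so it cannot be replayed
            return True
        return False
```

The service returns a single yes/no and advances the counter only on full success, so a caller learns nothing about which of the two factors was wrong and a used code cannot be replayed.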
How Do I Integrate OTP Authentication Into My Application?
IdenTrust provides a very simple API interface allowing your application to call IdenTrust’s cloud-based OTP authentication service. While the application may authenticate any current IdenTrust Hybrid PKI/OTP Token holder, your application will need to be configured within IdenTrust systems in order to communicate authentication requests. IdenTrust’s Client Delivery team provides this configuration service.

The API is simple enough that purchasing integration services from IdenTrust is generally not needed. The API Guide is provided only under NDA and is not available on this web site.

How Much Does IdenTrust’s OTP Authentication Service Cost?
IdenTrust does not charge companies wishing to enable their applications for IdenTrust Hybrid PKI/OTP authentication. Restated, the OTP authentication service is free to application developers (the cost of the service is included in the tokens). Configuration of your application in IdenTrust’s OTP service is also provided free of charge.

Does My Company Need to Purchase Tokens?
Once your application is enabled, you simply direct users needing credentials to IdenTrust’s online application page. IdenTrust takes care of all registration, identity proofing, credential issuance and binding of the user to the device and OTP function. There is no need for your company or your customers to purchase or handle tokens.

Can IdenTrust Streamline User Registration from My Application?
IdenTrust provides a simple POST methodology for passing user information into the online registration process, as well as a web services interface for companies wishing to employ more complex integration.

IdenTrust Makes OTP Easy
  1. Zero cost to application developers
  2. Simple to integrate
  3. Simple for users

How To’s

IGC certificates are used for a variety of different applications, such as logging into a system, signing or encrypting emails, and digitally signing documents. Use the same certificate for all your needs as your unique digital identity.

Downloads