Where to get the "activation code" ?

[ipimpat]

Hi

Where would I get the activation code from ?

I more or less has the same problem as this guy in the comments: https://crypto.stackexchange.com/a/13189

All I have from my company is an email with a link to a download page for the MobilePass application and it shows a base64 string which decodes to this:

EnrollmentURL=https://se.safenet-inc.com/selfenrollment/dskpp.aspx?sc=<key>
UserID=<username>
Passphrase=<pin>

key matches this regexp: ^[a-zA-Z0-9]{10}$ pin matches this regexp: ^[0-9]{4}$

[blastbeng]

I have the same exact problem, have you solved it?

[ipimpat]

No, never solved it, in the meantime I left the company

[aleksandrs-ledovskis]

This bug isn't "solveable" without implementing a whole bunch of new workflows, as mentioned Base64/EnrollmentURL setup dance is done with Dynamic Symmetric Key Provisioning Protocol (DSKPP). It would be hard to reverse in usual work VPN situations as enrollment process string is one-time use only & it depends on some locally generated secrets which would need to be debugged/pinpointed in tandem with web invocations.

[yoshimo]

If you figure out how to disable root checks and pinning on this app I could dump the enrollment process for you

[blastbeng]

Four years have passed, and I see nobody solved this issue yet. In the meantime I left the company too 😄

[m4tthumphrey]

Also interested in this. It would appear that there are many MobilePass+ apps available now, macOS and other desk apps included. It definitely still uses HMAC-SHA256 OTP to generate the 8 digit code but I cannot figure out how or where the client gets the OTP secret from.