000038057 - Invalid tokencode failures and expired QR code alerts in RSA SecurID Authenticate app

Document created by RSA Customer Support Employee on Nov 12, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000038057
Applies ToRSA Product Set: SecurID Access
RSA Product/Service Type: Cloud
RSA Version/Condition: Not Applicable

An end user is encountering one or both of the following problems with the RSA SecurID Authenticate app:

  • Step-up authentications using the RSA SecurID Authenticate app tokencode are failing and the User Event Monitor displays the following error for the attempts

Authenticate Tokencode authentication failed - Invalid tokencode 

The above error occurs even when the user is very sure they are entering the correct code displayed on their device.

  • RSA SecurID Authenticate app device registration using a QR code fails.  The app displays the following alert: 

Expired QR Code. Message: Generate a new QR Code. Then scan the new code in the app . 

The user is able to complete registration with a password or registration code however.

CauseThe date and/or time and/or geographical region setting in the end user's device is incorrect.
ResolutionBoth QR codes and tokencodes use time-based algorithms, so they both require the end user's device to be set accurately to the current date and time, according to the geographical region set in their device.  Time accuracy must be within a few minutes.

For example, if the end user's device region is currently set to India (GMT+5:30), then the date and time in the device must be set to the current date and time in India.   Clock drifts of a few minutes or more, or failure to adjust to daylight savings time changes, can cause the errors described in this article to occur.  If the date and time appears to be correct, check to make sure the geographical region configured in the device is correct too.

We recommend setting mobile device times using the Auto feature in the device, if available, so that device times are automatically set accurately by the mobile network.  Check with your mobile network provider to confirm if automatic clock setting is available.  For devices that do not use a mobile network, RSA recommends configuring a reliable NTP server to automatically synchronize your computer's time.
WorkaroundIf date and time cannot be automatically managed by network time synchronization, then manual date/time adjustments may be required occasionally to maintain clock accuracy in the device.
  • For additional troubleshooting tips, see Troubleshooting Cloud Authentication Service User Issues .
  • For instructions to set the date, time and geographical region, or to set the Auto option for time of day in your device, please refer to the vendor documentation of your device.