000029890 - Resyncing RSA SecurID tokens using RSA Authentication Manager 8.1 Self-Service Console

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Jul 18, 2018
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000029890
Applies ToRSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Manager
RSA Version/Condition:  8.1
IssueThis article provides information on how to resynchronize a SecurID hardware or software token from the Authentication Manager 8.1 Self-Service Console.

To resynchonize the token,

  1. Login to the Self-Service Console .
  2. For the token serial number you want to synchronize , click Troubleshoot.

User-added image

  1. On the Troubleshoot Your Token Page, choose Other or Not Sure and then click OK.

User-added image

  1. On the Confirmation Required page, click Yes to confirm that the token is not damaged and can still generate tokencodes.

User-added image

  1. On the Resynchronize Token page:

    1. Enter the tokencode currently showing on the token.
    2. Wait for the tokencode to change (typically 30 or 60 seconds) and enter the new tokencode.  Please be sure to enter successive tokencodes.
    3. Click OK.

User-added image

  1. Test authentication again
NotesToken synchronization checks the current UTC server time then reviews all possible tokencodes, plus or minus 12 hours from the current server time to find two sequential tokencodes that match what was entered.

With this process, the Authentication Manager server determines how fast or slow the clock in the token is as compared to the server clock, which is assumed to be connected to NTP and accurate.  If the server determines that the tokencodes provided during the synchronization process are correct but either for a time in the past or the future, the token offset table is updated with the offset value.    The next time the token is used for authentication the offset value is used to find the correct tokencode value for that minute to determine if authentication is successful.

A token synchronization will fail for one or more of the following reasons:

  1. The server time is fast or slow by more than 12 hours compared to the token time.  Be sure to also confirm that the server date and timezone are correct.
  2. The token time is fast or slow by more than 12 hours compared to the server time.  Mobile devices with RSA SecurID software tokens installed typically get very accurate time information from the service provider, while RSA SecurID Software Tokens installed on desktops and laptops get their time from the BIOS, which may be incorrect or drifting.
  3. The token that was synchronized is not the one assigned to the user.
  4. An Authentication Manager administrator distributed a software token serial number again to this user or another user without the original token being replaced on the device.  When a software token is redistributed, a new hash is used that invalidates the first distribution of the token.