|Issue||Software / hardware tokens are reported to be going into next tokencode mode.|
|Tasks||Troubleshooting tasks: |
|Resolution||End users entering incorrect passcodes|
End users entering incorrect passcodes can invoke next tokencode mode. The Token Policy setting 'Incorrect Passcodes' controls whether users may enter a limited or an unlimited number of incorrect passcodes. When the limit is exceeded and the user then enters a correct passcode, the user is prompted to enter the next tokencode displayed on the token.
The token seed record XML defines the synchronization range of the tokens.
An example from a token seed XML file:
* The values are in seconds and cannot be changed manually in the token seed XML file.
Token synchronization range table:
Relationship between the token seed XML and the token synchronization range shown in the table above:
DefSmallWin is the time window within which a user can successfully authenticate with a tokencode without triggering next tokencode mode (+/- 1 interval, i.e. 3 codes).
DefMediumWin and DefLargeWin are longer time windows within which a tokencode still matches but the user is prompted for the next tokencode (NTC). Any tokencode that falls outside DefLargeWin fails authentication. This is unrelated to the user entering invalid passcodes.
Next tokencode and token resynchronization update the token offset value stored in the token record so that the token remains in the Automatic Range (DefSmallWin) for subsequent authentications. Where the time difference is +/- 12 hours, the token offset cannot be updated and authentications fail.
RSA recommends using the Network Time Protocol (NTP) on Authentication Manager instances so that server time remains stable. A clock change alters the effective token offset, so end users are likely to be prompted for next tokencode during authentication; a large clock change (one that places the token outside the maximum limit) can cause authentications to fail.
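As an added illustration, not taken from the article or from RSA's software, the following Python model walks through the window logic described above together with the incorrect-passcode behaviour from the Resolution. A toy HMAC-based tokencode stands in for the SecurID algorithm, and the interval length, the window sizes in intervals and the passcode limit are assumed values.

```python
import hmac
import hashlib

# Numeric values are assumptions for this illustration: the article gives only
# the small window (+/-1 interval, 3 codes) and the +/-12 hour hard limit.
INTERVAL = 60                        # seconds per tokencode
SMALL_WIN = 1                        # DefSmallWin: +/-1 interval, no NTC prompt
LARGE_WIN = 12 * 3600 // INTERVAL    # DefLargeWin: beyond +/-12 h the offset cannot be updated
INCORRECT_PASSCODE_LIMIT = 3         # stands in for the 'Incorrect Passcodes' policy setting


def tokencode(seed: bytes, t: int) -> str:
    """Toy time-based code (HMAC-SHA256 of the interval counter, 8 digits).
    Constructed stand-in for the example; not the SecurID algorithm."""
    counter = (t // INTERVAL).to_bytes(8, "big")
    digest = hmac.new(seed, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class TokenRecord:
    """Server-side token record: the seed plus the stored clock offset."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.offset = 0          # believed token drift from server time, seconds
        self.bad_passcodes = 0   # consecutive incorrect passcodes

    def authenticate(self, code, server_time, next_code=None):
        """Return 'accept', 'next_tokencode' or 'fail'. Candidate intervals are
        searched nearest-first across DefLargeWin; a match inside DefSmallWin is
        accepted outright, while a match further out, or one following too many
        bad passcodes, needs the following tokencode (NTC) before resync."""
        base = server_time + self.offset
        for k in sorted(range(-LARGE_WIN, LARGE_WIN + 1), key=abs):
            t = base + k * INTERVAL
            if not hmac.compare_digest(tokencode(self.seed, t), code):
                continue
            needs_ntc = abs(k) > SMALL_WIN or self.bad_passcodes > INCORRECT_PASSCODE_LIMIT
            if needs_ntc and next_code is None:
                return "next_tokencode"
            if needs_ntc and not hmac.compare_digest(tokencode(self.seed, t + INTERVAL), next_code):
                self.bad_passcodes += 1
                return "fail"
            if needs_ntc:
                self.offset += k * INTERVAL   # NTC resync keeps the record in DefSmallWin
            self.bad_passcodes = 0
            return "accept"
        self.bad_passcodes += 1               # wrong code, or drift outside DefLargeWin
        return "fail"
```

A token clock a few minutes out triggers one NTC prompt and is then back in DefSmallWin for later logins, while a token more than 12 hours out can no longer be resynchronised this way.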