000016225 - On-Demand Authentication (ODA) sequence examples

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000016225
Applies To: Authentication Manager 7, Authentication Manager 8, Authentication Manager Express
Issue: Complete an On-Demand authentication
Resolution:
Using Initial PINs and Temporary/expired PINs
An administrator can set the user's initial PIN-1; the user can also do this in the Self-Service console if allowed by the Self-Service policies. Users must change their initial/temporary/expired PIN-1 during the first authentication attempt.
RSA recommends that you inform your users of the following behavior to prevent confusion when users are required to:
- Enter a PIN at the passcode prompt
- Enter the next tokencode when they have received only one tokencode
To change an initial/temporary/expired PIN-1:
1. The user attempts to access a protected resource, and the agent prompts the user to enter a User ID and passcode.
2. The user enters the initial/temporary/expired PIN-1.
3. The agent prompts the user to set a new PIN and to confirm the new PIN. The user chooses and enters PIN-2 in both fields.
4. The agent prompts the user to enter a passcode.
5. The user enters PIN-2 (NOT a passcode) into the Passcode field.
      When a user who is enabled for on-demand tokencode service enters a PIN at the passcode prompt,
      Authentication Manager recognizes that the user is actually making a request for an on-demand tokencode.
6. Authentication Manager sends an on-demand tokencode to the user's
    designated mobile phone number or e-mail address.
    Note: The delivery time for the tokencode depends on the speed of the mail
    server or SMS service.
7. The agent prompts the user for Next tokencode.
8. The user enters the tokencode received in step 6.
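
The eight steps above as a small state machine, added here as an illustration; it is not RSA or Authentication Manager code. The class name, prompt names, 8-digit tokencode and in-memory outbox standing in for SMS/e-mail delivery are assumptions, and the PIN values are constructed.

```python
import hmac
import secrets


class OdaSession:
    """Simplified model of the prompt sequence in steps 1-8 (illustrative only)."""

    def __init__(self, pin, pin_must_change=True):
        self.pin = pin
        self.pin_must_change = pin_must_change  # initial/temporary/expired PIN-1
        self.prompt = "PASSCODE"                # step 1: agent asks for a passcode
        self.outbox = []                        # assumed stand-in for SMS/e-mail
        self._tokencode = None

    @staticmethod
    def _same(a, b):
        # Constant-time comparison of user input against a stored secret.
        return hmac.compare_digest(a.encode(), b.encode())

    def submit(self, value, confirm=None):
        """Feed one user entry to the session and return the next prompt."""
        if self.prompt == "PASSCODE":
            if not self._same(value, self.pin):
                self.prompt = "DENIED"
            elif self.pin_must_change:
                self.prompt = "NEW_PIN"         # steps 2-3: PIN-1 forces a change
            else:
                # Steps 5-6: a valid PIN at the passcode prompt is treated as a
                # request for an on-demand tokencode (8 digits is an assumption).
                self._tokencode = f"{secrets.randbelow(10**8):08d}"
                self.outbox.append(self._tokencode)
                self.prompt = "NEXT_TOKENCODE"  # step 7
        elif self.prompt == "NEW_PIN":
            if confirm is not None and self._same(value, confirm):
                self.pin, self.pin_must_change = value, False
                self.prompt = "PASSCODE"        # step 4: back to passcode prompt
        elif self.prompt == "NEXT_TOKENCODE":
            ok = self._same(value, self._tokencode)
            self._tokencode = None              # tokencode is single use here
            self.prompt = "GRANTED" if ok else "DENIED"  # step 8
        return self.prompt


def walkthrough():
    """Run steps 1-8 with constructed PINs and return the prompts seen."""
    s = OdaSession(pin="1111")                  # constructed PIN-1
    seen = [s.submit("1111"), s.submit("2468", confirm="2468"), s.submit("2468")]
    seen.append(s.submit(s.outbox[-1]))         # tokencode "received" in step 6
    return seen
```

The returned prompt list shows why users see a passcode prompt twice and a "next tokencode" prompt after receiving only one tokencode.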
Legacy Article ID: a63877