000023655 - Can RSA SecurID Authentication Engine return INVALID_PIN (in Java) or EMBADPIN (in C) for pinpad- or software token-based authentication?

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000023655

Applies To:
RSA SecurID Authentication Engine 2.x for Java
RSA SecurID Authentication Engine 2.x for C

Issue:
Can RSA SecurID Authentication Engine return INVALID_PIN (in Java) or EMBADPIN (in C) for pinpad- or software token-based authentication?
When using a pinpad token (includes software tokens), entering a bad PIN when authenticating does not return a bad PIN status as with a hardware token.

Resolution:
This behavior is functioning as designed. Unlike the prepended PIN of a hardware token passcode, a pinpad passcode has its PIN mathematically combined with the tokencode to produce a passcode.

When processing an invalid pinpad passcode, RSA SecurID Authentication Engine has no way to distinguish between an incorrect PIN and incorrect tokencode; it can only tell that extracting the tokencode with the expected PIN produced an invalid tokencode. This could happen due to an incorrect PIN or tokencode.

Because of the inherent difference in pinpad passcode format, RSA SecurID Authentication Engine will never return INVALID_PIN or EMBADPIN on an authentication attempt for a software or pinpad token.
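
The difference between the two passcode formats can be seen in a small model. This is an added example, not RSA code or the product's API: the result codes and function names are hypothetical, the tokencode and PIN values are constructed, and the pinpad combination is assumed to be digit-by-digit addition modulo 10 over the rightmost digits, which the article does not specify.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this model; not the product's API. */
enum result { AUTH_OK, AUTH_BAD_PIN, AUTH_BAD_TOKENCODE, AUTH_DENIED };

/* Hardware-token style: the PIN is a separate prefix, so it can be checked alone. */
enum result check_prepended(const char *passcode, const char *pin, const char *code)
{
    size_t n = strlen(pin);
    if (strlen(passcode) != n + strlen(code)) return AUTH_DENIED;
    if (strncmp(passcode, pin, n) != 0) return AUTH_BAD_PIN;
    return strcmp(passcode + n, code) == 0 ? AUTH_OK : AUTH_BAD_TOKENCODE;
}

/* ASSUMED combination: each PIN digit is added (sign=+1) to, or removed (sign=-1)
   from, the rightmost digits of `in`, digit by digit modulo 10, with no carry. */
void pinpad_mix(const char *in, const char *pin, int sign, char *out)
{
    size_t len = strlen(in), pl = strlen(pin);
    memcpy(out, in, len + 1);
    for (size_t i = 1; i <= pl && i <= len; i++)
        out[len - i] = (char)('0' + ((in[len - i] - '0') + sign * (pin[pl - i] - '0') + 10) % 10);
}

/* Pinpad style: strip the expected PIN, then compare with the expected tokencode.
   A mismatch carries no information about which of the two inputs was wrong. */
enum result check_pinpad(const char *passcode, const char *pin, const char *code)
{
    char extracted[32];
    if (strlen(passcode) != strlen(code) || strlen(passcode) >= sizeof extracted)
        return AUTH_DENIED;
    pinpad_mix(passcode, pin, -1, extracted);
    return strcmp(extracted, code) == 0 ? AUTH_OK : AUTH_DENIED;
}

int main(void)
{
    char a[32], b[32];
    pinpad_mix("123456", "1235", +1, a);   /* wrong PIN, right tokencode */
    pinpad_mix("123457", "1234", +1, b);   /* right PIN, wrong tokencode */
    printf("%s %s -> %d\n", a, b, check_pinpad(a, "1234", "123456"));
    return 0;
}
```

In this model a wrong PIN with the right tokencode and the right PIN with a wrong tokencode produce the same passcode, so the only status the pinpad check can return on failure is a generic denial.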

Legacy Article ID: a30889
