000024317 - What happens after my user authenticates with the replacement token? Can the original token still be used?

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000024317
Applies ToRSA ACE/Server 5.2 and later
IssueIssue replacement tokens without causing user downtime

The original token will work until the replacement token is used to authenticate. Authenticating with the replacement token unassigns the original (replaced) token and leave just one entry for the replacement token, now marked as the original.


Additional Details:

When a token is assigned as a Replacement token, the Original token and the Replacement token are both temporarily assigned to the user. If you examine the user's record, you will see both tokens assigned to the user, and after the serial number entry for each token, you will see a letter O or R, for Original or Replacement. If you examine the token record  Replacement token, it will have a line:

Replacing serial number: 

If you examine the token record for the Original token it will have a line:

Replacement serial number:

The other token's serial number will be shown as the replacement (you can temporarily consider them replacements of each other).

When a user authenticates with the Original token they authenticate normally, as long as the token is valid and enabled. Once a user authenticates with the Replacement token, the Original one will be "replaced" and unassigned from the user.  After this the actions vary depending upon the database settings. For example, if "Automatically delete replaced tokens from the database" is enabled, the token record will be deleted from the database.  If "Automatically delete replaced tokens from the database" is not enabled, the replaced token's main status fields will be reset ( it will be set to disabled, in new Pin Mode, and not lost).

Legacy Article IDa34963