000022091 - Do RSA SecurID Authentication Engine tokencode search windows vary?

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000022091
Applies ToRSA SecurID Authentication Engine 2.0
All platforms
IssueDo RSA SecurID Authentication Engine tokencode search windows vary?
The RSA SecurID Authentication Engine tokencode search window appears to vary between plus/minus one and ten codes
An old tokencode may return an authentication status of next-tokencode-mode or out-of-window (e.g. access denied)
ResolutionNOTE: This discussion assumes 1-minute non-pinpad hard tokens

The tokencode search window varies from one to ten codes. Normally the window used is the ?small window? of one, meaning the SAE checks against code -1, 0, and +1, where -1 is the previous code, and +1 is the next code in the future. Variance in window size comes primarily from SAE logic that increases the window if the last login occurred more than 30 days ago. 30 days ago increases the window by one, and then every 15 days increases the window by one up to a maximum of 10. This is done to take into account possible token clock drift over time. 

Additionally, RSA SecurID Authentication Engine logic increases the small window from 1 to 2 if current time is within the first 15 seconds of the current minute.

NOTE: RSA SecurID Authentication Engine uses a time offset in the token data to compensate for token clock drift. This offset is used and re-calculated when invoking functions RSASAResynchToken, RSASACheckTokencode, and RSASACheckPasscode.
Legacy Article IDa26862