Using an on-demand tokencode requested through an authentication agent or RADIUS client differs from the same process when using a tokencode requested through the Self-Service Console, or an RSA SecurID hardware or software token. In each case, the authentication agent prompts the user to enter a User ID and passcode. However, with an on-demand tokencode, the following process occurs:
The user accesses a protected resource, and the agent prompts the user for a User ID and passcode.
The user enters his or her User ID and, at the passcode prompt, an on-demand authentication (ODA) PIN, not passcode.
When a user who is enabled for the on-demand tokencode service enters an ODA PIN at the passcode prompt, Authentication Manager recognizes that the user is actually making a request for an on-demand tokencode.
Authentication Manager sends a tokencode to the user.
The authentication agent prompts the user to enter the next tokencode.
The user enters the received on-demand tokencode.
RSA recommends that you inform your users that they cannot simply follow the prompts. Some agents may support changing the prompts to make this less confusing, although this only works if you have an ODA-only user population.
Additionally, if a user cancels out of the next tokencode prompt or waits too long to enter the on-demand tokencode, the tokencode can still be used (with the PIN) to authenticate. For example, the user can attempt to authenticate again, and when the authentication agent or RADIUS client prompts the user for the passcode, the user may enter the PIN and on-demand tokencode as the passcode and successfully authenticate.