Add an Offline Authentication Policy

Document created by RSA Information Design and Development Employee on Jun 13, 2017Last modified by RSA Link Admin on Sep 18, 2020
Version 16Show Document
  • View in full screen mode

An offline authentication policy defines the way users authenticate when they are not connected to the network. The policies are assigned to security domains and apply to all users in that security domain.

In a replicated deployment, changes to policies might not be immediately visible on the replica instance. This delay is due to the cache refresh interval. Changes should replicate within 10 minutes. If you want to make changes take effect sooner on the replica instance, see Flush the Cache.

Note:  Any changes made to an offline policy cause all previously generated offline data to be discarded and regenerated.


  1. In the Security Console, click Authentication > Policies > Offline Authentication Policies > Add New.

  2. In the Offline Authentication Policy Name field, enter a unique name from 1 to 128 characters.

  3. (Optional) If you want this policy to allow offline authentication, select Enable Offline Authentication. This allows users to authenticate with their tokens when their computers are not connected to the network.

  4. (Optional) To allow Authentication Manager to automatically provide the user's Windows Login Password with a successful SecurID authentication, select Enable Windows password integration.

  5. (Optional) If you want this policy to be the default offline authentication policy, select Set as default offline authentication policy. The default policy is applied to all new security domains.

  6. From the Minimum Online Passcode Length drop-down menu, select the minimum length of the passcode (PIN + tokencode) a user must enter to download days of offline data.

  7. (Optional) PINPad tokens, software tokens, and tokens that do not require PINs are likely to contain less characters than required by the minimum offline passcode length setting. RSA recommends that you do not allow offline authentication with these types of tokens. You can however, use the Allow Offline Authentication Using field to override the minimum length setting for users that authenticate with any of these tokens.

  8. (Optional) Select the Allow offline emergency codes to be generated checkbox if you want RSA Authentication Manager to generate offline emergency codes for users.

  9. Select the type of offline emergency codes that you want to generate:

    • Offline emergency tokencodes. Generate these for users who have misplaced their tokens. Users must enter their PIN followed by the emergency tokencode to gain entry to their computers.

    • Offline emergency passcodes. Generate these only for users who have forgotten their PINs and need a full passcode. In such cases, make sure you properly identify the users before providing them with emergency passcodes. Because emergency passcodes enable authentication without a PIN, RSA recommends that you use emergency tokencodes instead.

  10. In the Lifetime field, enter the length of time, in days, for which emergency codes are valid. The default is thirty days.

  11. In the Maximum Days of Offline Data field, enter the amount, in days, of offline data that you want to allow users to download.

  12. In the Days of Offline Data Warning field, specify the number of remaining days of offline authentication data that triggers a warning to users. The default is seven days. Users who receive the warning must reconnect to the network and replenish their supply of offline logon days. If users run out of offline logon days, they must contact an administrator.

  13. In the Offline Authentication Failures field, enter the number of allowable failed offline authentication attempts before users must use an emergency code to gain entry to their computers.

  14. (Optional) Select the Offline Logging checkbox if you want authentication log entries uploaded to Authentication Manager when the user reconnects to the network.

  15. Click Save.




You are here
Table of Contents > Policies > Add an Offline Authentication Policy