Assign a Set of One-Time Tokencodes

Document created by RSA Information Design and Development on Jun 13, 2017Last modified by RSA Information Design and Development on Jan 24, 2020
Version 13Show Document
  • View in full screen mode

You can provide temporary access for a user whose token has been permanently lost or destroyed by assigning a set of one-time tokencodes. A one-time tokencode replaces the tokencode generated by the user's missing token. Users must enter their PIN and a one-time tokencode to perform two-factor authentication. If the emergency access tokencode is issued for an RSA SecurID Authenticate app user, a PIN is not required. In this situation, the user only enters the emergency access tokencode.

Each one-time tokencode in a set can be used once. A set of tokencodes allows a user to authenticate multiple times without contacting an administrator each time.


  1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.

  2. Use the search fields to find the appropriate token.

  3. From the search results, click the token with which you want to work.

  4. From the context menu, click Emergency Access Tokencodes.

  5. On the Manage Emergency Access Tokencodes page, select the Online Emergency Access checkbox to enable authentication with an online emergency access tokencode.

  6. Select Set of One-Time Tokencodes.

  7. Enter the number of tokencodes that you want to generate.

  8. Click Generate Codes. The set of tokencodes displays below the Generate Codes button.

  9. Record the set of one-time tokencodes so you can communicate them to the user.

  10. Select one of the following options for the Emergency Access Tokencode Lifetime:

    • No expiration.

    • Set an expiration date for the tokencode.

  11. In the If Token Becomes Available field, configure how Authentication Manager handles lost or unavailable tokens that become available.

    • Deny authentication with the recovered token.

      If a token is permanently lost or stolen, deny authentication with the recovered token so that it cannot be used for authentication if recovered by an unauthorized individual. This is essential if the lost token does not require a PIN.

    • Allow authentication with the recovered token while simultaneously disabling the emergency access tokencode.

    • Allow authentication with the recovered token only after the emergency access tokencode has expired.

  12. Click Save.

Related Concepts

RSA SecurID Tokens



We want your feedback! Tell us what you think of this page.