RSA Product Set: SecurID
RSA Product Version: AM 8.x
Authentication using hardware tokens in CyberArk fails, and the Authentication Activity Monitor logs the error: "Bad tokencode but good PIN." This occurs even when the passcode is valid.
However, testing authentication with the same token and credentials is successful through the Self-Service Console.
The failure occurs because the hardware token generates a passcode that combines a 4-digit PIN with a 6-digit tokencode, resulting in a 10-digit passcode. CyberArk does not accept passcodes of this length, leading to the "Bad tokencode but good PIN" error during authentication.
As a workaround, disable the PIN requirement for the affected hardware tokens, as outlined in the article "Allow a User to Authenticate Without an RSA SecurID PIN."
Alternatively, contact CyberArk Support for further assistance.