RSA Product Set: SecurID
RSA Product Version: AM 8.x
Authentication using hardware tokens in CyberArk fails, and the Authentication Activity Monitor logs the error: "Bad tokencode but good PIN." This occurs even when the passcode is valid.
However, testing authentication with the same token and credentials is successful through the Self-Service Console.
The failure occurs because the hardware token generates a passcode that combines a 4-digit PIN with a 6-digit tokencode, resulting in a 10-digit passcode. CyberArk does not accept passcodes of this length, leading to the "Bad tokencode but good PIN" error during authentication.
As a workaround, disable the PIN requirement for the affected hardware tokens as outlined in this article Allow a User to Authenticate Without an RSA SecurID PIN.
Alternatively, contact CyberArk Support for further assistance.
Related Articles
Cloud Administration Delete Hardware Token API Number of Views RSA Hardware Authenticators Number of Views Registering RSA SID 700 hardware tokens in Microsoft Entra ID Number of Views Select Hardware Tokens for Provisioning Number of Views Assign a Hardware Token to a User in the User Dashboard Number of Views
Trending Articles
RSA Authentication Manager Upgrade Process How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle RSA Authenticator 6.2.2 for Windows Administrator Guide RSA SecurID software token .sdtid file fails to import into RSA SecurID Software Token 5.0 for Windows RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide
