RSA Product Set: SecurID
RSA Product Version: AM 8.x
Authentication using hardware tokens in CyberArk fails, and the Authentication Activity Monitor logs the error: "Bad tokencode but good PIN." This occurs even when the passcode is valid.
However, testing authentication with the same token and credentials is successful through the Self-Service Console.
The failure occurs because the hardware token generates a passcode that combines a 4-digit PIN with a 6-digit tokencode, resulting in a 10-digit passcode. CyberArk does not accept passcodes of this length, leading to the "Bad tokencode but good PIN" error during authentication.
As a workaround, disable the PIN requirement for the affected hardware tokens as outlined in this article Allow a User to Authenticate Without an RSA SecurID PIN.
Alternatively, contact CyberArk Support for further assistance.
Related Articles
Cloud Administration Delete Hardware Token API 61Number of Views Registering RSA SID 700 hardware tokens in Microsoft Entra ID 173Number of Views RSA Hardware Authenticators 637Number of Views Configure Shipping Addresses for Hardware Authenticators 10Number of Views Assign a Hardware Token to a User 88Number of Views
Trending Articles
RSA Release Notes for RSA Authentication Manager 8.8 RSA Authentication Manager 8.9 Release Notes (January 2026) When running "acm startdb" or "service aveksa_server startdb" for RSA Via Lifecycle & Governance the error "PRCD-1027 : Fa… RSA Identity Governance & Lifecycle fails to start with "Unable to get avdb connection" message RSA MFA Agent 2.5 for Microsoft Windows Installation and Administration Guide