RSA Hardware Authenticators

You can assign SecurID 700 hardware authenticators to Cloud Access Service (CAS) users and manage the OTP credentials in the Cloud Administration Console. These credentials provide two-factor authentication, where users enter a PIN (something the user knows) plus an OTP (something the user has). The OTP changes at regular intervals.

During authentication, CAS validates the OTP and PIN, similar to other cloud-based authentication methods. These credentials can be viewed and managed only from the Cloud Administration Console. You do not need to deploy an Authentication Manager server.

These credentials can be used for offline authentication if your company deploys the latest version of MFA Agent for Microsoft Windows or MFA Agent for macOS to users. For more information, see Using SecurID 700 Hardware Authenticators for Offline Authentication.

Each user can have up to five active SecurID 700 hardware OTP credentials that are managed in the Cloud Administration Console. Users can register and activate their credentials on My Page.

For instructions, see:

Deploy SecurID 700 Hardware Authenticators to Users

To deploy SecurID 700 hardware authenticators to your users, you can either transfer the ownership of the SecurID 700 hardware tokens from Authentication Manager to CAS or obtain the record files from RSA.

Transfer SecurID 700 Hardware Authenticator Ownership to CAS

You can transfer ownership and administration of assigned and unassigned SecurID 700 hardware authenticators from Authentication Manager to CAS. For information about SecurID 700 hardware authenticators that are eligible for transfer and how to transfer them to CAS, see Authentication Manager Administrator's Guide V8.7 or above.

After the authenticators are transferred to the Cloud, CAS manages and owns the authenticators, and Authentication Manager consequently forwards the authentication events to CAS. These events can be monitored from the User Event Monitor for CAS. For instructions, see Monitor User Events in the Cloud Administration Console.

When SecurID 700 authenticators are transferred to the Cloud, all authentication agents, including RADIUS, will continue to authenticate applications protected by Authentication Manager. However, the cross-trust authentications for authenticators can fail in Authentication Manager. Authentication Manager provides high availability by allowing Authenticate Tokencode, Cloud-owned SecurID 700, and DS100 OTP authentication to continue when the connection between Authentication Manager and CAS is not available.

SecurID 700 records that are uploaded directly to the Cloud and assigned to users are synchronized to Authentication Manager using the synchronization job for CAS. This batch job runs after Authentication Manager is connected to CAS. After authenticators are synced, Cloud-owned authenticators are available for authentication with applications that are protected by Authentication Manager.

After you transfer the ownership of SecurID 700 hardware authenticators from the Authentication Manager to CAS, you can perform these steps:

Obtain SecurID 700 Hardware Authenticator from RSA

To obtain SecurID 700 hardware authenticators from RSA, perform these steps:

  1. Request SecurID 700 hardware authenticators from RSA Sales or your partner. You will receive a packet containing the authenticators and encrypted authenticator record files.

    If you plan to use SecurID 700 hardware authenticators that were previously ordered and shipped, make sure you have the decrypted authenticator record files.

  2. Follow the instructions in the packet to decrypt the authenticator record files.

    During decryption, an import password is generated for each file. Make sure you have these passwords when you upload the authenticator record files to CAS.

    Note: Trial authenticators may not require a password.

Then, you can perform these steps:

Upload Decrypted Authenticator Record Files to CAS

  1. In the Cloud Administration Console, click Users > Hardware Authenticators.

  2. Click Upload SID700 OTP Seeds.

  3. Click Choose File and browse to the file you want to upload.

  4. If required, enter the import password that was created for the file during the decryption process.

  5. Click Upload.

You can view the total number of the uploaded hardware authenticators and the total number of unassigned hardware authenticators on the Hardware Authenticators OTP Seed Management page.

Configure Authentication Settings for Your Deployment

Configure settings that affect how hardware authenticators are used in your deployment, including PIN requirements. See Configure OTP Credentials for instructions.

Configure Email Notifications for Your Deployment

To help increase security, you can configure CAS to automatically send a confirmation email to users after they register their SecurID 700 hardware authenticators. For instructions, see Configure Email Notifications.

Distribute Authenticators to Users

To distribute SecurID 700 authenticators to users:

  1. Send unassigned authenticators to users.

  2. Instruct users to go to My Page to register their authenticator and test authentication.

If preferred, you can assign authenticators to each user before distribution. Upon receiving their authenticators, users must go to My Page to activate the preregistered authenticators and test authentication.

Delete Expired Hardware Authenticators

This task deletes all expired hardware authenticators from CAS. These authenticators cannot be used for authentication.

  1. In the Cloud Administration Console, click Users > Hardware Authenticators.

  2. From the Hardware Authenticator Actions drop-down menu, click Delete SID700 Authenticators.

  3. Under Delete All Expired Hardware Authenticators, click Delete.

    This operation may take several minutes to complete, depending on how many expired authenticators are being deleted.

Manage Users' Hardware Authenticators

Clear a Hardware Authenticator PIN for a User

You can clear the PIN if the user has forgotten the PIN or the PIN is compromised. Before using the hardware authenticator, the user must go to My Page and set a new PIN.

Enable or Disable a Hardware Authenticator

Registered authenticators are automatically enabled. You can unassign a disabled authenticator.

Unassign a Hardware Authenticator from a User

Unassigning the hardware authenticator prevents the user from using it to authenticate.

Delete a User's Hardware Authenticator

Delete a hardware authenticator file from CAS.

Unlock All OTP Credentials for a User

Unlock a user's SMS, Voice, Authenticate, and hardware OTPs.

Rename a Hardware OTP Credential

Instruct users to go to My Page and click the old name. Enter the new name, then click the check box to confirm. Make sure the name is not blank, does not include the < > " / ; ` % characters, and does not exceed 50 characters.

View Hardware Authenticator Information

Usage Information

View hardware authenticator usage statistics for your deployment on the Cloud Administration Console Dashboard.

Run Reports

Use the Hardware OTP Credential Information report to see information for each hardware authenticator that is uploaded to CAS.


To access Help for end users, see Hardware Authenticator.