What is the range of tokencodes accepted by RSA ACE/Server or RSA Authentication Manager?
Originally Published: 2003-11-03
Article Number
Applies To
RSA ACE/Server
Microsoft Windows
UNIX
Token synchronization
Issue
What are RSA SecurID token sync ranges?
What is the range of tokencodes accepted by RSA ACE/Server or RSA Authentication Manager?
What is the maximum resynchronization range?
Resolution
Standard Token:
Automatic acceptance range ? 1 interval (3 codes)
Acceptance with Next Tokencode ? 3 intervals (7 codes)
Maximum limit (after 3 failures and Next Tokencode) ? 10 intervals (21 codes)
PINpad Token:
Automatic acceptance range ? 2 interval (5 codes)
Acceptance with Next Tokencode ? 4 intervals (9 codes)
Maximum limit (after 3 failures and Next Tokencode) ? 10 intervals (21 codes)
Software Token:
Automatic acceptance range ? 10 interval (21 codes)
Acceptance with Next Tokencode ? 12 intervals (25 codes)
Maximum limit (after 3 failures* and Next Tokencode) ? 70 intervals (141 codes)
Administrative resync range (all tokens): ? 12 hours (1441 codes)
* 3 failures is a default setting in an SDCONF.REC, and this single value is configurable (see administration documentation for more details)
Automatic acceptance range: A token within this range will give a Tokencode accepted as a standard authentication from an end user.
Acceptance with Next Tokencode: A token outside of the above range but within this range has a larger window where the first Tokencode is within the window and the end user is prompted for Next Tokencode during authentication.
Maximum limit range: A much larger window where the user will fail the authentication attempt and will continue to fail for three times. After this, they may type in a Tokencode within this range followed by the Next Tokencode.
Admin resync: This is the range where the administrator can use the resynchronization option in the display about the token in the ACE/Server administration menu.
First Use of Token (newly assigned token and New PIN mode): The first authentication attempt (where the user goes through the New PIN dialog) will use the Maximum limit range, since a subsequent complete authentication is then required anyway.
NOTE: The details above show fixed values - these token ranges are not configurable.
Related Articles
What are the custom attribute data type limits in RSA Identity Governance & Lifecycle Number of Views What is the aveksa_watchdog service in RSA Identity Governance & Lifecycle? Number of Views Generating report output being managed by all administrators in a security domain for RSA Authentication Manager 8.x Number of Views In RSA Identity Governance & Lifecycle, what is the difference between an account's Last Collected Date and Last Collected… Number of Views VMware Pivotal Tracker - RSASecurID Access Implementation Guide Number of Views
Trending Articles
RSA Authentication Manager 8.9 Release Notes (January 2026) RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA-2026-07: RSA Authentication Manager Security Update for Third-Party Component Vulnerabilities Downloading RSA Authentication Manager license files or RSA Software token seed records RSA MFA Agent 2.5 for Microsoft Windows Installation and Administration Guide
Don't see what you're looking for?
