What is the range of tokencodes accepted by RSA ACE/Server or RSA Authentication Manager?
Originally Published: 2003-11-03
Article Number
Applies To
RSA ACE/Server
Microsoft Windows
UNIX
Token synchronization
Issue
What are RSA SecurID token sync ranges?
What is the range of tokencodes accepted by RSA ACE/Server or RSA Authentication Manager?
What is the maximum resynchronization range?
Resolution
Standard Token:
Automatic acceptance range ? 1 interval (3 codes)
Acceptance with Next Tokencode ? 3 intervals (7 codes)
Maximum limit (after 3 failures and Next Tokencode) ? 10 intervals (21 codes)
PINpad Token:
Automatic acceptance range ? 2 interval (5 codes)
Acceptance with Next Tokencode ? 4 intervals (9 codes)
Maximum limit (after 3 failures and Next Tokencode) ? 10 intervals (21 codes)
Software Token:
Automatic acceptance range ? 10 interval (21 codes)
Acceptance with Next Tokencode ? 12 intervals (25 codes)
Maximum limit (after 3 failures* and Next Tokencode) ? 70 intervals (141 codes)
Administrative resync range (all tokens): ? 12 hours (1441 codes)
* 3 failures is a default setting in an SDCONF.REC, and this single value is configurable (see administration documentation for more details)
Automatic acceptance range: A token within this range will give a Tokencode accepted as a standard authentication from an end user.
Acceptance with Next Tokencode: A token outside of the above range but within this range has a larger window where the first Tokencode is within the window and the end user is prompted for Next Tokencode during authentication.
Maximum limit range: A much larger window where the user will fail the authentication attempt and will continue to fail for three times. After this, they may type in a Tokencode within this range followed by the Next Tokencode.
Admin resync: This is the range where the administrator can use the resynchronization option in the display about the token in the ACE/Server administration menu.
First Use of Token (newly assigned token and New PIN mode): The first authentication attempt (where the user goes through the New PIN dialog) will use the Maximum limit range, since a subsequent complete authentication is then required anyway.
NOTE: The details above show fixed values - these token ranges are not configurable.
Related Articles
Additional Apache Struts INFO level messages in WebLogic log files. Number of Views What is the aveksa_watchdog service in RSA Identity Governance & Lifecycle? Number of Views What are the custom attribute data type limits in RSA Identity Governance & Lifecycle Number of Views RSA Governance & Lifecycle Recipes: Report - Review Results - Review Summary Info Number of Views What is the Change Request Pending Submission State in RSA Identity Governance & Lifecycle Number of Views
Trending Articles
Downloading RSA Authentication Manager license files or RSA Software token seed records RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory Mandatory Certificate Upgrade Required by 6th October 2025 for RSA MFA Agent for PAM, RSA MFA Agent for Apache, and Third … RSA Authentication Manager 8.9 Release Notes (January 2026)
Don't see what you're looking for?
