What is the range of tokencodes accepted by RSA ACE/Server or RSA Authentication Manager?
Originally Published: 2003-11-03
Article Number
Applies To
RSA ACE/Server
Microsoft Windows
UNIX
Token synchronization
Issue
What are RSA SecurID token sync ranges?
What is the range of tokencodes accepted by RSA ACE/Server or RSA Authentication Manager?
What is the maximum resynchronization range?
Resolution
Standard Token:
Automatic acceptance range ? 1 interval (3 codes)
Acceptance with Next Tokencode ? 3 intervals (7 codes)
Maximum limit (after 3 failures and Next Tokencode) ? 10 intervals (21 codes)
PINpad Token:
Automatic acceptance range ? 2 interval (5 codes)
Acceptance with Next Tokencode ? 4 intervals (9 codes)
Maximum limit (after 3 failures and Next Tokencode) ? 10 intervals (21 codes)
Software Token:
Automatic acceptance range ? 10 interval (21 codes)
Acceptance with Next Tokencode ? 12 intervals (25 codes)
Maximum limit (after 3 failures* and Next Tokencode) ? 70 intervals (141 codes)
Administrative resync range (all tokens): ? 12 hours (1441 codes)
* 3 failures is a default setting in an SDCONF.REC, and this single value is configurable (see administration documentation for more details)
Automatic acceptance range: A token within this range will give a Tokencode accepted as a standard authentication from an end user.
Acceptance with Next Tokencode: A token outside of the above range but within this range has a larger window where the first Tokencode is within the window and the end user is prompted for Next Tokencode during authentication.
Maximum limit range: A much larger window where the user will fail the authentication attempt and will continue to fail for three times. After this, they may type in a Tokencode within this range followed by the Next Tokencode.
Admin resync: This is the range where the administrator can use the resynchronization option in the display about the token in the ACE/Server administration menu.
First Use of Token (newly assigned token and New PIN mode): The first authentication attempt (where the user goes through the New PIN dialog) will use the Maximum limit range, since a subsequent complete authentication is then required anyway.
NOTE: The details above show fixed values - these token ranges are not configurable.
Related Articles
What is the aveksa_watchdog service in RSA Identity Governance & Lifecycle? Number of Views What is the Return Merchandise Authorization (RMA) process for SID800 tokens? Number of Views What are the custom attribute data type limits in RSA Identity Governance & Lifecycle Number of Views What are steps to use Microsoft CA with a SID800? Number of Views What are the steps to use a SID800 token with SecurID ready applications? Number of Views
Trending Articles
Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory RSA Authentication Manager 8.9 Release Notes (January 2026) Artifacts to gather in RSA Identity Governance & Lifecycle RSA Governance & Lifecycle 8.0.0 Administrators Guide RSA Governance & Lifecycle 8.0.0 Installation Guide
Don't see what you're looking for?
