Distribute One Software Token Using Dynamic Seed Provisioning
Dynamic seed provisioning uses the CT-KIP protocol to generate token data without the need for a token file. There are two ways to provision software tokens with CT-KIP:
Using a URL link to the CT-KIP server and the CT-KIP activation code.
Using a QR Code that encapsulates the CT-KIP URL and activation code. This method is recommended for higher security because the URL and activation code does not need to be sent in e-mail, and the user must authenticate to the Self-Service Console before scanning the QR Code.
AM generates custom CT-KIP URLs or QR Codes for mobile platform device types, such as Android and iPhone.
Before you begin
If you are distributing the token using a CT-KIP URL link and activation code, consider that AM does not encrypt e-mail. For a more secure delivery option, you can do the following:
Provide the information offline, such as by calling the user on the telephone.
Copy the information into an e-mail that you encrypt.
Use a Simple Mail Transfer Protocol (SMTP) e-mail encryption gateway.
Distribute the token using a QR Code because no e-mail is involved.
Instruct users to install the RSA Software Token application on their devices. For installation instructions, see the documentation for the software token application.
- Add a Software Token Profile
- Assign Tokens to Users
RSA recommends that you replace the default certificates in AM with trusted certificates. Otherwise, end users are prompted to accept untrusted certificates before proceeding. Certain mobile device platforms only support an SSL certificate with a server that has a trusted certificate installed. To use dynamic seed provisioning with CT-KIP, you must have a trusted certificate on your AM server or web tiers.
Procedure
In the Security Console, click Authentication > SecurID Tokens > Manage Existing.
Use the search fields to find the software token that you want to distribute.
From the search results, click the software token that you want to distribute.
From the context menu, click Distribute.
From the Select Token Profile drop-down list, select a software token profile with one of the following delivery methods:
Dynamic Seed Provisioning (using URL)
Dynamic Seed Provisioning (using QR Code)
In the DeviceSerialNumber field, do one of the following:
To bind the token to the device class, leave the default setting.
For example, if you select a software token profile for Android devices, the default setting restricts the software tokens to any Android device that is supported by the RSA Authenticator app
To bind the token to a specific user device, clear the field and enter the device ID you obtained from the user. RSA recommends using a device-specific ID for a QR Code-enabled profile.
You can either clear the device ID or leave the default setting. AM uses dynamic seed provisioning to verify the device class and obtain a device-specific ID from the user device.
Enter a nickname or leave the Nickname field blank.
From the CT-KIP Activation Code drop-down list, select an activation code for the software token. For QR Code delivery, the activation code is system-generated and cannot be changed.
Click Save and Distribute.
After you finish
For delivery using CT-KIP URL and activation code, RSA AM displays the URL link of the CT-KIP server and the unique, one-time token activation code. Do the following:
Copy the activation code and CT-KIP URL and safely deliver them to the user.
Instruct the user on how to import the token.
For delivery using QR Code, provide the user with the following instructions:
Install the RSA Authenticator application on the mobile device.
Log on to the Self-Service Console from a device other than the one on which the RSA Authenticator app is installed.
In the My Authenticators section of the My Accounts page, click Activate Your Token.
Follow instructions in the Activate Your Token window to activate the token.
Note: If you configured the activation code to expire, advise the user to import the token before the expiration time. If the activation code expires before it is used, you must redistribute the token, and provide the CT-KIP URL and the new activation code to the user. Or, in the case of QR Code delivery, ask the user to log in to the Self-Service Console and scan the QR Code again.
Related Concepts
Related Articles
Distribute One Software Token Using Dynamic Seed Provisioning Number of Views New Delivery Method for Token Seed Records Number of Views Assign and Distribute a Software Token to a User Using Dynamic Seed Provisioning in the User Dashboard Number of Views missing CD for token media from shipment because Token media is now delivered digitally from my.rsa.com Number of Views Token seed import fails with 'Import Token failure' error for RSA Authentication Manager Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) How to install the jTDS JDBC driver on WildFly for use with Data Collections in RSA Identity Governance & Lifecycle RSA Authentication Manager 8.8 Setup and Configuration Guide Artifacts to gather in RSA Identity Governance & Lifecycle
