High Availability OTP
If Cloud Access Service (CAS) cannot be reached because the connection is temporarily unavailable or too slow, RSA Authentication Manager (AM) can use downloaded High Availability OTP records to prompt users for an Authenticate Tokencode.
When High Availability OTP is enabled, users who authenticate with methods supported by the RSA Authenticator app, such as Approve and Device Biometrics, are prompted for an Authenticate Tokencode or RSA SecurID passcode.
To use this feature, you must have one of the following connections:
A direct connection between AM 8.5 or later and CAS
A connection that uses the embedded identity router in AM
You must enable High Availability OTPs in CAS. For instructions, see Configure High Availability OTP.
Note:
1. High Availability OTP is available only for applications that connect to AM. It is not available for applications that connect to CAS or IDRs (for example, My Page SSO Portal, Relying Party, IDR RADIUS, or IDR SSO Portal).
2. SecurID OTP authenticators assigned to users in CAS (for example, SecurID 700 or DS100) can be used even when High Availability OTP is not enabled in the Cloud Administration Console.
How High Availability OTP Works
When you configure High Availability OTPs, AM automatically downloads High Availability OTP records for each user who has registered an RSA Authenticator app with CAS.
Authentication Manager licensing
Enabling High Availability OTP does not affect license usage in AM. For more information about how AM uses High Availability OTP records, see Configure High Availability OTP.
Behavior When CAS Is Not Available
When CAS is not available, the following events occur:
Users who normally use Authenticate Tokencode, Approve, or Device Biometrics are prompted for an Authenticate OTP or RSA SecurID passcode.
The access policy in CAS is not applied.
The AM lockout policy determines how many failed logon attempts users can make before their accounts are locked and whether accounts can be unlocked automatically or by the administrator.
AM determines whether a user is enabled, disabled, or locked.
After the connection becomes available again, AM resumes authentication using CAS.
AM does not send updated authentication or user status information to CAS. CAS obtains user status information from the identity source.
Background Maintenance
Most High Availability OTP processing occurs automatically and does not require administrative tasks.
AM monitors CAS to determine whether it is reachable and whether High Availability OTP records are needed. AM records this information in log files.
A batch job called Authenticate Tokencode Sync Job automatically updates High Availability OTP records at the same time each day. RSA automatically assigns each customer deployment a synchronization time between 1:00 AM and 5:00 AM local time. Configuration is not required. The total number of processed records is recorded in the System Activity monitor and log files.