
AshleyGilbert (Customer) asked a question.
Can someone help me locate detailed instructions for a user to set their token pin through the Security Console, not the PrimeKit.
@AshleyGilbert (Customer),
An end user would not set their PIN through the Security Console. The Security Console UI is for administrators to manage users and tokens. We recommend against admins setting up PINs for users because the PIN is the "something you know" part of two-factor authentication. Having more than one person know that PIN weakens its security.
An RSA admin can clear a user's PIN from their token through the Security Console which puts the user into New PIN Mode, allowing them to set a new PIN.
An end user can establish a PIN when attempting to authenticate through an agent for the first time or by creating a PIN via the Self-Service Console. The Self-Service Console enables users to perform some basic maintenance and troubleshooting tasks, like requesting replacement tokens and setting PINs.
When a user accesses an agent for the first time, let's say the MFA Agent 2.3.4 for Windows or perhaps a Cisco ISE, they enter the code they see on the hardware or software authenticator. The information is sent to the Authentication Manager server that turns around to the user and prompts them to create a PIN and navigates through the PIN creation and first time usage.
You could use the Self-Service Console. It's almost the same URL as the Security Console. If your Security Console is https://primaryhostname.company.com/sc, the Self-Service Console would be https://primaryhostname.company.com/ssc. Users could log in with their assigned token and set their PIN at first login.
The down side to this is that you are giving the end users the FQDN of the Primary, which is not always a good idea. The workaround for this is to stand up a web tier which acts as a proxy. The web tier could resolve to a separate virtual hostname (https://tokenportal.company.com), which would be all the end users would ever see. The web tier would then present the self-service console but without compromising the Primary hostname.
The web tier software is free, and there are versions for Windows Server and RHEL.
The user will be a Token Manager. They are located in another country so the AM they're on is designed to use a different PrimeKit than I use but we don't have their PK up and running yet.
I thought they might be prompted to create a PIN when they first sign into the Security Console, but they are having trouble. I'll look into the SSC option.
Thank you both.