ikreiliger (Customer) asked a question.

Is it possible to onboard the software token (mobile phone) completely offline without connection to RSA Infrastructure (AM)?

In our case, we are in a completely air-gapped environment and the mobile device does not reach the RSA infrastructure, but to scan a QR Code will work.


  • You would have to use a file-based SDTID software token, since both CT-KIP and CTF require a network connection to the RSA AM servers. Be sure to invoke both copy-protection and device binding for security.

  • CTF is just a form of SDTID file in a URL format, so it does NOT require the phone to connect with the AM server. Ideally, on-prem self-service with CTF QR code delivery via RSA Prime Self-Service would be ideal. This does require a subscription to Prime. For a manual approach, SDTID with the token converter to CTF or QR code could be used by an admin, but only if device binding is used to protect the process. This entails the end-user sending the admin performing the token provisioning and email delivery their device binding ID via the RSA app (also works for Windows and macOS). The admin can then safely assign a software token and distribute it as an SDTID file as long as the admin sets the token device serial number in the UI to the binding ID value provided by the end-user. After issuing the file and saving it to their computer, the admin will need to unzip the file and email the SDTID file to the end-user. For QR or CTF, an additional step of running the file through the token converter will be required. For a small number of users, this manual approach may be acceptable. For a few thousand or more, you should consider Prime to allow for secure on-prem only Self-Service.
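The manual workflow in the answer above hinges on one admin-side check: the token file must have copy protection enabled and its device serial number must equal the binding ID the end-user sent in, otherwise the emailed SDTID can be imported on any phone. The following is an added example, not code from RSA or from either poster, of a pre-distribution review script an admin could run on the unzipped SDTID before emailing it. The XML element names (`TKNBatch`, `TKN`, `SN`, `CopyProtection`, `DeviceSerialNumber`, `Death`) and the sample file are constructed for illustration and are assumptions, not the real SDTID schema; adapt the tag lookups to the file your AM version actually produces.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed sample mimicking a file-based SDTID token. Element names are
# assumptions for this example, not the documented RSA schema.
SAMPLE_SDTID = """<?xml version="1.0" encoding="UTF-8"?>
<TKNBatch>
  <TKNHeader>
    <Origin>am-host.example.internal</Origin>
    <Dest>end-user</Dest>
  </TKNHeader>
  <TKN>
    <SN>000123456789</SN>
    <UserLogin>jdoe</UserLogin>
    <Death>2030/01/01</Death>
    <CopyProtection>true</CopyProtection>
    <DeviceSerialNumber>ABCD1234EFGH5678</DeviceSerialNumber>
  </TKN>
</TKNBatch>
"""

# Same token issued without copy protection or device binding (constructed).
UNBOUND_SDTID = (
    SAMPLE_SDTID
    .replace("<CopyProtection>true</CopyProtection>", "<CopyProtection>false</CopyProtection>")
    .replace("<DeviceSerialNumber>ABCD1234EFGH5678</DeviceSerialNumber>", "<DeviceSerialNumber/>")
)


def _text(parent: ET.Element, tag: str) -> str:
    """Return the stripped text of a child element, or '' if absent/empty."""
    el = parent.find(tag)
    return (el.text or "").strip() if el is not None else ""


def _normalize(binding_id: str) -> str:
    """Binding IDs arrive by email; ignore whitespace and letter case."""
    return "".join(binding_id.split()).upper()


@dataclass
class TokenReview:
    serial: str
    user: str
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def review_token(sdtid_xml: str,
                 expected_binding_id: Optional[str] = None,
                 today: Optional[date] = None) -> TokenReview:
    """Check an SDTID file against the provisioning policy before it is emailed.

    expected_binding_id is the device binding ID the end-user sent from the
    RSA app; pass None to skip the match check (the presence check still runs).
    """
    root = ET.fromstring(sdtid_xml)
    tkn = root.find("TKN")
    if tkn is None:
        raise ValueError("no <TKN> element found in SDTID file")

    review = TokenReview(serial=_text(tkn, "SN"), user=_text(tkn, "UserLogin"))

    # 1. Copy protection must be on, or the seed can be moved between devices.
    if _text(tkn, "CopyProtection").lower() != "true":
        review.findings.append(
            "copy protection is not enabled; the token file can be imported on any device")

    # 2. Device binding must be set, and must match the end-user's binding ID.
    bound = _text(tkn, "DeviceSerialNumber")
    if not bound:
        review.findings.append(
            "device binding is not set (DeviceSerialNumber empty); "
            "obtain the end-user's binding ID before issuing")
    elif expected_binding_id is not None and _normalize(bound) != _normalize(expected_binding_id):
        review.findings.append(
            f"DeviceSerialNumber {bound} does not match the binding ID "
            f"{expected_binding_id} supplied by the end-user")

    # 3. Do not ship a token that is already past its expiry date.
    death = _text(tkn, "Death")
    if death:
        y, m, d = (int(p) for p in death.split("/"))
        if date(y, m, d) <= (today or date.today()):
            review.findings.append(f"token expired on {death}")

    return review


if __name__ == "__main__":
    for label, xml, binding in (("bound", SAMPLE_SDTID, "ABCD1234EFGH5678"),
                                ("unbound", UNBOUND_SDTID, "ABCD1234EFGH5678")):
        r = review_token(xml, binding)
        print(f"{label}: token {r.serial} for {r.user}: {'OK' if r.ok else r.findings}")
```

Run it on the unzipped file and the user's emailed binding ID; only distribute the SDTID (or convert it to CTF/QR with the token converter) when the review returns no findings.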
