Add a Software Token Profile

Software token profiles specify software token configuration and distribution options. You must configure a software token profile for each platform to which you plan to distribute software tokens.

Before you begin

You must be a Super Admin.


  1. In the Security Console, click Authentication > Software Token Profiles > Add New.

  2. Enter the Profile Name. Try to include the device type or distribution method in the profile name. For example, “Android_CT_KIP.”

  3. Do one of the following:

    • To choose an existing device type, select one from the Device Type drop-down list.

    • To load a new device type, click Import New Device Definition File, browse to the device definition file, and click Submit.

  4. Complete the specific fields for the device type. You may have to configure these settings:

    1. In the Tokencode Duration field, select the required duration for the tokencode display.

    2. In the Tokencode Length field, select the required number of digits in the tokencode.

    3. Select the Authentication Type. The following authentication types are available:

      • PINPad-style. The user must enter a PIN in the software token application to generate the passcode. PINPad-style tokens only allow numeric PINs.

      • Fob-style. The user must enter the PIN, followed by the tokencode when logging on to the resource protected by SecurID. Fob-style tokens allow alphanumeric PINs.

      • Tokencode. The user enters a tokencode. No PIN is required.

    4. Select the Delivery Method. You can distribute the software token file in one of three ways:

      • Dynamic Seed Provisioning. Uses the Cryptographic Token-Key Initialization Protocol (CT-KIP). You can use this method only for CT-KIP-capable SecurID software tokens. A CT-KIP-capable SecurID software token is always a 128-bit token. There are two ways to provision software tokens with CT-KIP:

      • CT-KIP URL and activation code. The user can import the token using a CT-KIP URL and activation code. The token can be delivered through a link that incorporates the CT-KIP URL with the activation code.

      • QR Code. The user can import the token by scanning a QR Code in the Self-Service Console (using a QR Code-capable SecurID Token application). For sites that deploy the Self-Service Console, this method is recommended for higher security because the URL and activation code does need to be sent in e-mail, and the user must authenticate to the Self-Service Console before scanning the QR Code.

        Note: The QR Code option is available for devices that are QR Code-capable only. For those users who cannot scan a QR Code, the administrator can customize the Self-Service Console to allow users to request an email delivery of CT-KIP URL

      • Compressed Token Format (CTF) Provisioning. Authentication Manager generates a URL, which you deliver to the user’s device. This URL contains the encoded token information needed by the software application. Use this method only with CTF-capable SecurID software tokens. CTF provisioning is not available to 64-bit tokens.

      • File-based Provisioning. Authentication Manager generates a software token distribution file (.sdtid), which is added to a .zip file for download. This software token distribution file contains the shared secret (“seed”) used by the SecurID algorithm, and other metadata such as expiration date, serial number, and number of digits in the tokencode.

    5. In the Device Specific Attributes section, do one of the following:

      • If you want to bind all software tokens intended for this device type to the device class, leave the default value (classGUID) in the DeviceSerialNumber field.

      • If the users have the SecurID app, SecurID Software Token 2.1 or later for Android, or SecurID Software Token 2.2 or later for iOS, you can either clear the device ID or leave the default setting. RSA Authentication Manager uses dynamic seed provisioning to verify the device class and obtain device-specific IDs from the user devices. Each device-specific ID binds the software token to a specific device.

      • For other software tokens, if you do not want to bind all software tokens intended for this device type to the device class, you can clear the DeviceSerialNumber field or leave the default value. Then, when you distribute the token, you can replace the default value with a device-specific ID.

      Note: RSA recommends using a device-specific ID for a QR Code-enabled profile.

    6. Enter a nickname if you want all tokens that you deliver to have the same nickname (for example, your company name). You can set a nickname for a specific token when you distribute the token.

  5. Click Save.

After you finish

Deliver the token to the user using the selected method. For instructions, see one of the following:

Distribute Software Tokens Using File-Based Provisioning

Distribute One Software Token Using File-Based Provisioning

Distribute One Software Token Using Dynamic Seed Provisioning

Distribute One Software Token Using Dynamic Seed Provisioning

Distribute Software Tokens Using Compressed Token Format (CTF)

Distribute One Software Token Using Compressed Token Format (CTF)