A token policy determines RSA SecurID PIN lifetime and format, and fixed passcode lifetime and format. A policy is assigned to each security domain and applies to all tokens assigned to users managed within that security domain.
Token policies also determine how to handle users or unauthorized people who enter a series of incorrect passcodes.
In a replicated deployment, changes to policies might not be immediately visible on the replica instance. This delay is due to the cache refresh interval. Changes should replicate within 10 minutes. For instructions to make changes take effect sooner on the replica instance, see Flush the Cache.
In the Security Console, click Authentication > Policies > Token Policies > Add New.
In the SecurID Token Policy Name field, enter a unique name with 1 to 128 characters.
For Incorrect Passcodes, specify how the system responds when a user enters an incorrect passcode.
You can allow users to enter a limited or unlimited number of incorrect passcodes. When the limit is exceeded and the user then enters a correct passcode, the user is prompted to enter the next tokencode that displays on the token.
This setting guards against an unauthorized person attempting to guess a passcode. Even if the person guesses a correct passcode, he or she is prompted for the next tokencode and given only one chance to enter it correctly. If the person enters the next tokencode incorrectly, the user account is locked.
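The challenge-and-lockout sequence described above, modelled in Python as an added example (this is not RSA's code; the class names, the use of None for an unlimited limit, the constructed PIN and tokencode list, and the reading of "exceeded" as strictly more incorrect attempts than the limit are all assumptions made for the demonstration):

```python
"""Illustrative model of the Incorrect Passcodes handling described above.

Added example: this is not RSA's code. The class names, the use of
None for an unlimited limit, and the fixed list of tokencodes standing in
for a token's time-based codes are all assumptions made for the demo.
A passcode is modelled as PIN + tokencode.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TokenPolicy:
    # Number of consecutive incorrect passcodes tolerated before the
    # next-tokencode challenge is triggered; None models "unlimited".
    incorrect_passcode_limit: Optional[int] = 3


@dataclass
class TokenState:
    pin: str
    tokencodes: List[str]          # constructed sequence of tokencodes
    position: int = 0              # index of the tokencode currently displayed
    bad_count: int = 0             # consecutive incorrect passcodes so far
    next_tokencode_required: bool = False
    locked: bool = False

    def authenticate(self, policy: TokenPolicy, passcode: str) -> str:
        """Process a passcode attempt and return the outcome."""
        if self.locked:
            return "LOCKED"
        if self.next_tokencode_required:
            # A pending challenge must be answered via verify_next_tokencode();
            # an ordinary passcode is not accepted in its place.
            return "NEXT_TOKENCODE_REQUIRED"
        if passcode != self.pin + self.tokencodes[self.position]:
            self.bad_count += 1
            return "DENIED"
        # Correct passcode: the displayed tokencode is consumed either way.
        self.position += 1
        limit = policy.incorrect_passcode_limit
        if limit is not None and self.bad_count > limit:
            # Limit exceeded, then a correct passcode: one correct guess is not
            # enough; the user must also produce the next tokencode.
            self.next_tokencode_required = True
            return "NEXT_TOKENCODE_REQUIRED"
        self.bad_count = 0
        return "ACCEPTED"

    def verify_next_tokencode(self, tokencode: str) -> str:
        """Answer the next-tokencode challenge; there is exactly one attempt."""
        if self.locked:
            return "LOCKED"
        if not self.next_tokencode_required:
            return "DENIED"
        self.next_tokencode_required = False
        if tokencode == self.tokencodes[self.position]:
            self.position += 1
            self.bad_count = 0
            return "ACCEPTED"
        # Wrong next tokencode after the challenge: the account is locked.
        self.locked = True
        return "LOCKED"


def guessing_scenario(limit: Optional[int], wrong_attempts: int,
                      answer_challenge_correctly: bool) -> List[str]:
    """Replay wrong attempts, then a correct passcode, and return all outcomes."""
    policy = TokenPolicy(incorrect_passcode_limit=limit)
    state = TokenState(pin="2468", tokencodes=["111111", "222222", "333333"])
    outcomes = [state.authenticate(policy, "0000999999")
                for _ in range(wrong_attempts)]
    outcomes.append(state.authenticate(policy, "2468111111"))
    if state.next_tokencode_required:
        reply = "222222" if answer_challenge_correctly else "000000"
        outcomes.append(state.verify_next_tokencode(reply))
    return outcomes


if __name__ == "__main__":
    print(guessing_scenario(limit=2, wrong_attempts=3, answer_challenge_correctly=True))
    print(guessing_scenario(limit=2, wrong_attempts=3, answer_challenge_correctly=False))
    print(guessing_scenario(limit=None, wrong_attempts=10, answer_challenge_correctly=True))
```

The model makes the defensive point of the setting visible: with a limit configured, a burst of wrong passcodes followed by one correct passcode never yields access on its own, whereas with the unlimited choice the same burst is simply ignored once a correct passcode arrives.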
For Default Policy, select Set as default SecurID token policy if you want to designate the new policy as the default policy for the deployment. This security policy is applied to all security domains in the deployment where SecurID Token Policy is set to Always Use Default. You can override the default policy for each security domain.
(Optional) For Periodic Expiration, select Require periodic SecurID PIN changes if you want to require users to change their SecurID PINs after a specified length of time. If you select this option, specify the following:
For Maximum Lifetime, specify how often SecurID PINs must be changed.
For Minimum Lifetime, specify how long users must wait between SecurID PIN changes. This prevents users from bypassing the Restrict Reuse setting by repeatedly changing their SecurID PINs.
(Optional) For Restrict Reuse, specify the number of recent SecurID PINs a user is restricted from reusing.
For PIN Creation Method, select the method by which SecurID PINs are generated. You can require system-generated SecurID PINs or allow users to create their own PINs.
Note: RSA RADIUS does not allow system-generated PINs by default. If you allow system-generated PINs, authentications will fail unless you change the RADIUS configuration file, securid.ini, to allow system-generated PINs. For instructions, see Edit RADIUS Server Files.
For Minimum Length, specify the minimum number of characters that a SecurID PIN can contain.
For Maximum Length, specify the maximum number of characters that a SecurID PIN can contain.
(Optional) If you want certain words to be disallowed as PINs, select a dictionary from the Excluded Words Dictionary drop-down list.
For Character Requirements, specify whether the SecurID PIN must be numeric or alphanumeric and the minimum number of each character type required for a valid SecurID PIN. PINPad-style tokens only allow numeric PINs. Fob-style tokens allow alphanumeric PINs.
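The PIN lifetime and format settings above (Periodic Expiration, Minimum Lifetime, Restrict Reuse, length, excluded words, and character requirements), combined into one validator as an added example. This is not RSA's code or the product's own validation logic: the field names, the reason strings, the sample policy and history values, and the plaintext PIN history are assumptions made for the demonstration.

```python
"""Illustrative validator for the SecurID PIN settings described above.

Added example, not RSA's code: the field names, the reason strings, the
sample values and the plaintext PIN history are assumptions made for the
demonstration (a real system would compare against stored hashes).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional


@dataclass
class PinPolicy:
    min_length: int = 4                            # Minimum Length
    max_length: int = 8                            # Maximum Length
    alphanumeric: bool = True                      # False models a numeric-only policy
    min_letters: int = 0                           # Character Requirements, per type
    min_digits: int = 1
    excluded_words: FrozenSet[str] = frozenset()   # Excluded Words Dictionary
    restrict_reuse: int = 0                        # recent PINs that may not be reused
    min_lifetime: Optional[timedelta] = None       # Minimum Lifetime
    max_lifetime: Optional[timedelta] = None       # Maximum Lifetime


@dataclass
class PinHistory:
    recent_pins: List[str]                         # most recent PIN last
    last_changed: datetime


def validate_pin(new_pin: str, policy: PinPolicy, history: PinHistory,
                 now: datetime, token_style: str = "fob") -> List[str]:
    """Return the list of policy violations for a proposed PIN (empty = OK)."""
    reasons: List[str] = []
    if len(new_pin) < policy.min_length:
        reasons.append("too_short")
    if len(new_pin) > policy.max_length:
        reasons.append("too_long")
    if not new_pin.isalnum():
        reasons.append("invalid_character")
    # PINPad-style tokens only accept numeric PINs, whatever the policy allows.
    numeric_only = token_style == "pinpad" or not policy.alphanumeric
    if numeric_only and not new_pin.isdigit():
        reasons.append("numeric_only")
    if sum(c.isalpha() for c in new_pin) < policy.min_letters:
        reasons.append("min_letters")
    if sum(c.isdigit() for c in new_pin) < policy.min_digits:
        reasons.append("min_digits")
    if new_pin.lower() in policy.excluded_words:
        reasons.append("excluded_word")
    if policy.restrict_reuse and new_pin in history.recent_pins[-policy.restrict_reuse:]:
        reasons.append("reused")
    # Minimum Lifetime stops a user cycling through PINs to defeat Restrict Reuse.
    if policy.min_lifetime and now - history.last_changed < policy.min_lifetime:
        reasons.append("min_lifetime")
    return reasons


def pin_expired(policy: PinPolicy, history: PinHistory, now: datetime) -> bool:
    """True when Periodic Expiration (Maximum Lifetime) requires a PIN change."""
    if policy.max_lifetime is None:
        return False
    return now - history.last_changed >= policy.max_lifetime


# Constructed sample policy, history and clock values for the demonstration.
SAMPLE_POLICY = PinPolicy(min_length=4, max_length=8, alphanumeric=True,
                          min_letters=0, min_digits=1,
                          excluded_words=frozenset({"1234", "password"}),
                          restrict_reuse=3,
                          min_lifetime=timedelta(days=1),
                          max_lifetime=timedelta(days=90))
SAMPLE_HISTORY = PinHistory(recent_pins=["5566", "7788", "9900"],
                            last_changed=datetime(2024, 1, 1))
SAMPLE_NOW = datetime(2024, 1, 10)          # 9 days after the last change
TOO_SOON = datetime(2024, 1, 1, 12)         # 12 hours after the last change
MUCH_LATER = datetime(2024, 4, 15)          # 105 days after the last change

if __name__ == "__main__":
    for pin in ["1234", "7788", "ab12", "12", "ab1!", "abcd"]:
        print(pin, validate_pin(pin, SAMPLE_POLICY, SAMPLE_HISTORY, SAMPLE_NOW))
    print("pinpad ab12", validate_pin("ab12", SAMPLE_POLICY, SAMPLE_HISTORY,
                                      SAMPLE_NOW, token_style="pinpad"))
    print("change too soon", validate_pin("2222", SAMPLE_POLICY, SAMPLE_HISTORY, TOO_SOON))
    print("expired:", pin_expired(SAMPLE_POLICY, SAMPLE_HISTORY, MUCH_LATER))
```

Returning every violated rule rather than stopping at the first lets an administrator see which of the configured settings a rejected PIN actually tripped, which is the useful view when tuning a policy.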
Under Fixed Passcode Lifetime, do one of the following:
Select Use same settings from SecurID PIN if you want the fixed passcode and SecurID PIN lifetime settings to be the same.
Select Define separate settings if you want to specify different lifetime settings for the fixed passcode, and specify the differences.
Under Fixed Passcode Format, do one of the following:
Select Use same settings from SecurID PIN if you want the fixed passcode and SecurID PIN format settings to be the same.
Select Define separate settings if you want to specify different format settings for the fixed passcode, and specify the length, dictionary, and character requirements.
Under Emergency Access Code Format, specify the types of characters that you want to include in emergency access codes.