Occasionally, it is necessary to give a user temporary access to resources protected by RSA SecurID. For example, you can give temporary access to a user whose existing token has been lost or destroyed. Temporary access allows a user to access protected resources while waiting for a replacement token.
Emergency online authentication to RSA authentication agents is supported for RSA Authentication Manager users who lose or misplace the device that has the RSA SecurID Authenticate app. Authentication Manager does not support emergency online authentication for additional authentication on the Cloud Authentication Service.
This procedure provides a user with temporary emergency access using a temporary fixed tokencode.
A temporary fixed tokencode replaces the tokencode generated by the user's token. Like the regular tokencode, the temporary fixed tokencode is entered with the user's PIN to create a passcode. By using a PIN with the temporary fixed tokencode, the user can still achieve two-factor authentication. If the emergency access tokencode is issued for an RSA SecurID Authenticate app user, a PIN is not required. In this situation, the user enters only the emergency access tokencode.
In the Security Console, click Authentication > SecurID Tokens > Manage Existing.
On the Assigned tab, use the search fields to find the lost or destroyed token.
From the search results, click the lost or destroyed token, and from the context menu, select Emergency Access Tokencodes.
On the Manage Emergency Access Tokencodes page, select Online Emergency Access.
For Type of Emergency Access Tokencode(s), select Temporary Fixed Tokencode.
Click Generate New Code. The tokencode displays next to the Generate New Code button.
Record the emergency access tokencode so that you can communicate it to the user.
For Emergency Access Tokencode Lifetime, select No expiration, or select Expire on and specify an expiration date.
You may want to limit the length of time the one-time tokencode can be used. Because the one-time tokencode is a fixed code, it is not as secure as the pseudorandom number generated by a token.
For If Token Becomes Available, select one of the following options:
Deny authentication with token.
Select this option if the token is permanently lost or stolen. This option prevents the token from being used for authentication if recovered. This safeguards the protected resources in the event the token is found by an unauthorized individual who attempts to authenticate.
Allow authentication with token at any time and disable online emergency tokencode.
Select this option if the token is temporarily unavailable (for example, the user left the token at home). When the user recovers the token, he or she can immediately resume using the token for authentication. The online emergency access tokencode is disabled as soon as the recovered token is used.
Allow authentication with token only after the emergency code lifetime has expired and disable online emergency tokencode.
You can choose this option for misplaced tokens. When the missing token is recovered, it cannot be used for authentication until the online emergency access tokencode expires.
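The following added example is not RSA code and does not call any Authentication Manager API. It models how the Emergency Access Tokencode Lifetime and the three If Token Becomes Available options described above interact, so you can check at a given time which authenticator would be accepted. The class and method names are hypothetical, and treating the code as expired at the instant of the Expire on date is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Optional


class IfTokenAvailable(Enum):
    DENY = "Deny authentication with token"
    ALLOW_ANY_TIME = "Allow authentication with token at any time"
    ALLOW_AFTER_EXPIRY = "Allow authentication with token only after expiry"


@dataclass
class EmergencyAccess:
    """Hypothetical model of one token's online emergency access settings."""
    policy: IfTokenAvailable
    expires_on: Optional[datetime]  # None models "No expiration"
    token_used: bool = False        # set once the recovered token authenticates

    def code_expired(self, now: datetime) -> bool:
        return self.expires_on is not None and now >= self.expires_on

    def emergency_code_accepted(self, now: datetime) -> bool:
        if self.code_expired(now):
            return False
        # Both "Allow" options disable the emergency tokencode once the
        # recovered token has been used; "Deny" never lets the token be used.
        return not self.token_used

    def token_accepted(self, now: datetime) -> bool:
        if self.policy is IfTokenAvailable.DENY:
            return False
        if self.policy is IfTokenAvailable.ALLOW_AFTER_EXPIRY:
            # In this model, "No expiration" plus this option means the
            # token is never accepted, because the lifetime never ends.
            return self.code_expired(now)
        return True

    def authenticate_with_token(self, now: datetime) -> bool:
        ok = self.token_accepted(now)
        if ok:
            self.token_used = True
        return ok
```

With No expiration selected, `emergency_code_accepted` stays true until the token is used, which is the exposure the lifetime setting is meant to limit.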