Assign a Temporary Fixed Tokencode for Online Emergency Access

You can give a user temporary emergency access to resources protected by RSA Authentication Manager by sending the user a temporary fixed tokencode. This tokencode can be used when a user's SecurID Token or SecurID Authenticate app is temporarily unavailable and the user has network connectivity to RSA Authentication Manager.

If the user normally authenticates with this method The user enters
SecurID Token SecurID PIN + Temporary fixed tokencode
SecurID Authenticate app

Only temporary fixed tokencode - no PIN.

Note: A PIN might be required to view the tokencode on the mobile device, but this is not the SecurID PIN.

Note: A temporary fixed tokencode cannot be used to access resources protected by the Cloud Authentication Service.

You can assign a temporary fixed tokencode on any primary or replica instance.


  1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.

  2. On the Assigned tab, use the search fields to find the lost or destroyed token.

  3. From the search results, click the lost or destroyed token, and from the context menu, select Emergency Access Tokencodes.

  4. On the Manage Emergency Access Tokencodes page, select Online Emergency Access.

  5. For Type of Emergency Access Tokencode(s), select Temporary Fixed Tokencode.

  6. Click Generate New Code. The tokencode displays next to the Generate New Code button.

  7. Record the emergency access tokencode so that you can communicate it to the user.

  8. For Emergency Access Tokencode Lifetime, select either No expiration or select Expire on and specify an expiration date.

    You may want to limit the length of time the one time tokencode can be used. Because the onetime tokencode is a fixed code, it is not as secure as the pseudorandom number generated by a token.

  9. For If Token Becomes Available, select one of the following options:

    • Deny authentication with token.

      Select this option if the token is permanently lost or stolen. This option prevents the token from being used for authentication if recovered. This safeguards the protected resources in the event the token is found by an unauthorized individual who attempts to authenticate.

    • Allow authentication with token at any time and disable online emergency tokencode.

      Select this option if the token is temporarily unavailable (for example, the user left the token at home). When the user recovers the token, he or she can immediately resume using the token for authentication. The online emergency access tokencode is disabled as soon as the recovered token is used.

    • Allow authentication with token only after the emergency code lifetime has expired and disable online emergency tokencode.

      You can choose this option for misplaced tokens. When the missing token is recovered, it cannot be used for authentication until the online emergency access tokencode expires.

  10. Click Save.