Distribute One Software Token Using Dynamic Seed Provisioning

Dynamic seed provisioning uses the CT-KIP protocol to generate token data without the need for a token file. There are two ways to provision software tokens with CT-KIP:

  • Using a URL link to the CT-KIP server and the CT-KIP activation code.

  • Using a QR Code that encapsulates the CT-KIP URL and activation code. This method is recommended for higher security because the URL and activation code does not need to be sent in e-mail, and the user must authenticate to the Self-Service Console before scanning the QR Code.

    Note: The Scan QR Code option is not supported in the SecurID app on iOS 6. However, the Self-Service Console can be customized to allow users to request email delivery of CT-KIP URL if they cannot scan a QR Code .

Authentication Manager generates custom CT-KIP URLs or QR Codes for mobile platform device types, such as Android and iPhone.

Before you begin

  • If you are distributing the token using a CT-KIP URL link and activation code, consider that RSA Authentication Manager does not encrypt e-mail. For a more secure delivery option, you can do the following:

    • Provide the information offline, such as by calling the user on the telephone.

    • Copy the information into an e-mail that you encrypt.

    • Use a Simple Mail Transfer Protocol (SMTP) e-mail encryption gateway.

    • Distribute the token using a QR Code because no e-mail is involved.

  • Instruct users to install the RSA Software Token application on their devices. For installation instructions, see the documentation for the software token application.

  • Add a Software Token Profile
  • Assign Tokens to Users

RSA recommends that you replace the default certificates in Authentication Manager with trusted certificates. Otherwise, end users are prompted to accept untrusted certificates before proceeding. Certain mobile device platforms only support an SSL certificate with a server that has a trusted certificate installed. To use dynamic seed provisioning with CT-KIP, you must have a trusted certificate on your Authentication Manager server or web tiers.


  1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.

  2. Use the search fields to find the software token that you want to distribute.

  3. From the search results, click the software token that you want to distribute.

  4. From the context menu, click Distribute.

  5. From the Select Token Profile drop-down list, select a software token profile with one of the following delivery methods:

    • Dynamic Seed Provisioning (using URL)

    • Dynamic Seed Provisioning (using QR Code)

  6. In the DeviceSerialNumber field, do one of the following:

    • To bind the token to the device class, leave the default setting.

      For example, if you select a software token profile for Android devices, the default setting restricts the software tokens to any Android device that is supported by the RSA Authenticator applications.

    • To bind the token to a specific user device, clear the field and enter the device ID you obtained from the user. RSA recommends using a device-specific ID for a QR Code-enabled profile.

      You can either clear the device ID or leave the default setting. RSA Authentication Manager uses dynamic seed provisioning to verify the device class and obtain a device-specific ID from the user device.

  7. Enter a nickname or leave the Nickname field blank.

  8. From the CT-KIP Activation Code drop-down list, select an activation code for the software token. For QR Code delivery, the activation code is system-generated and cannot be changed.

  9. Click Save and Distribute.

After you finish

For delivery using CT-KIP URL and activation code, RSA Authentication Manager displays the URL link of the CT-KIP server and the unique, one-time token activation code. Do the following:

  1. Copy the activation code and CT-KIP URL and safely deliver them to the user.

  2. Instruct the user on how to import the token.

For delivery using QR Code, provide the user with the following instructions:

  1. Install the SecurID Software Token application, version 2.0 or higher, on the mobile device.

  2. Log on to the Self-Service Console from a device other than the one on which the SecurID app is installed.

  3. In the My Authenticators section of the My Accounts page, click Activate Your Token.

  4. Follow instructions in the Activate Your Token window to activate the token.

Note: If you configured the activation code to expire, advise the user to import the token before the expiration time. If the activation code expires before it is used, you must redistribute the token, and provide the CT-KIP URL and the new activation code to the user. Or, in the case of QR Code delivery, ask the user to log in to the Self-Service Console and scan the QR Code again.

Related Concepts

Software Token Distribution