SecurID Tokens

SecurID tokens offer SecurID two-factor authentication. An SecurID token is a hardware device or software-based security token that generates a 6-digit or 8-digit pseudorandom number, or tokencode, at regular intervals. When the tokencode is combined with a personal identification number (PIN), the result is called a passcode. Users enter passcode values, along with other security information, to verify their identity to resources protected by Authentication Manager.

Requiring these two factors, the tokencode and the PIN, is known as two-factor authentication:

  • Something you have (the token)

  • Something you know (the PIN)

If Authentication Manager validates the passcode, the user is granted access. Otherwise, the user is denied access. (To protect against the use of stolen passcodes, Authentication Manager checks that a passcode has not been used in any previous authentication attempt.)

There are two kinds of SecurID tokens, hardware tokens and software tokens:

  • Hardware tokens generate tokencodes using a built-in clock and the token’s factory-encoded random key. Hardware tokens come in several models.
  • Software tokens require an application that is specific to the intended device platform, such as a specific operating system on smart phones, computers, or tablets. Users obtains the software token symmetric key by scanning a QR code, importing an email attachment, or through some other approach. The software token applications generate tokencodes on the device and offer the same passcode functionality as hardware tokens.

An administrator can securely download a software token license XML file or receive a secure physical shipment with the required token license information for hardware or software tokens. Importing the token license XML file allows Authentication Manager to generate the correct tokencode when a SecurID authentication request is received from an authentication agent.

Authentication Manager logs the serial numbers of SecurID tokens used to authenticate. By default, Authentication Manager logs the serial number in the clear, but you can mask the serial numbers of tokens when logging to syslog or using SNMP if you want to avoid transmitting and recording the serial number in the clear. RSA recommends masking token serial numbers for added security.

You can assign up to three SecurID tokens to each authorized user on a protected system.

All tokens require similar administrative tasks. Following deployment, you can perform many token-related administrative tasks with the User Dashboard in the Security Console. For more information, see User Dashboard.

For deployments that have an Active Directory identity source, you can also manage hardware and software tokens with the RSA Token Management snap-in for the Microsoft Management Console (MMC). The RSA Token Management snap-in extends the context menus, property pages, control bars, and toolbars in the Active Directory Users and Computers snap-in. RSA Authenticator Tokencodes are not managed by the RSA Token Management snap-in.

By default, RSA provides hardware and software tokens that require a PIN and strongly recommends that you use PINs for all tokens. PINs provide the second factor in SecurID two-factor authentication. RSA Authentication Manager also supports authentication with tokens that do not require an SecurID PIN. The user can authenticate with the current tokencode only. In such a case, an alternative second factor, for example, a user’s network password, is used.

SecurID Hardware Tokens

The SecurID 700 Authenticator easily connects to any key ring. The user simply reads the changing display (typically every 60 seconds) and uses it as part of a dynamic and always-changing password.


You can use this token with Authentication Manager or the Cloud Authentication Service. This hardware token generates and displays a new tokencode at a predefined time interval, typically every 60 seconds.

When the Cloud Authentication Service is integrated with Authentication Manager, users with SecurID tokens can access SaaS and on-premises web applications and RADIUS clients protected by the Cloud Authentication Service. For more information, see Enable SecurID Token Users to Access Resources Protected by the Cloud Authentication Service.

To protect cloud-based resources when Authentication Manager is not deployed, you can assign SecurID700 hardware tokens to Cloud Authentication Service users and manage the tokens in the Cloud Administration Console. If you have a Cloud-only deployment and you want to enable hardware token, contact your RSA Sales representative or Channel Partner.

The following hardware tokens are no longer sold by RSA:

  • SecurID 800 Hybrid Authenticator

    The SecurID Authenticator SecurID 800 is both an SecurID authenticator and a USB smart card (USB token) with a built-in reader.

  • SecurID 520 Authenticator

    With this device, the user enters the PIN on a numeric keypad to display the passcode.

  • SecurID 200 Authenticator

SecurID Software Tokens

SecurID tokens are available in a software form-factor that you can install into an SecurID software token application on various devices.

The RSA Authentication Manager provides a centralized administration interface for issuing SecurID software tokens to the supported device types. You can add information to software tokens such as device type, device serial number, or token nickname using token extension fields.

For a complete list of SecurID software tokens versions supported by Authentication Manager 8.7 SP1, see the Product Version Life Cycle for SecurID Suite page on RSA Link.

For more information about the software token, see the documentation that accompanies individual SecurID software token products.