On-demand authentication (ODA) always requires a PIN to request a tokencode. You can set the initial PIN for the user. The following procedure is for a user who is not yet enabled for ODA.
In the Security Console, click Identity > Users > Manage Existing.
Use the search fields to find the user for whom you want to enable ODA and set an initial PIN.
Click the user.
Select SecurID Tokens.
Under On-Demand Authentication, select Enable User.
For Expiration Date, specify No expiration or the date when on-demand authentication expires.
For Send On-Demand Tokencodes to, specify the delivery method.
For Associated PIN, do one of the following:
Select Require user to setup the PIN through RSA Self-Service Console.
Select Set initial PIN to, and enter the initial PIN.
If you have set the initial PIN, securely communicate the initial PIN to the user.