Token Policy

A token policy defines users’ SecurID PIN lifetime and format, and fixed passcode lifetime and format, as well as how a deployment handles users or unauthorized people who enter a series of incorrect passcodes. A passcode is a SecurID PIN + a tokencode. The tokencode is the number displayed on the front of a SecurID token.

You assign token policies to security domains. The token policy applies to all users assigned to that security domain.

When a user authenticates with a token, the token policy being enforced belongs to the users’ security domain, rather than to the token’s security domain. For example, if a user assigned to the New York security domain authenticates with a token assigned to the Boston security domain, the token policy of the New York security domain dictates policy requirements.

Token policies assigned to upper-level security domains are not inherited by lower-level security domains. For example, if you assign a custom policy to the top-level security domain, all new security domains that you create below it in the hierarchy are still assigned the default token policy.

You need to balance security needs with consideration of what is reasonable to expect from users. Requiring a long PIN may be counterproductive and hard to remember, locking more users out of the network and generating calls to the Help Desk.

Add a Token Policy

A token policy determines SecurID PIN lifetime and format, and fixed passcode lifetime and format. A policy is assigned to each security domain and applies to all tokens assigned to users managed within that security domain.

Token policies also determine how to handle users or unauthorized people who enter a series of incorrect passcodes.

In a replicated deployment, changes to policies might not be immediately visible on the replica instance. This delay is due to the cache refresh interval. Changes should replicate within 10 minutes. For instructions to make changes take effect sooner on the replica instance, see Flush the Cache.

Procedure

  1. In the Security Console, click Authentication > Policies > Token Policies > Add New.

  2. In the SecurID Token Policy Name field, enter a unique name with 1 to 128 characters.

  3. For Incorrect Passcodes, specify how the system responds when a user enters an incorrect passcode.

    You can allow users to enter a limited or unlimited number of incorrect passcodes. When the limit is exceeded and followed by a correct passcode, users are prompted to enter the next tokencode that displays on their tokens.

    This setting guards against an unauthorized person attempting to guess a passcode. Even if the person guesses a correct passcode, he or she is prompted for the next tokencode and given only one chance to enter it correctly. If the person enters the next tokencode incorrectly, the user account is locked.

  4. For Default Policy, select Set as default SecurID token policy if you want to designate the new policy as the default policy for the deployment. This security policy is applied to all security domains in the deployment where SecurID Token Policy is set to Always Use Default. You can override the default policy for each security domain.

  5. (Optional) For Periodic Expiration, select Require periodic SecurID PIN changes if you want to require users to change their SecurID PINs after a specified length of time. If you select this option, specify the following:

    • For Maximum Lifetime, specify how often SecurID PINs must be changed.

    • For Minimum Lifetime, specify how long users must wait between SecurID PIN changes. This prevents users from bypassing the Restrict Re-use specification by repeatedly changing their SecurID PINs.

  6. (Optional) For Restrict Reuse, specify the number of recent SecurID PINs a user is restricted from reusing.

  7. For PIN Creation Method, select the method by which SecurID PINs are generated. You can choose that SecurID PINs be system-generated or allow users to create their own PINs.

    Note: RSA RADIUS does not allow system-generated PINs by default. If you allow system-generated PINs, authentications will fail unless you change the RADIUS configuration file, securid.ini, to allow system-generated PINs. For instructions, see Edit RADIUS Server Files.

  8. For Minimum Length, specify the minimum number of characters that a SecurID PIN can contain.

  9. For Maximum Length, specify the maximum number of characters that a SecurID PIN can contain.

  10. (Optional) If you want certain words to be disallowed as PINs, select a dictionary from the Excluded Words Dictionary drop-down list.

    For more information on the Excluded Words Dictionary, see Password Dictionary.

  11. For Character Requirements, specify whether the SecurID PIN must be numeric or alphanumeric and the minimum number of each character type required for a valid SecurID PIN. PINPad-style tokens only allow numeric PINs. Fob-style tokens allow alphanumeric PINs.

  12. Under Fixed Passcode Lifetime, do one of the following:

    • Select Use same settings from SecurID PIN if you want the fixed passcode and SecurID PIN lifetime settings to be the same.

    • Select Define separate settings if you want to specify different lifetime settings for the fixed passcode, and specify the differences.

  13. Under Fixed Passcode Format, do one of the following:

    • Select Use same settings from SecurID PIN if you want the fixed passcode and SecurID PIN format settings to be the same.

    • Select Define separate settings if you want to specify different format settings for the fixed passcode, and specify the length, dictionary, and character requirements.

  14. Under Emergency Access Code Format, specify the types of characters that you want to include in emergency access codes.

  15. Click Save.

Manage a Token Policy

You can edit information about the token policy, such as the name of the token policy, minimum and maximum lifetime information, and character requirements, move the token policy to a new security domain, or make other changes. You can also delete or duplicate a token policy.

Procedure

  1. In the Security Console, click Authentication > Policies > Token Policies > Manage Existing.

  2. Use the search fields to find the token policy that you want to manage.

    Task Description Procedure
    Edit a token policy

    When you edit a token policy, existing PINs and fixed passcodes are not validated against the excluded words dictionary and history requirements. They are, however, validated against all other policy requirements.

    1. Click the token policy that you want to edit, and click Edit.

    2. Make any necessary changes to the token policy.

    3. Click Save.

      If you have not saved your edits, you can click Reset to reset the policy as it was before you began editing.
    Delete a token policy

    When you delete a token policy, the policy is removed from the deployment and can no longer be assigned to security domains. Before you delete a token policy, make sure it is not assigned to a security domain. If you delete a token policy that is assigned to a security domain, that security domain will use the default token policy.

    You cannot delete the default token policy. If you want to delete the default token policy, you must first designate another token policy as the default

    1. Click the token policy that you want to delete.

    2. From the context menu, click Delete.

    3. Click OK.
    Duplicate a token policy If a token policy is assigned to more than one security domain and you want to change the policy for only one of the security domains, duplicate the existing policy and then re-assign it. For example, you can use this functionality to gradually phase in new security requirements, such as more frequent PIN changes.

    1. Click the token policy that you want to duplicate.

    2. From the context menu, click Duplicate.

    3. Click OK.

    4. You can make the necessary changes to the duplicate policy and assign the policy to the security domain you want to change.
    Change the default token policy

    When you install Authentication Manager, a default token policy is automatically created. You can edit this policy, or create a custom token policy and designate it as the default.

    Authentication Manager assigns the default policy to each new security domain. You can use the default token policy or assign a custom policy to each security domain. See Choose Policies for a Security Domain.

    Note: Changing a token policy may put every user in a deployment into new PIN mode.

    1. Click the policy that you want to set as the default.

    2. From the context menu, click Edit.

    3. Select the Default Policy checkbox to designate the new policy as the default policy for the deployment. This policy is then applied to all security domains that are configured to use the default policy.

    4. Click Save.