This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA SecurID® Access Discussions

Browse the SecurID Access discussion board to get product help and collaborate with other users of SecurID Access.
MichielSimon
Beginner
Beginner
‎2017-01-12 06:11 AM

How does extending SecurID Token Lifetime work?

Jump to solution

Hi,

 

I recently noticed our service desk started using the new RSA  AM v8.2 "Extend SecurID Token Lifetime" feature. Unfortunately, it seems users are unable to logon with these extended tokens (one expired 31/12/2016 and was extended, but user can't logon).

 

I've checked the manual on this feature but I still don't understand what this about or when/how to use it. I can't test atm because I have no tokens expiring soon (and for other tokens it says "The token cannot be extended. It has more than 15 day(s) remaining before token expiration.")

 

The manual says:

[...]

For example, a token that will expire in 15 days can be extended so that it will not expire for another 30 years. An unassigned token that expires in 30 years provides a new expiration date to the distributed token that was expiring in 15 days, and the unassigned token is deleted. The original, distributed token on the user device receives an extended lifetime in Authentication Manager.

 

Does this mean the extended token just "claims" one of the free non-extended tokens and uses its 'presence' to continue authentication? Thanks for helping out!! Regards,

 

Michiel

Labels (1)
Labels
0 Likes
Reply
1 Solution

Accepted Solutions
BrianTwomey
Employee
Employee
In response to MichielSimon
‎2017-01-12 10:56 AM

Jump to solution

Maybe this will help explain things:

 

pastedImage_1.png

pastedImage_2.png

View solution in original post

Reply
12 Replies
JayGuillette
Valued Contributor Valued Contributor
Valued Contributor
‎2017-01-12 10:08 AM

Jump to solution

This is a new feature, and only works on Soft Tokens that were distributed under AM 8.2 or later.  So if you distributed these software tokens back in AM 8.1 SP1 P15 or less, then upgraded to AM 8.2, you would have to distribute that software token again in order to extend it.

Basically both the AM server and the token need to know how to extend the lifetime, and that 'knowledge' was not included in software tokens distributed pre-8.2

0 Likes
Reply
MichielSimon
Beginner
Beginner
‎2017-01-12 10:20 AM

Jump to solution

Hi Jay,

 

Thanks for the info - that bit is all clear, however, I don't understand how the extension works technically. I mean, if I could just extend expiring tokens with another 30 years, we would never have to buy another token again. The way the manual describes it, we would never have to replace another token as they can simply be extended.

 

In the portal, I still see the token as "expired on 31/12/2016" but on the user's device, the expiry is now showing as 2035. Will the AM portal still authenticate this token? If not, then what did the "Extend Expiry" do? Hope you see my point!!


Thanks;

Michiel

Reply
BrianTwomey
Employee
Employee
In response to MichielSimon
‎2017-01-12 10:56 AM

Jump to solution

Maybe this will help explain things:

 

pastedImage_1.png

pastedImage_2.png

View solution in original post

Reply
JayGuillette
Valued Contributor Valued Contributor
Valued Contributor
In response to BrianTwomey
‎2017-01-12 12:04 PM

Jump to solution

I knew there was a reason I sit across from Brian!

0 Likes
Reply
EdwardDavis
Employee
Employee
‎2017-01-12 01:57 PM

Jump to solution

To your question:

 

Does this mean the extended token just "claims" one of the free non-extended tokens and uses its 'presence' to continue authentication?

 

 

Yes on the RSA server, the expiring token 'claims' the expire date of the new token.

 

The end user experience is they install the token once, and never deal with installing

it ever again, and it never expires on their device.

 

All the user notices if you do not extend the token past is expire date, is logins start to fail, whereas before

version 8.2, the end user would have the software token app tell them the token is expired.

Reply
MichielSimon
Beginner
Beginner
‎2017-01-12 03:49 PM

Jump to solution

Thanks for your comments all - very useful information! Also about the tip regarding authentication "suddenly" failing will definitely come in handy as neither users nor helpdesk will understand why the token kept on going regardless of its (server-side) expiry date.

 

Cheers!

0 Likes
Reply
MichielSimon
Beginner
Beginner
‎2017-01-13 08:47 AM

Jump to solution

Just one last question - is it correct that the token that is used as "Extension token" (so the one with a future expiry date, which is 'borrowed' by the already-expired token) cannot be found anymore in either the "Assigned tokens" or the "Unassigned tokens" overview?

 

It shows up when I dig up the old/expired token and then check the "Extension token" field, but when doing a search, it's almost as if the token has disappeared - is this by design?! Tx!

0 Likes
Reply
BrianTwomey
Employee
Employee
In response to MichielSimon
‎2017-01-13 08:55 AM

Jump to solution

Yes, that is correct. The token that was used to extend the life of the existing token is removed from the system.

Reply
MichielSimon
Beginner
Beginner
In response to BrianTwomey
‎2017-01-13 09:01 AM

Jump to solution

Thanks - I indeed see the extension token does not even return when unassigning the initial token from the user. It's almost as if the 2 tokens were merged, leaving just a record of the old token (and the extended token actually inherits the deleted token's expiry date).


Cheers for the help!!

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.