This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA SecurID® Access Discussions

Browse the SecurID Access discussion board to get product help and collaborate with other users of SecurID Access.
GeorgeNathaniel
Beginner
Beginner
‎2017-01-25 08:04 AM

Replacing expiring tokens via Self Sevice

Jump to solution

Hi All, 

 

We have a high number of tokens expiring soon and this is our first time using our new 8.1 self service portal for replacement.   One thing we are noticing in testing is that the users can definitely go on the site, hit replace and get a CTKIP activation email with the new token activation details... 

 

We are only deploying desktop PC and MAC tokens

 

After the user goes through the activation process, the token gets imported and the process completes. 

 

The issue is it appears that the old token is still retained as the current token and the new one shows as "Pending Replacement" 

Does anyone know if this is by design?  It would make sense that the new token will not become active until the current token actually expires in a few days. 

 

If this isn't the correct behavior... what else does the user need to do to activate the new token and begin using it?  

 

Thanks 

 

Version 8.1 r14

Labels (1)
Labels
0 Likes
Reply
1 Solution

Accepted Solutions
EdwardDavis
Employee
Employee
‎2017-01-25 08:23 AM

Jump to solution

By design:

 

when you get a replacement token, user now has two tokens assigned, an O and an R

 

the original one (O) keeps working until

 

a) it expires

or

b) you actually use the replacement token (R) with the original token pin to log in

 

Default policy unassigns the (O) token only when (R) is first used (even if (O) still has life left)

and (O) goes to the unassigned pile, and is disabled.

 

Also by default, (R) inherits the (O) token pin. But you can change policy to 

require a new pin with the (R) token, or delete the (O) token from the

system when (R) is first used successfully.

View solution in original post

Reply
2 Replies
EdwardDavis
Employee
Employee
‎2017-01-25 08:23 AM

Jump to solution

By design:

 

when you get a replacement token, user now has two tokens assigned, an O and an R

 

the original one (O) keeps working until

 

a) it expires

or

b) you actually use the replacement token (R) with the original token pin to log in

 

Default policy unassigns the (O) token only when (R) is first used (even if (O) still has life left)

and (O) goes to the unassigned pile, and is disabled.

 

Also by default, (R) inherits the (O) token pin. But you can change policy to 

require a new pin with the (R) token, or delete the (O) token from the

system when (R) is first used successfully.

View solution in original post

Reply
GeorgeNathaniel
Beginner
Beginner
‎2017-01-25 08:37 AM

Jump to solution

Thanks for the response... it felt like it was by design.  We just went through the process of using the new Token to connect and sure enough it became the default and removed the expiring token, so we are good.

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.