This article provides steps on how to have one RSA SecurID software token installed on multiple devices.
It is possible to have one token be used by multiple devices (and possibly multiple users that are using the same login ID), and some customers may choose to do this for financial reasons. However this has implications for operations (device clock issues), and can potentially create a serious security vulnerability. RSA Security recommends that each user and each device use their own software token. If it is still required to have users/devices share tokens in spite of the problems above, here are ways to make it work.
Authentication Manager 7.1
When the token is first issued and distributed, use a device type of Generic AES 128, and Issue the token as an .sdtid token file.
The token file generated must be carefully secured, as this can be imported into any type of software token device (may need additional post-processing).
If the file is no longer available, it can be redistributed to generate the same tokencodes, by making sure the checkbox for regenerate the tokencodes is NOT checked. Note that this option must be selected before the token is first issued.
If the checkbox to regenerate tokencodes is checked it is possible to wipe out all assigned tokens, causing authentication failures for all users and the requirement to reassign all tokens.
Authentication Manager 8.x
RSA Authentication Manager 8.x no longer includes the option to NOT regenerate the token when distributing, as this can create a security vulnerability. The only choices are to have the old .sdtid file stored and distributed very securely, or to create a new file and distribute to all devices.
RSA recommends that a unique software token is used for each user and each device.
CT-KIP will regenerate the seeds during the negotiation steps, which will make the token on the original device on which it was installed invalid.