Distribute Multiple Software Tokens Using Dynamic Seed Provisioning (CT-KIP)

Dynamic seed provisioning uses the CT-KIP protocol to generate token data without the need for a token file. There are two ways to provision software tokens with CT-KIP:

  • Using a URL link to the CT-KIP server and the CT-KIP activation code.

  • Using a QR Code that encapsulates the CT-KIP URL and activation code. This method is recommended for higher security because the URL and activation code does not need to be sent in e-mail, and the user must authenticate to the Self-Service Console before scanning the QR Code.

    Note: The Scan QR Code option is not supported in the RSA SecurID app on iOS 6. However, the Self-Service Console can be customized to allow users to request email delivery of CT-KIP URL if they cannot scan a QR Code.

Authentication Manager generates custom CT-KIP URLs or QR Codes for mobile platform device types, such as Android and iPhone.

Before you begin

  • If you are distributing the tokens using a CT-KIP URL link and activation codes, consider that RSA Authentication Manager does not encrypt e-mail. For a more secure delivery option, you can do the following:

    • Provide the information offline, such as by calling the users on the telephone.

    • Copy the information into e-mail that you encrypt.

    • Use a Simple Mail Transfer Protocol (SMTP) e-mail encryption gateway if the end-user device supports encrypted e-mail.

    • Distribute the tokens using QR Code because no e-mail is involved.

  • Instruct users to install the software token application on their devices. For installation instructions, see the documentation for the software token application.

  • Assign Tokens to Users

  • Add a Software Token Profile. Your Super Admin must add a software token profile.
  • RSA recommends that you replace the default certificates in Authentication Manager with trusted certificates. If you do not replace the default certificates, end users are prompted to accept untrusted certificates before proceeding. If you want to use dynamic seed provisioning with CT-KIP, you must have a trusted certificate on the Authentication Manager server or web-tiers.

Note: When you redistribute tokens using this method, any existing users of these tokens may no longer be able to authenticate. Users must import the new token data before they can authenticate.


  1. In the Security Console, click Authentication > SecurID Tokens > Distribute Software Tokens in Bulk > Generate Dynamic Seed Provisioning Credentials.

  2. In the Job Name field, enter a name for the job, or accept the default name. The job is saved with this name so that you can review the details of the job later. The name must be a unique name from 1 to 128 characters.

  3. From the Software Token Profile drop-down list, select a software token profile with dynamic seed provisioning as the delivery method.

  4. In the DeviceSerialNumber field, do one of the following:

    • To bind (restrict) the distributed software tokens to a device class, leave the default setting. For example, if you select a software token profile for Android devices, the default setting restricts the software tokens to any Android device that is supported by the SecurID app.

    • You can either clear the device ID or leave the default setting. RSA Authentication Manager uses dynamic seed provisioning to verify the device class and obtain device-specific IDs from the user devices. Each device-specific ID binds the software token to a specific device.

  5. Enter a nickname or leave the Nickname field blank.

  6. Click Next.

  7. Enter the software token selection criteria to find the tokens that you want to distribute. For example, enter the range of serial numbers for the tokens that you want to distribute.

  8. Click Next.

  9. Review the distribution summary and click Submit Job.

  10. Click the Completed tab to view completed jobs.

  11. Click the job with which you want to work.

  12. From the context menu, click Download Output File.

  13. Save the output file to your machine.

  14. Open the output file.

    Note: When you download the output file, some spreadsheet applications will remove the leading zeroes from the activation codes. To import activation codes successfully, open the file in an application that does not remove any characters, such as a text editor, to copy the activation code accurately.

After you finish

For delivery using the CT-KIP URL and activation code, do the following:

  1. In the output file, copy the activation codes and CT-KIP URL and safely deliver them to the users.

  2. Instruct users on how to import tokens.

For delivery using QR Code, provide users with the following instructions:

  1. Install the RSA SecurID Software Token application, version 2.0 or higher, on their mobile device.

  2. Log on to the Self-Service Console from a device other than the one on which the RSA SecurID app is installed.

  3. On the My Account page, click Activate your token under My Authenticators, and then follow instructions to activate the RSA SecurID software token.

Note: If you configured activation codes to expire, advise users to import tokens before the expiration time. If the activation codes expire before they are used, you must redistribute the tokens, and provide the CT-KIP URL and new activation codes to users. Or, in the case of QR code delivery, ask users to log in to the Self-Service Console and scan the QR Code again.