Emergency Access for RSA Authentication Manager Users

You can provide online or offline emergency access to resources protected by RSA Authentication Manager in the following situations.

Online emergency access applies when:

  • The user's RSA SecurID Token or RSA SecurID Authenticate app is unavailable.

  • The user's device can reach the Authentication Manager server over the network.

Available methods: temporary fixed tokencode, or a set of one-time tokencodes. See Tokencodes for Online Emergency Access.

Offline emergency access applies when:

  • The user's RSA SecurID Token is unavailable, or the user forgot his or her RSA SecurID PIN.

  • The user's Windows device cannot reach the Authentication Manager server over the network.

Available methods: offline emergency access tokencode (token unavailable), or offline emergency passcode (PIN forgotten). See Tokencodes for Offline Emergency Access.

Note: These emergency access methods cannot be used to access resources protected by the Cloud Authentication Service.

Tokencodes for Online Emergency Access

There are two types of online emergency access tokencodes. Each tokencode is an 8-character alphanumeric code generated by Authentication Manager. The user's device must be able to reach Authentication Manager on the network.

Users must have been assigned a valid, unexpired RSA SecurID Token before they receive an online emergency access tokencode. If a user's token has expired, first assign a new token and then provide temporary access.

Temporary fixed tokencode
  • Can be used more than once.

  • When the user's RSA SecurID Token is unavailable, the user must enter this tokencode with the RSA SecurID PIN. When the Authenticate app is unavailable, the user enters only the temporary fixed tokencode. A PIN might be required to view the tokencode on the mobile device, but this is not the RSA SecurID PIN.

  • You set an expiration date, or allow no expiration.

  • Is displayed on the Self-Service Console.

For instructions, see Assign a Temporary Fixed Tokencode.

One-time tokencode
  • Issued in sets.

  • You can determine the number of tokencodes in a set.

  • RSA SecurID users must enter this tokencode with the RSA SecurID PIN to perform two-factor authentication. Authenticate app users enter this tokencode without a PIN. A PIN might be required to view the tokencode on the mobile device, but this is not the RSA SecurID PIN.

  • Is displayed on the Self-Service Console.

  • Users can download the set of one-time tokencodes in a file.

  • Each tokencode in the set can only be used once.

For instructions, see Assign a Set of One-Time Tokencodes.

Users can also use the Self-Service Console to request temporary access to Authentication Manager without the assistance of an administrator. For more information, see RSA Self-Service Overview.

Online Emergency Access Tokencode Format

When online emergency access is used because the user's RSA SecurID token is unavailable, the token policy of the associated security domain determines the format of the online emergency access tokencode. For example, if the security domain’s token policy allows special characters, the online emergency access tokencode can include special characters.

This token policy is not considered when the online emergency access method is used in place of the Authenticate app.

Tokencodes for Offline Emergency Access

Offline emergency access is intended for when the user cannot access the Authentication Manager server on the network. You must provide the emergency offline authentication codes in advance, when the user has online connectivity. The system generates and downloads an offline passcode or tokencode to the user's Windows device before the user needs it. These codes cannot be sent to a user who is offline.

Note: These methods cannot be used in place of the Authenticate app.

Offline emergency access tokencode

  • Used when the user's RSA SecurID Token is unavailable.

  • The user must enter the offline emergency access tokencode with the RSA SecurID PIN to perform two-factor authentication.

  • Can also be used for online authentication, if you select Use offline code for online access.

    For instructions, see Provide an Offline Emergency Access Tokencode.

Offline emergency passcode

  • Used when the user forgot his or her RSA SecurID PIN.

  • Entered in place of the user's PIN and tokencode.

    For instructions, see Provide an Offline Emergency Passcode.

Assign a Temporary Fixed Tokencode for Online Emergency Access

You can give a user temporary emergency access to resources protected by RSA Authentication Manager by sending the user a temporary fixed tokencode. This tokencode can be used when a user's RSA SecurID Token or RSA SecurID Authenticate app is temporarily unavailable and the user has network connectivity to RSA Authentication Manager.

If the user normally authenticates with an RSA SecurID Token, the user enters: RSA SecurID PIN + temporary fixed tokencode.

If the user normally authenticates with the RSA SecurID Authenticate app, the user enters only the temporary fixed tokencode, with no PIN.

Note: A PIN might be required to view the tokencode on the mobile device, but this is not the RSA SecurID PIN.

Note: A temporary fixed tokencode cannot be used to access resources protected by the Cloud Authentication Service.

You can assign a temporary fixed tokencode on any primary or replica instance.

Procedure

  1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.

  2. On the Assigned tab, use the search fields to find the token that is unavailable (lost, destroyed, or left behind).

  3. From the search results, click the lost or destroyed token, and from the context menu, select Emergency Access Tokencodes.

  4. On the Manage Emergency Access Tokencodes page, select Online Emergency Access.

  5. For Type of Emergency Access Tokencode(s), select Temporary Fixed Tokencode.

  6. Click Generate New Code. The tokencode displays next to the Generate New Code button.

  7. Record the emergency access tokencode so that you can communicate it to the user.

  8. For Emergency Access Tokencode Lifetime, select either No expiration or select Expire on and specify an expiration date.

    Limit the length of time the temporary fixed tokencode can be used. Because it is a fixed code that can be entered repeatedly, it is less secure than the pseudorandom tokencode generated by a token.

  9. For If Token Becomes Available, select one of the following options:

    • Deny authentication with token.

      Select this option if the token is permanently lost or stolen. This option prevents the token from being used for authentication if recovered. This safeguards the protected resources in the event the token is found by an unauthorized individual who attempts to authenticate.

    • Allow authentication with token at any time and disable online emergency tokencode.

      Select this option if the token is temporarily unavailable (for example, the user left the token at home). When the user recovers the token, he or she can immediately resume using the token for authentication. The online emergency access tokencode is disabled as soon as the recovered token is used.

    • Allow authentication with token only after the emergency code lifetime has expired and disable online emergency tokencode.

      You can choose this option for misplaced tokens. When the missing token is recovered, it cannot be used for authentication until the online emergency access tokencode expires.

  10. Click Save.

Assign a Set of One-Time Tokencodes for Online Emergency Access

You can provide online emergency access for a user whose RSA SecurID Token or RSA SecurID Authenticate app is temporarily unavailable by assigning a set of one-time tokencodes. Each one-time tokencode can be used once in place of the user's missing token. The set of tokencodes allows a user to authenticate multiple times without contacting an administrator each time.

RSA SecurID users must enter the one-time tokencode with the RSA SecurID PIN to perform two-factor authentication. Authenticate app users enter the one-time tokencode without a PIN. (A PIN might be required to view the tokencode on the mobile device, but this is not the RSA SecurID PIN.)

The user's device must be able to reach RSA Authentication Manager over the network when a one-time tokencode is used.

You can assign a set of one-time tokencodes on any primary or replica instance.

Note: One-time tokencodes can only be used to access resources protected by Authentication Manager. They cannot be used to access resources protected by the Cloud Authentication Service.

Before you begin

Users must already have been assigned a valid (not expired) RSA SecurID token before you send them sets of one-time tokencodes. This requirement also applies to users who will use a one-time tokencode in place of the Authenticate app.

Procedure

  1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.

  2. Use the search fields to find the appropriate token.

  3. From the search results, click the token with which you want to work.

  4. From the context menu, click Emergency Access Tokencodes.

  5. On the Manage Emergency Access Tokencodes page, select the Online Emergency Access checkbox to enable authentication with an online emergency access tokencode.

  6. Select Set of One-Time Tokencodes.

  7. Enter the number of tokencodes that you want to generate.

  8. Click Generate Codes. The set of tokencodes displays below the Generate Codes button.

  9. Record the set of one-time tokencodes so you can communicate them to the user.

  10. Select one of the following options for the Emergency Access Tokencode Lifetime:

    • No expiration.

    • Set an expiration date for the tokencode.

  11. In the If Token Becomes Available field, configure how Authentication Manager handles lost or unavailable tokens that become available.

    • Deny authentication with the recovered token.

      If a token is permanently lost or stolen, deny authentication with the recovered token so that it cannot be used for authentication if recovered by an unauthorized individual. This is essential if the lost token does not require a PIN.

    • Allow authentication with the recovered token while simultaneously disabling the emergency access tokencode.

    • Allow authentication with the recovered token only after the emergency access tokencode has expired.

  12. Click Save.
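To make the lifecycle rules in the two procedures above concrete (a temporary fixed tokencode that is reusable until it expires, one-time tokencodes that are each accepted exactly once, the Emergency Access Tokencode Lifetime, and the three If Token Becomes Available options), here is an added Python model. It is an illustration written for this page, not RSA's implementation: the PINs, tokencodes and dates are constructed, and the names EmergencyAccess, verify_emergency and verify_recovered_token are assumptions that mirror the Security Console labels rather than any Authentication Manager API.

```python
"""Added model of online emergency access semantics (not RSA code).
PINs, tokencodes, dates and all names are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum
import secrets


class IfTokenAvailable(Enum):
    """The three 'If Token Becomes Available' options in the Security Console."""
    DENY_TOKEN = "deny authentication with token"
    ALLOW_AND_DISABLE_CODE = "allow token at any time, disable emergency tokencode"
    ALLOW_AFTER_CODE_EXPIRES = "allow token only after emergency code lifetime expires"


@dataclass
class EmergencyAccess:
    pin: str | None                        # RSA SecurID PIN; None = Authenticate app user (no PIN)
    fixed_code: str | None = None          # temporary fixed tokencode (reusable)
    one_time_codes: set[str] = field(default_factory=set)   # unused codes from the set
    expires_on: date | None = None         # None models "No expiration"
    on_recovery: IfTokenAvailable = IfTokenAvailable.DENY_TOKEN
    disabled: bool = False                 # set when a recovered token is used
    used_codes: list[str] = field(default_factory=list)     # consumed codes, for audit


def _expired(ea: EmergencyAccess, today: date) -> bool:
    return ea.expires_on is not None and today > ea.expires_on


def verify_emergency(ea: EmergencyAccess, submitted: str, today: date) -> bool:
    """Accept PIN + emergency tokencode (token users) or the bare tokencode (app users)."""
    if ea.disabled or _expired(ea, today):
        return False
    if ea.pin is not None:
        if not submitted.startswith(ea.pin):
            return False                   # two-factor: the PIN is still required
        code = submitted[len(ea.pin):]
    else:
        code = submitted
    if ea.fixed_code is not None and secrets.compare_digest(
            code.encode(), ea.fixed_code.encode()):
        return True                        # fixed code: reusable until it expires
    if code in ea.one_time_codes:
        ea.one_time_codes.remove(code)     # each one-time code is accepted exactly once
        ea.used_codes.append(code)
        return True
    return False


def verify_recovered_token(ea: EmergencyAccess, token_passcode_ok: bool, today: date) -> bool:
    """Apply the on_recovery option when the real token reappears.

    token_passcode_ok stands in for the normal PIN + tokencode check,
    which is outside this model."""
    if not token_passcode_ok:
        return False
    if ea.on_recovery is IfTokenAvailable.DENY_TOKEN:
        return False                       # lost or stolen: recovered token stays unusable
    if ea.on_recovery is IfTokenAvailable.ALLOW_AND_DISABLE_CODE:
        ea.disabled = True                 # first token use retires the emergency tokencode
        return True
    return _expired(ea, today)             # ALLOW_AFTER_CODE_EXPIRES


if __name__ == "__main__":
    # Constructed walk-through: a user whose token was misplaced on 2024-06-01.
    ea = EmergencyAccess(pin="2468", fixed_code="A1B2C3D4",
                         one_time_codes={"ZZZZ1111", "YYYY2222"},
                         expires_on=date(2024, 6, 30),
                         on_recovery=IfTokenAvailable.ALLOW_AFTER_CODE_EXPIRES)
    today = date(2024, 6, 1)
    print(verify_emergency(ea, "2468ZZZZ1111", today))   # True, code now consumed
    print(verify_emergency(ea, "2468ZZZZ1111", today))   # False, replay rejected
    print(verify_recovered_token(ea, True, today))       # False until 2024-06-30 passes
```

One consequence the model makes visible: with the "allow authentication with token only after the emergency code lifetime has expired" option and No expiration selected, the recovered token never becomes usable again, so that option only makes sense together with an Expire on date.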

Emergency Offline Authentication

Offline authentication provides emergency access for RSA SecurID for Windows users who must authenticate while their Windows device cannot reach Authentication Manager. These are users with misplaced, lost, or stolen tokens, or users who have forgotten their PIN. Temporary emergency access can be provided in two ways:

  • Offline emergency access tokencode. Use this option if the user's token is unavailable. The offline emergency access tokencode is used with the user's PIN.
  • Offline emergency passcode. Use this option if the user has forgotten his or her PIN. The offline emergency passcode is used in place of the user's PIN and tokencode.

For offline authentication, the system generates and downloads an offline passcode or tokencode to the user's Windows device before the user needs it, so emergency offline authentication codes must be provided in advance, while the user is online. Authentication codes cannot be sent to a user who is offline.

If a user has an expired token, assign a new token, and then provide temporary access.

Note: Offline emergency access is not supported for users with RSA SecurID Authenticate Tokencodes because RSA Authentication Manager must be available to send the authentication request to the RSA SecurID Access identity router.

Provide an Offline Emergency Access Tokencode

A user needs offline emergency access when the user's Windows device cannot contact the Authentication Manager server through the network and the user's RSA SecurID Token is unavailable, or the user forgot his or her PIN.

You can provide an offline emergency access tokencode to replace the tokencode generated by the user's RSA SecurID Token. The user must enter the offline emergency access tokencode with the RSA SecurID PIN to perform two-factor authentication.

You can configure the following:

  • Specify that a new offline emergency access tokencode is downloaded the next time the user authenticates online.

  • Allow the offline emergency access tokencode to be used for online and offline authentication.

You can provide an offline emergency access tokencode on any primary or replica instance.

Before you begin

  • The user’s security domain must allow offline authentication and permit the user to download offline emergency access tokencodes.

  • The user must have authenticated to an agent that supports offline authentication, and the agent must have downloaded days of offline authentication data.

Procedure

  1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.

  2. Use the search fields to find the token for the user who needs an offline emergency access tokencode.

  3. From the search results, click the token.

  4. From the context menu, click Emergency Access Tokencodes.

  5. On the Manage Emergency Access Tokencodes page, note the Offline Emergency Access Tokencode and its expiration date.

  6. Select Reset Offline Emergency Access Tokencode, if you want the user to download a new offline emergency access tokencode the next time he or she authenticates online. If selected, the new tokencode downloads automatically.

  7. Click Use offline code for online access, if you want the offline emergency access tokencode used for online authentication.

  8. Click Save.

Provide an Offline Emergency Passcode

You can provide users with an offline emergency passcode to use under the following conditions:

  • The user's RSA SecurID Token is unavailable, or the user forgot his or her PIN.

  • The user's Windows device cannot contact the Authentication Manager server through the network.

An offline emergency passcode cannot be used to access resources protected by the Cloud Authentication Service.

Before you begin

Confirm the following:

  • The user’s security domain allows offline authentication and permits the user to download offline emergency access tokencodes.

  • The user has authenticated to an agent that supports offline authentication and the agent has downloaded days of offline authentication data.

Procedure

  1. In the Security Console, click Identity > Users > Manage Existing.

  2. Use the search fields to find the user who needs an offline emergency passcode.

  3. From the search results, click the user.

  4. From the context menu, click Manage Emergency Offline Access.

  5. On the Manage Emergency Access Passcodes page, note the Offline Emergency Passcode and its expiration date.

  6. Select Reset Offline Emergency Access Passcode, if you want the user to download a new offline emergency passcode the next time he or she authenticates online. If selected, the new passcode downloads automatically.

  7. Click Update.

Configure the Maximum Lifetime for New Emergency Access Tokencodes

You can use the auth_manager.admin.eatokencode_expire_days global configuration value to set the maximum number of days that new Emergency Access Tokencodes can remain active. When a user or administrator activates a new Emergency Access Tokencode, they will not be allowed to set the expiration date later than the maximum lifetime you specify.

Procedure

Run the following command and then restart Authentication Manager services:

./rsautil store -a add_config auth_manager.admin.eatokencode_expire_days days_value GLOBAL 501

where days_value is the maximum number of days that new Emergency Access Tokencodes can remain active.

Edit Fixed Passcode Lifetime and Format

Fixed passcode lifetime and format requirements are controlled by token policies assigned to each security domain. To change the fixed passcode lifetime and format settings for a security domain, you must edit the assigned token policy.

Before you begin

Decide whether to use separate lifetime and format settings for SecurID PINs and fixed passcodes. You can change the SecurID PIN settings and apply them to fixed passcodes, or you can maintain separate settings for PINs and fixed passcodes.

Procedure

  1. In the Security Console, click Authentication > Policies > Token Policies > Manage Existing.

  2. Use the search fields to find the token policy that you want to edit.

  3. From the search results, click the token policy that you want to edit.

  4. From the context menu, click Edit.

  5. (Optional) In the SecurID PIN Lifetime section, do the following:

    • Select the Periodic Expiration checkbox if you want the SecurID PIN to expire after a specified length of time. This enables the Maximum and Minimum Lifetime fields.

    • In the Maximum Lifetime field, specify how often a PIN must be changed.

    • In the Minimum Lifetime field, specify how long users must wait between PIN changes.

    • In the Restrict Re-use field, specify the number of recent PINs a user is restricted from reusing.

  6. (Optional) In the SecurID PIN Format section, do the following:

    • Use the PIN Creation Method radio buttons to select the method by which SecurID PINs are generated. PINs can be system-generated or users can create their own fixed PINs.

    • Use the Minimum Length field to specify the minimum number of characters that a PIN can contain.

    • Use the Maximum Length field to specify the maximum number of characters that a PIN can contain.

    • If you want certain words to be disallowed as PINs, from the Excluded Words Dictionary drop-down list, select a dictionary.

    • In the Character Requirements fields, choose whether to require numeric PINs or allow alphanumeric PINs. If you chose to allow alphanumeric PINs, you must enter the minimum number of each character type required for a valid PIN.

    • In the Fixed Passcode Lifetime section, you can copy the settings from the SecurID PIN Lifetime section or you can define separate settings for fixed passcodes.

  7. To define separate fixed passcode lifetime settings, do the following:

    • Select the Periodic Expiration checkbox if you want the fixed passcode to expire after a specified length of time. This enables the Maximum and Minimum Lifetime fields.

    • In the Maximum Lifetime field, specify how often a fixed passcode must be changed.

    • In the Minimum Lifetime field, specify how long users must wait between fixed passcode changes.

    • In the Restrict Re-use field, specify the number of recent fixed passcodes a user is restricted from reusing.

    • In the Fixed Passcode Format section, you can copy the settings from the SecurID PIN Format section or you can define separate settings for fixed passcodes.

  8. To define separate fixed passcode format settings, do the following:

    • Use the Minimum Length field to specify the minimum number of characters that a fixed passcode can contain.

    • Use the Maximum Length field to specify the maximum number of characters that a fixed passcode can contain.

    • If you want certain words to be disallowed as fixed passcodes, from the Excluded Words Dictionary drop-down list, select a dictionary.

    • In the Character Requirements fields, choose the type of characters to allow. If you choose to allow alphanumeric fixed passcodes, you must enter the minimum number of each character type required for a valid fixed passcode.

  9. Click Save.

Edit Emergency Access Code Format Requirements

Emergency access code format requirements are controlled by token policies assigned to each security domain. To change the format settings for a security domain, you must edit the assigned token policy.

Procedure

  1. In the Security Console, click Authentication > Policies > Token Policies > Manage Existing.

  2. Use the search fields to find the token policy that you want to edit.

  3. From the search results, click the token policy that you want to edit.

  4. From the context menu, click Edit.

  5. In the Emergency Access Code Format section, select the types of characters that you want to require for emergency access codes.

  6. Click Save.
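The token-policy settings described under Online Emergency Access Tokencode Format, Edit Fixed Passcode Lifetime and Format, and Edit Emergency Access Code Format Requirements can be expressed as a small validator, which shows concretely what minimum/maximum length, the character requirements, Restrict Re-use, Minimum and Maximum Lifetime, and the required character classes for emergency access codes mean when a PIN change or a generated code is checked. The following Python is an added illustration written for this page, not RSA's policy engine: PinPolicy, EmergencyCodePolicy, the SPECIALS set and every field name are assumptions that mirror the Security Console labels, and the sample PINs and codes are constructed. The same PinPolicy checks apply unchanged to fixed passcodes when a token policy defines separate settings for them.

```python
"""Added model of the token-policy checks above (not RSA code).
Policy field names, the SPECIALS set and all sample values are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
import secrets
import string

SPECIALS = "!@#$%^&*"                       # assumed special-character set


@dataclass(frozen=True)
class PinPolicy:
    """SecurID PIN (or fixed passcode) lifetime and format settings."""
    min_length: int = 4
    max_length: int = 8
    alphanumeric: bool = False              # False: numeric PINs only
    min_letters: int = 0                    # character requirements (alphanumeric only)
    min_digits: int = 0
    excluded_words: frozenset[str] = frozenset()
    periodic_expiration: bool = True
    max_lifetime_days: int = 90             # how often the PIN must be changed
    min_lifetime_days: int = 1              # wait between changes
    restrict_reuse: int = 3                 # recent PINs that may not be reused


@dataclass(frozen=True)
class EmergencyCodePolicy:
    """Emergency Access Code Format: which character classes are required."""
    length: int = 8                         # page: 8-character code
    allow_special: bool = False             # set by the security domain's token policy
    required_classes: frozenset[str] = frozenset({"upper", "digit"})


CLASS_TESTS = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "special": lambda c: c in SPECIALS,
}


def check_pin(new_pin: str, policy: PinPolicy, recent_pins: list[str] = (),
              last_changed: date | None = None, today: date | None = None) -> list[str]:
    """Return the policy violations for a proposed PIN change; an empty list means accepted."""
    problems = []
    if not policy.min_length <= len(new_pin) <= policy.max_length:
        problems.append("length")
    if policy.alphanumeric:
        if not new_pin.isalnum():
            problems.append("characters")
        if sum(c.isalpha() for c in new_pin) < policy.min_letters:
            problems.append("min letters")
        if sum(c.isdigit() for c in new_pin) < policy.min_digits:
            problems.append("min digits")
    elif not new_pin.isdigit():
        problems.append("numeric only")
    if new_pin.lower() in policy.excluded_words:
        problems.append("excluded word")   # Excluded Words Dictionary
    if policy.restrict_reuse and new_pin in list(recent_pins)[-policy.restrict_reuse:]:
        problems.append("reuse")           # Restrict Re-use
    if last_changed and today and (today - last_changed).days < policy.min_lifetime_days:
        problems.append("min lifetime")    # Minimum Lifetime
    return problems


def pin_expired(last_changed: date, today: date, policy: PinPolicy) -> bool:
    """Maximum Lifetime: True when the PIN must be changed before the next login."""
    return policy.periodic_expiration and (today - last_changed).days > policy.max_lifetime_days


def _alphabet(policy: EmergencyCodePolicy) -> str:
    return string.ascii_letters + string.digits + (SPECIALS if policy.allow_special else "")


def emergency_code_ok(code: str, policy: EmergencyCodePolicy) -> bool:
    """Length, allowed alphabet and every required character class present."""
    present = {name for name, test in CLASS_TESTS.items() if any(test(c) for c in code)}
    return (len(code) == policy.length
            and all(c in _alphabet(policy) for c in code)
            and policy.required_classes <= present)


def generate_emergency_code(policy: EmergencyCodePolicy, rng=secrets) -> str:
    """Draw codes from a CSPRNG until one satisfies the required classes."""
    if "special" in policy.required_classes and not policy.allow_special:
        raise ValueError("policy requires special characters but the domain disallows them")
    while True:
        code = "".join(rng.choice(_alphabet(policy)) for _ in range(policy.length))
        if emergency_code_ok(code, policy):
            return code
```

The generator refuses a policy that requires a character class the security domain does not allow; without that guard the rejection-sampling loop would never terminate, which is the practical reason the Emergency Access Code Format requirements and the domain's special-character setting have to agree.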