Enabled and Disabled Tokens

An enabled token can be used for authentication. A disabled token cannot be used.

After Authentication Manager is installed, tokens must be imported into the deployment. All imported tokens are automatically disabled. This security feature protects the deployment if the tokens are lost or stolen.

Tokens are automatically enabled when they are assigned by an administrator.

Tokencode-only software tokens that are provisioned through Self-Service are disabled by default. Users can enable these tokens through the Self-Service Console.

A disabled token does not lock a user’s account. Lockout applies to a user’s account, not to a user’s token. Disabling a token does not remove the user’s account from the deployment. You can view disabled tokens using the Security Console.

You can enable and disable tokens only in security domains that are included in your administrative scope.

You should disable an assigned token in the following situations:

  • Before a hardware token is mailed to a user. Re-enable the token after you know that it has been successfully delivered to the user to whom it has been assigned and the user is ready to use it.

  • If you know that a user does not need to authenticate for an extended period of time. For example, you may want to disable a token before a user takes a short-term leave or an extended vacation. After you disable the token, that user cannot authenticate with that token until it is re-enabled.