Prompt Authenticate Tokencode Users for PINs on Their First Authentication to the Cloud Authentication Service

By default, RSA Authentication Manager 8.6 does not prompt Authenticate Tokencode users for PINs on their first authentication to the Cloud Authentication Service.

Authenticate Tokencode users are prompted for PINs if you previously used the Security Console to connect RSA Authentication Manager to the Cloud Authentication Service before applying RSA Authentication Manager 8.5 Patch 3. You can clear the Enable Authenticate Tokencode PIN Prompts checkbox to prevent Authenticate Tokencode users from being prompted for PINs on their first authentication to the Cloud Authentication Service. During subsequent authentications, Authenticate Tokencode users are only prompted for a PIN if their PIN has expired, or if an administrator has cleared their PIN or requires users to create another PIN. This option does not affect other types of authentication.

Clearing this checkbox does not affect the Self-Service Console or the workflow for PIN with Approve, PIN with Device Biometrics, or other types of authentication. For example:

  • Users can create and change PINs in the Self-Service Console.
  • Administrators can clear PINs and require users to create new PINs.
  • During authentication, users who enter expired PINs for Approve, Device Biometrics, or RSA SecurID authentication are prompted to change their PINs
  • Existing PIN with Approve and PIN with Device Biometrics users can still authenticate.

Other RSA SecurID tokens that require PINs continue to work as before.

You can choose to restore the previous functionality. The following procedure prompts users to create or change PINs during Authenticate Tokencode authentication.

Procedure

  1. In the Security Console, click Setup > System Settings.

  2. Click Cloud Authentication Service Configuration.

  3. Select the Enable Authenticate Tokencode PIN Prompts checkbox.

  4. Click Save.