SecurID Hardware Authenticators

You can assign SecurID 700 hardware authenticators to Cloud Authentication Service users and manage the OTP credentials in the Cloud Administration Console. These credentials provide two-factor authentication, where users enter a PIN (something the user knows) plus an OTP (something the user has). The OTP changes at regular intervals.

During authentication, the Cloud Authentication Service validates the OTP and PIN, similar to other cloud-based authentication methods. These credentials can be viewed and managed only from the Cloud Administration Console. You do not need to deploy an Authentication Manager server.

These credentials can be used for offline authentication if your company deploys the latest version of MFA Agent for Microsoft Windows or MFA Agent for macOS to users. For more information, see Using SecurID 700 Hardware Authenticators for Offline Authentication.

Each user can have up to five active SecurID 700 hardware OTP credentials that are managed in the Cloud Administration Console. Users can register and activate their credentials on My Page.

For instructions, see:

Deploy SecurID 700 Hardware Authenticators to Users

Perform these steps:

Step 1: Obtain SecurID 700 Hardware Authenticators from SecurID

  1. Request SecurID 700 hardware authenticators from SecurID Sales or your partner. You will receive a packet containing the authenticators and encrypted authenticator record files.

    If you plan to use SecurID 700 hardware authenticators that were previously ordered and shipped, make sure you have the decrypted authenticator record files.

  2. Follow the instructions in the packet to decrypt the authenticator record files.

    During decryption, an import password is generated for each file. Make sure you have these passwords when you upload the authenticator record files to the Cloud Authentication Service.

    Note: Trial authenticators may not require a password.

Step 2: Upload Decrypted Authenticator Record Files to the Cloud Authentication Service

  1. In the Cloud Administration Console, click Users > Hardware Authenticators.

  2. Click Upload SID700 OTP Seeds.

  3. Click Choose File and browse to the file you want to upload.

  4. If required, enter the import password that was created for the file during the decryption process.

  5. Click Upload.

You can view the total number of uploaded hardware authenticators and the total number of unassigned hardware authenticators on the Hardware Authenticators page.

Step 3: Configure Authentication Settings for Your Deployment

Configure settings that affect how hardware authenticators are used in your deployment, including PIN requirements. See Configure OTP Credentials for instructions.

Step 4: Configure Email Notifications for Your Deployment

To help increase security, you can configure the Cloud Authentication Service to automatically send a confirmation email to users after they register their SecurID 700 hardware authenticators. For instructions, see Configure Email Notifications.

Step 5: Distribute Authenticators to Users

To distribute SecurID 700 authenticators to users:

  1. Send unassigned authenticators to users.

  2. Instruct users to go to My Page to register their authenticator and test authentication.

If preferred, you can assign authenticators to each user before distribution. Upon receiving their authenticators, users must go to My Page to activate the preregistered authenticators and test authentication.

Delete Expired Hardware Authenticators

This task deletes all expired hardware authenticators from the Cloud Authentication Service. Expired authenticators cannot be used for authentication.

  1. In the Cloud Administration Console, click Users > Hardware Authenticators.

  2. From the Hardware Authenticator Actions drop-down menu, click Delete SID700s.

  3. Under Delete All Expired Hardware Authenticators, click Delete.

    This operation may take several minutes to complete, depending on how many expired authenticators are being deleted.

Manage Users' Hardware Authenticators

See | Description
Clear a Hardware Authenticator PIN for a User | You can clear the PIN if the user has forgotten the PIN or the PIN is compromised. Before using the hardware authenticator, the user must go to My Page and set a new PIN.
Enable or Disable a Hardware Authenticator | Registered authenticators are automatically enabled. You can unassign a disabled authenticator.
Unassign a Hardware Authenticator from a User | Unassigning the hardware authenticator prevents the user from using it to authenticate.
Delete a User's Hardware Authenticator | Delete a hardware authenticator file from the Cloud Authentication Service.
Unlock All OTP Credentials for a User | Unlock a user's SMS, Voice, Authenticate, and hardware OTPs.
Rename a Hardware OTP Credential | Instruct users to go to My Page and click the old name. Enter the new name, then click the check box to confirm. Make sure the name is not blank, does not include the < > " / ; ` % characters, and does not exceed 50 characters.

View Hardware Authenticator Information

See | Description
Usage Information | View hardware authenticator usage statistics for your deployment on the Cloud Administration Console dashboard.
Run Reports | Use the Hardware OTP Credential Information report to see information for each hardware authenticator that is uploaded to the Cloud Authentication Service.

To access Help for end users, see SecurID Hardware Authenticator.