Troubleshooting Cloud Authentication Service User Issues

The following table contains information that help desk administrators can use to troubleshoot Cloud Authentication Service user issues.

SecurID App Installation

Issue Resolution

A user cannot open or install the SecurID app.

Confirm the following:

  • The user has internet connectivity.
  • The user has downloaded and installed the app from Google Play (Android) or Apple App Store (iOS).
  • The user can see the app icon in the application folder or home screen.
  • The device is running at least iOS version 11 or Android 7.

Authenticator Registration

Issue Resolution
  • A user cannot register an authenticator.
  • A user sees one of the following error messages:
    • Unable to Complete Setup. Contact your administrator.
    • Cannot register. Contact your administrator.

Investigate these areas:
  • If the user sees the "Unable To Complete Setup" message, confirm that the user is allowed to complete authenticator registration. If a policy prevents the user from completing registration, the User Event Monitor displays messages indicating this.
  • If the user sees the "Cannot register" message, confirm with your setup administrator that your company allows users to complete registration with the SecurID Authenticate app or FIDO authenticators.
  • Confirm that the user has internet connectivity.
  • Confirm connectivity between the Cloud Administration Console and the identity source. For instructions, see View Identity Router Status in the Cloud Administration Console.
  • Confirm that the user has an active account in the identity source and that the account password is not expired.
  • In the Cloud Administration Console, confirm that the user exists.
  • Confirm that the user is using the correct username or email address, password (identity source), and Company ID. The Company ID must match the value configured in the Cloud Administration Console under Company Settings. For more information, see Configure Company Information and Certificates.
  • In the Cloud Administration Console, check if the user already has a registered authenticator. If so, instruct the user to delete the authenticator in My Page, or you can delete the user's current authenticator as described in Manage Users for the Cloud Authentication Service .

  • Review the SecurID app logs for connectivity and device registration errors.

A user believes that registration is complete. However, SecurID instructs the user to install the SecurID app.

In the Cloud Administration Console , click Users > Management, navigate to the user's Authenticators page, and confirm that the authenticator is listed. If the authenticator does not appear, instruct the user to complete registration again.

A user is concerned about the SecurID for Android app requesting multiple permissions during registration.

The SecurID app requests the minimum number of permissions required for the application to function. For more information, see the privacy policy at https://www.rsa.com/en-us/company/privacy.

An iOS or Android user sees the following error message in the SecurID app: Untrusted Connection.

If your company uses Secure Sockets Layer (SSL) interception, users will see this message during registration.

Instruct users to complete registration using a Wi-Fi network that does not use SSL interception, such as a cellular data or a home Wi-Fi network. They can use corporate Wi-Fi after registration is complete.

If users see this message after registration is complete, consult your company's IT team to resolve the issue.

A user is prompted to complete registration, although the user has already completed registration.

The user might see this message if you have deleted the user's authenticator in the Cloud Administration Console . Instruct the user to complete registration again.

A user completes registration on one authenticator and then gets a new authenticator. The user needs to complete registration on the new authenticator.

Instruct the user to delete the old authenticator in My Page, and then complete registration on the new device. Or you can delete the user's current authenticator before the user completes registration on the new authenticator. For instructions, see Manage Users for the Cloud Authentication Service .

A user receives the following error message when registering a device: Unsuccessful SecurID Setup. You have another device registered with SecurID. Contact your administrator.

The user either already has a registered device or performed a factory reset on an existing registered device and tried to re-register. An Android 8.0 (Android O) user who re-installs the SecurID app on the same device also sees this message.

Instruct the user to delete the device in My Page. Or in the Cloud Administration Console , delete the user's current device. For instructions, see Manage Users for the Cloud Authentication Service .

Instruct the user to complete registration again.

Review the SecurID app logs for this event.

An Android user receives one of the following unsuccessful setup messages and cannot complete registration or add another account:

  • This device or the software running on it is not supported.

  • An error occurred.
  • If the user receives the "error occurred" message, instruct the user to try again.
  • If the user receives the "not supported" message, the user might have a rooted or non-compliant device. In these situations, the user cannot complete registration or add an account.

Applications

Issue Resolution

A user cannot sign into the application portal.

In the Cloud Administration Console , click Users > Event Monitor. The user event monitor shows the following reasons for unsuccessful application portal sign-in:

  • Authentication failed.
  • Credentials used to sign in are associated with multiple user accounts.
  • An internal server error occurred.
  • The concurrent session limit has been reached.
  • A password reset is required.

Also, check that the user is included in the scope of the identity source that was added to SecurID. Identity sources are configured in the Cloud Administration Console and enable users to access protected applications in the application portal.

A user expects to have access to an application but cannot see the application.
Sign into the Cloud Administration Console.
A user receives HTTP error 500 when trying to access an application that has been added to SecurID using either the HTTP Federation (HFED) Proxy or trusted headers methods. Confirm that the application web server has a valid SSL certificate that has been signed by a certificate authority (CA) that the identity routers trust. For more information, see Cloud Authentication Service Certificates.

Authentication Methods

Issue Resolution

Authentication is unsuccessful.

Investigate these areas:
  • Confirm that an internet connection is available.
  • Determine the authentication method that the user provided for authentication. Sign into the Cloud Administration Console, click Users > Event Monitor, and view the events associated with the user to see which authentication method or assurance level has been applied.
  • Device Biometrics and Approve authentication methods require push notifications. Determine whether the device is receiving notifications.

    If notifications are disabled, instruct the user to open the app and pull down on the home screen to retrieve notifications.

  • If the authentication method is SecurID Authenticate Tokencode, SMS Tokencode, Voice Tokencode, or password, determine if the method is locked for that user.

    If the method is locked, the authentication will not succeed. If applicable, the logical AND operator requires that both methods are successfully validated.

    For instructions on unlocking these methods, see Manage Users for the Cloud Authentication Service . For information on password lockout, see Configure Session and Authentication Method Settings.

  • If the method is Authenticate OTP, make sure the user's phone is configured to the correct local time.

  • If the authentication method is SecurID Token, access Authentication Manager and do the following:
    • Check if the user entered the SecurID PIN and tokencode incorrectly.
    • Check if the user's token is disabled.
    • Check if the user account is locked.
  • Review the SecurID app logs for connectivity and unsuccessful authentication errors.

A user sees the following error message in the browser when trying to authenticate: Cannot Contact Your Mobile Device.

When SecurID detects an unexpected error while trying to contact a user's mobile device, this error appears.

Instruct the user to try again in a few minutes, or to select a different authentication method. (If the application is assigned an assurance level that does not have optional methods, then authentication fails.)

A FIDO authenticator user sees the following error message in the browser when trying to register or authenticate: An Error Occurred. This message might appear if the Cloud Authentication Service detects the authenticator as counterfeit or compromised.

A user wants a simple way to copy the SecurID Authenticate Tokencode into a mobile browser.

The user can tap the tokencode to copy it.

A user taps Approve in the SecurID app but is not authenticated to the application.

  • A user has one minute to tap Approve after the Approve screen appears in the app. It is likely that the user tapped Approve near the end of that timeout interval.

  • Review the SecurID app logs for timeout events.

  • Confirm if the user's device has an internet connection.

A user cancels the Sending Sign-in Request screen in the browser, selects Approve, and then sees the tokencode screen in the in browser.

Instruct the user to do the following:

  1. Cancel the authentication screen in the SecurID app.

  2. Go to the home screen in the app.

  3. Enter the SecurID AuthenticateTokencode in the browser screen.

A user expresses concern about SecurID storing face prints in the Cloud Authentication Service.

The Cloud Authentication Service does not store fingerprints or faceprints.

A user cannot reset the PIN used to view the SecurID Authenticate Tokencode.
  • In certain situations, an iOS user must use device biometrics to reset the PIN. Instruct the user to set up biometrics, then tap View Tokencode on the home screen, and follow the instructions.
  • In certain situations, an iOS user must first delete all accounts that require additional authentication to view the SecurID Authenticate Tokencode, then complete registration again for those accounts. Instruct the user to do this. Then instruct the user to tap View Tokencode on the home screen, and follow the instructions.

A Windows user cannot create a Hello PIN when the app prompts the user to do so.

Windows Hello must be enabled to use Biometrics as a Windows authentication option. To confirm that Windows Hello is enabled, work with your IT group.

A Windows user is not receiving notifications for the Approve or Biometrics options.

If you want the user to receive notifications, ensure that the user's PC can contact the Windows Notification Service. For more information, see Cloud Authentication Service User System Requirements.

If notifications cannot be enabled, instruct the user to open the app and pull down on the home screen to retrieve notifications.

General

Issue Resolution

A user needs to back up and restore a mobile device.

On iOS devices, the SecurID app data is included in a system backup. On Android devices, the SecurID app is not included in a system backup.

If a user needs to restore a device from a system backup, instruct the user to complete the following steps to use the SecurID app on the restored device.

  1. Restore the device using the system backup.
  2. Do one of the following:
    1. If restoring to the same device, open the app and complete device registration.
    2. If restoring to a different device:
      • Delete the device in My Page. Or delete the user's device from the Cloud Administration Console.

      • (Android) Install the SecurID app from Google Play.

      • Open the app and complete registration.

    After a restore, software tokens should work without any manual intervention.

A user is not receiving push notifications.

Investigate these areas:

  • Confirm that the user's device has internet connectivity.
  • In the Cloud Administration Console, click Users > Management, navigate to the user's Authenticators page, and confirm that the device is listed and Active.
  • Confirm that the user has enabled the app to receive push notifications. On iOS, confirm that Alert Style is not set to None. If notifications are disabled, instruct the user to either enable notifications or open the app and pull down on the home screen to retrieve any push notifications.
  • Review the app logs for notification events.

An iOS user does not use Alert Notification Services (APNS) but needs to use the SecurID app.

An iOS user can disable both ANS and SecurID app push notifications. For mobile authentication methods, the user must pull down on the app home screen to retrieve push notifications.

An Android user does not want the SecurID app to use push notifications.

A user cannot disable Firebase Cloud Messaging (FCM) notifications, but the user can disable SecurID app notifications.

A user forgets the device that has SecurID app installed on it, and wants to access an application protected by SecurID.

If the application is assigned an assurance level that can be satisfied with a non-mobile authentication method such as SecurID Token or FIDO, and if the user possesses one of those tokens, then the user can complete authentication.

A user lost the device that has the SecurID app installed on it.

In the Cloud Administration Console , delete the user's device. Another user in possession of the lost device might be able to authenticate to a protected application if that user knows the device owner's LDAP directory password.

A user mistakenly uninstalled the SecurID app.

Instruct the user to install the app and complete registration again. Provide the user with the necessary information.

A user performed a factory reset on a device and the SecurID app was deleted.

Instruct the user to delete the device in My Page, or in the Cloud Administration Console , delete the user's device. Instruct the user to install the app and complete registration again.

An Android user is connected to the internet but continues to see the following error message: Check your internet connection.

This error appears when the user is signed into a secure Wi-Fi network but has not yet entered the password. Instruct the user to enter the network password and then continue.

Review the SecurID app logs for this event.

A user is prompted to accept the EULA or enter a User ID or Email Address and Company ID again after registration.

This can occur for the following reasons:
  • You deleted the device from the Cloud Administration Console . As a result, the user must register the device again.
  • On Android, the user cleared data for the app. As a result, the user must register the device again.
  • The user uninstalled and reinstalled the app. As a result, the user must accept the EULA again.
  • Review the SecurID app logs for this event.

More than one user wants to use the same device and same app.

SecurID supports only one device registered with the SecurID app per user. A user cannot sign out of the app so that another user can sign into the app.

On a Windows 10 desktop, multiple users can use the same machine as long as each user has a unique account and has completed registration with the SecurID app on that account.

A user experiences an issue with the app and needs troubleshooting help.

Review the app logs. Ask the user to send you the logs using these instructions.

  1. From the app More screen, tap or click Email Logs. If necessary, select the email app to use.
  2. In the new e-mail message, enter your email address, and click Send.

You can also use the Cloud Administration Console Event Monitor to troubleshoot user issues. Click Users > Event Monitor.

A user expresses concern about the app requesting permission to collect usage data using Google Analytics.

The SecurID app requests user permission to collect anonymous usage data to improve the app. A user allows or denys this request during the initial opening of the app. A user can also change this setting in the following locations:

  • iOS: SecurID app Settings screen
  • Android and Windows: SecurID app More screen

The user's selection for this setting does not impact the functionality of the app.

A user sees the "Device Not Compliant" message.

The SecurID app has detected the device as jailbroken or rooted. Instruct the user to restore the device.

If the user reports that the device is not jailbroken or rooted, instruct the user to email you the logs for the device using the link in the message. Then provide these logs to SecurID Customer Support.