2 minute old (unused) token codes
We're able to login with 2 minute old (unused) token codes. How do we address this issue? Thanks.
- Auth Agent
- Auth Manager
- auth mgr
- Authentication Agent
- Community Thread
- Forum Thread
- highwater mark
- RSA SecurID
- RSA SecurID Access
- time drift
- token offset
I have moved this thread to the https://community.rsa.com/community/products/securid?sr=search&searchId=e62ea578-0d31-4846-8dca-0ab34615b114&searchIndex=0 page so that you can get an answer to your question.
The AM server and the Token Application (SmartPhone or PC for SoftToken, FOB for Hardware Token) both calculate TokenCodes based on the time, with the AM server presumed to have the correct time.
SecurID is designed to learn about time drift, which is the difference in time on the token relative to the presumed correct time on the AM server.
By waiting about 2 minutes to press enter for a logon with your token, you are telling the AM server that your token's clock is 2 minutes slower than the server's clock. The AM server will note this time difference or time offset of minus 2 minutes, and expect the same slowness on future logons.
You cannot reuse any tokencode, and as soon as you successfully authenticate with any tokencode, all previous tokencodes become invalid. What you are seeing is functions as designed, a way to handle imperfect time in an imperfect world. But by doing what you did, you have handicapped the token, so that if you logon again next time with the correct token, the AM server will think your token is now two minutes fast (compared to what it was), and may prompt for a Next TokenCode. The AM server will adjust your token time offset back assuming you do this. You can read more about this in various KB articles on Token and time offset, as well as the rsautil synctokens command at the linux prompt
To add to what Jay said, if you are able to authenticate with a 2-minute old tokencode after using the newer token code (which should have invalidated the older tokencodes), then you most probably have replication issues between your primary and replica(s).
You can check the replication status from the Operations Console > Check Replication Status.
Jay, this seems to be the situation, as this is a new implementation. Should I suspect the token code expiration time to become shorter the more data the AM receives? Currently we have only a handful of users. Additionally, I checked the 'replication status report' and it states 'Normal'.
Jay, Mustafa, Thanks for the responses!