This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
GregNobles
Beginner
Beginner
‎2016-08-26 02:21 PM

2 minute old (unused) token codes

We're able to login with 2 minute old (unused) token codes. How do we address this issue? Thanks.

Labels (1)
Labels
0 Likes
Reply
4 Replies
jeffshurtliff
Administrator Administrator
Administrator
‎2016-08-29 10:40 AM

Hi Greg,

 

I have moved this thread to the https://community.rsa.com/community/products/securid?sr=search&searchId=e62ea578-0d31-4846-8dca-0ab34615b114&searchIndex=0‌ page so that you can get an answer to your question.

 

Thanks,

Jeff

0 Likes
Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2016-08-29 12:20 PM

Greg,

The AM server and the Token Application (SmartPhone or PC for SoftToken, FOB for Hardware Token) both calculate TokenCodes based on the time, with the AM server presumed to have the correct time.

SecurID is designed to learn about time drift, which is the difference in time on the token relative to the presumed correct time on the AM server.

By waiting about 2 minutes to press enter for a logon with your token, you are telling the AM server that your token's clock is 2 minutes slower than the server's clock.  The AM server will note this time difference or time offset of minus 2 minutes, and expect the same slowness on future logons.  

You cannot reuse any tokencode, and as soon as you successfully authenticate with any tokencode, all previous tokencodes become invalid.  What you are seeing is functions as designed, a way to handle imperfect time in an imperfect world.  But by doing what you did, you have handicapped the token, so that if you logon again next time with the correct token, the AM server will think your token is now two minutes fast (compared to what it was), and may prompt for a Next TokenCode.  The AM server will adjust your token time offset back assuming you do this.  You can read more about this in various KB articles on Token and time offset, as well as the rsautil synctokens command at the linux prompt

Reply
MHelmy
Moderator Moderator
Moderator
In response to JayGuillette
‎2016-08-29 12:25 PM

To add to what Jay said, if you are able to authenticate with a 2-minute old tokencode after using the newer token code (which should have invalidated the older tokencodes), then you most probably have replication issues between your primary and replica(s).

 

You can check the replication status from the Operations Console > Check Replication Status.

Reply
GregNobles
Beginner
Beginner
In response to JayGuillette
‎2016-08-29 12:45 PM

Jay, this seems to be the situation, as this is a new implementation. Should I suspect the token code expiration time to become shorter the more data the AM receives? Currently we have only a handful of users.  Additionally, I checked the 'replication status report' and it states 'Normal'. 

 

Jay, Mustafa, Thanks for the responses! 

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.