SecurID^® Discussions

Keep in mind that a human is not a userid, and in fact can have more than one userid.  A single userid rarely needs more than one token, but humans with more than one userid often need a token per userid. 

One infrequent case where a single userid needs more than one token is when the userid needs to authenticate to more than one agent within the same minute.  Ii have a customer whose network admins must respond to certain alerts by logging into six (or more!) network device GUIs as rapidly as possible, and one login per minute per token was a problem.   Passcodes can only be used once, so you have to wait for the tokencode to change before you can use the token again.  On software tokens you can use the "next tokencode" button to get it without waiting (then you *do* have to wait for the one after that if you need a third), but with hardware tokens you just have to wait for the display to change.  One way to deal with that is the 30-second token.  You can order hardware tokens that change every thirty seconds instead of every sixty.  Also, I believe that our current software token apps allow use of a software token profile (configured at the Primary before distributing the token) that changes the tokencode every 30 seconds as well.

Yes Sandip. If two hardware token are assigned to the same user, they will have two tokens in their possession. An enterprise may allow an end-user to keep the second token as a backup (or stored at an alternate location accessible only to the end-user). You're correct. In general, assigning multiple hardware tokens to the same user is a somewhat unusual configuration. Could you share why you were planning this?

The other time an end-user might have two tokens is if they have two "identities" or represent two "principals". Unlike your example, in this case there would be two "users" each with a single token (but the 'users' is actually the same physical person or "principal"). This would also imply the end-user had control of the two identity source accounts (i.e., there are two LDAP accounts, passwords, etc.). In general, this is avoided and customers use aliases to allow end-users to "use" alternate identities at an RSA/Agent. With aliases, AM can be configured to understand that when "Administrator" signs in on "Domain Controller-3", it is actually the system admin "Joe Admin" and the passcode will be validated using one of Joe's tokens.