SecurID® Discussions
JonSnow
New Contributor

Can't authenticate with pinpad style software token


Hi

We use RSA SecurID hardware tokens with AM v8.1, but are planning to migrate across to software tokens, and I am testing out the available options. The software tokens need to be installed on users' Windows phones or iPhones, and they will then authenticate using a VPN client to get remote access to the network.

If I assign and distribute tokens in Tokencode style [no PIN required] or Fob style [enter PIN followed by tokencode], this works fine and I can authenticate using the VPN client.

But if I assign a token in Pinpad style [PIN integrated with tokencode], my authentications always fail.

In Pinpad style I open the SecurID application on my phone and I am prompted to enter a 4-8 digit PIN, but I can enter any PIN number and the tokencode is always displayed. Why is this?

If I enter this tokencode in the VPN client, the authentication monitor shows "authentication method failed". If I enter the PIN number followed by the tokencode in the VPN client, the authentication monitor shows "authentication method failed, passcode format error".

Hopefully one of you good people can point out where I'm going wrong.


Accepted Solutions
EdwardDavis
Employee

Pinpad style works like this (assume an 8-digit token):

On the software token app, it will ask for a PIN, and then display 8 digits no matter what.

If you have no PIN set up yet, just enter no PIN, or a PIN of 0000, and you will get 8 digits.

So... you see 8 digits [with tiny text above it: tokencode or passcode]:

either an 8-digit TOKENCODE, which is the current code on the token, with no PIN involved,

or an 8-digit PASSCODE, which is the 8-digit tokencode it would have displayed, but with the PIN number also mathematically added, which results in a new 8-digit PASSCODE.

PINPAD tokens have PIN restrictions: the PIN cannot have leading zeros and must be all numeric; it cannot be alphanumeric.

This is because it has to add the PIN to the 8-digit code to reveal a new 8 digits. For the math to work, there can be no leading zeros, and numbers only.

-

When the RSA server gets the new login request from some agent, with a username and 8 digits, it knows what the code should be, and whether you have a PIN or not, and it subtracts the PIN and determines if the mathematical 8-digit remainder is the TOKENCODE.

So, that is how pinpad works. Always 8 digits.

If you have a PIN, it lumps it into the 8 digits and it is hidden inside, and the RSA server just subtracts and figures out the rest.

The software token app itself has no knowledge of your PIN, or what it should be, so you can enter any PIN you want and it will show you a PASSCODE. But if you enter the wrong PIN (or enter a PIN when you do not have one yet) the authentication will, of course, fail.

And of course the clock on the device that runs the software token app has to be perfectly accurate for the tokencode to be correct.

This is assumed to be fine, since you said keyfob style works OK.

--------------------------------------------------------------------------------

Now, having said that, it may get weirder with a VPN client and 'token automation', so see if this is the case...

Some VPN clients that run on the same device as an RSA software token may have the ability to automatically detect the RSA tokencode and silently fetch it; the user is just expected to enter the PIN into the VPN client (the prompt should say PIN if this is happening) and the VPN client does the math and sends the matching PASSCODE. Cisco VPN and others can do this. It is called 'software token automation', and if you are using this, it makes using a different token or a handheld token on the same VPN client problematic, as it might be fetching the code from the wrong token. So just note that 'token automation' would be something to look for in the documentation that is specific to your VPN client, and see if it is set up or not.
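To make the arithmetic in the accepted answer concrete, here is an added toy model of the PINPAD flow. It is not RSA's actual algorithm and not code from RSA or from anyone in this thread: the tokencode is a constructed constant rather than a generated one, and "mathematically adding the PIN" is modelled as plain integer addition modulo 10^8, which is the simplest reading of the description. The point it shows is the split of knowledge: the phone app combines whatever PIN is typed and always yields 8 digits, while only the server holds the PIN and can subtract it. It also reproduces the two outcomes from the question: a bare tokencode submitted when the server has a PIN on file fails, and PIN-followed-by-tokencode is rejected as a format error because it is not 8 digits.

```python
from typing import Optional

DIGITS = 8
MODULUS = 10 ** DIGITS

# Constructed value standing in for the tokencode a token would currently show.
CURRENT_TOKENCODE = "40219837"


def validate_pin(pin: str) -> None:
    """Policy check for a PINPAD-style PIN as listed in the answer:
    all numeric, 4-8 digits, no leading zero."""
    if not pin.isdigit():
        raise ValueError("PIN must be all numeric")
    if not 4 <= len(pin) <= 8:
        raise ValueError("PIN must be 4-8 digits")
    if pin[0] == "0":
        raise ValueError("PIN cannot have a leading zero")


def app_display(tokencode: str, entered_pin: str) -> str:
    """What the phone app shows after its PIN prompt.

    The app does not know the user's real PIN, so it combines whatever was
    typed. An empty PIN (or 0000) adds nothing and yields the bare TOKENCODE;
    anything else yields a PASSCODE that is still exactly DIGITS wide, even
    when the addition wraps past 99999999.
    """
    pin_value = int(entered_pin) if entered_pin else 0
    combined = (int(tokencode) + pin_value) % MODULUS
    return f"{combined:0{DIGITS}d}"


def server_verify(submitted: str, expected_tokencode: str,
                  stored_pin: Optional[str]) -> str:
    """Server side of the check described in the answer.

    Returns the outcome string the authentication monitor would show
    (wording taken from the question).
    """
    # Anything other than exactly DIGITS numeric characters is a format error:
    # this is what "PIN followed by tokencode" (12 digits) triggers.
    if not submitted.isdigit() or len(submitted) != DIGITS:
        return "authentication method failed, passcode format error"
    pin_value = 0
    if stored_pin is not None:
        validate_pin(stored_pin)
        pin_value = int(stored_pin)
    # Subtract the PIN on file and compare the remainder with the tokencode
    # the server expects for this user's token right now.
    remainder = (int(submitted) - pin_value) % MODULUS
    if f"{remainder:0{DIGITS}d}" == expected_tokencode:
        return "authentication succeeded"
    return "authentication method failed"


if __name__ == "__main__":
    pin = "2580"
    passcode = app_display(CURRENT_TOKENCODE, pin)
    print("app shows PASSCODE:", passcode)
    print("correct passcode:",
          server_verify(passcode, CURRENT_TOKENCODE, pin))
    print("bare tokencode with a PIN on file:",
          server_verify(CURRENT_TOKENCODE, CURRENT_TOKENCODE, pin))
    print("PIN followed by tokencode:",
          server_verify(pin + CURRENT_TOKENCODE, CURRENT_TOKENCODE, pin))
```

Running the block walks through the three cases from the question with the constructed tokencode 40219837 and PIN 2580. Because the real PIN is never stored on the phone, the app cannot tell a right PIN from a wrong one; only the server's subtraction can, which is why any PIN produces a plausible-looking 8-digit code.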

JayGuillette
Apprised Contributor

There is an attached PowerPoint with screenshots of what Ed explained above about PINPad-type tokens, at the bottom of another discussion on Soft Tokens:

https://community.rsa.com/message/885517?commentID=885517#comment-885517