This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
DavidBeitler
Beginner
Beginner
‎2017-01-19 05:33 PM

Need help deploy software tokens

We have some users that want to use software tokens, and would prefer to use QR-Codes to distributed them.  We are not currently deploying the self service console, our existing users all use hardware tokens, and cannot seem to find a decent "howto" guide in any of the documentation on how the deployment procedure works.  Is there a simple document within RSA that details this.  For example.  If the user has to log into the self service console, to retrieve the QR-Code, how do they authenticate, assuming they are a new user?

Labels (1)
Labels
0 Likes
Reply
2 Replies
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2017-01-19 06:16 PM

basically without a Web Tier, a CTKIP URL shows the internal port 7004.  This is configured in your Software Token Profile.  Some devices, like a Windows PC, are not capable of converting this URL to a QR Code, so that option is not in the Software Token Profile.

SC-Auth-Token-Profile.png

When you distribute a soft Token as Dynamic Seed Provisioned (CT-KIP) you get a URL like the one above, plus an activation code, which you can email and/or phone call to the customer (email the URL and have them call for the code is probably safest.)  If you email both the code and the URL, someone could intercept it, but it can only be used once, so that is safety through fail-safe, if it does not import into the intended User’s device, you get them a new one which invalidates the first one.

 

With QR Codes, that is a subset of CTKIP which only works on specific smart phones.  The difference is user must logon to the Self Service Console to get their QR Code.  When you distribute a soft token with QR Code, it looks like this.

SC-Auth-Token-Profile_QR.png

You do not see a QR code or CTKIP URL, until user logs into Self Service Console, typically with a Password, and clicks the activate link.  Be sure to enable Password logon to Self Service console in the Security Console - Setup - SS Settings

SC-Setup-SSC-Auth.png

RSA_Password means Internal database user with assigned password, while LDAP_Password comes from an external LDAP Identity Source like Active Directory.  the / means OR, be careful with + it means AND which is two types of Authentication.

 

SSC_QR_activate.png

 

When your users logs into the Self Service Console, SSC, they can activate their Token by scanning the QR code.

Good luck

0 Likes
Reply
DavidBeitler
Beginner
Beginner
In response to JayGuillette
‎2017-01-19 06:36 PM

So, and this is primarily what I did not understand from the documentation.  Is that when the user logs into the self-service console for the first time, to scan the QR-Code, they need to be able to log in with their ID, and either an internal account or ldap account password. 

 

So with CTKIP, user gets URL and activation code.  User uses the RSA app on there phone, connects to the URL (on the self service/web tier server), and then enters the activation code.  And all is good.

 

With QR-Code, user gets URL, but must use other device (saw this in one of the docs), and log into the self service console, select "Activate...", and then scan the QR-Code with their phone, (activation code not needed ?) and all is good.

 

Sound right?

 

Secondly, is the activation code still needed by the user when using QR-Code?

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.