This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
KeithGiles
Frequent Contributor
Frequent Contributor
‎2018-04-16 10:39 AM

SecurID Tokens: Can they resync on their own?

We recently had two users prompted to enter the "next tokencode" after they'd already logged in successfully. According to RSA support, this is typically because their tokens are out of sync. 

 

However, they were able to log in again after we cleared their incorrect login attempts. We did not do anything to resynchronize their tokens.

 

With that said, does this mean the tokens can sometimes get back into sync without intervention? 

 

Or was my problem perhaps something else? The users were highly confident they entered the correct token code each time. 

Labels (1)
Labels
0 Likes
Reply
8 Replies
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2018-04-16 10:55 AM

The answer is 'a little bit' or 'kind of'

If you restart AM services on the Primary, either after a reboot or in Linux   /opt/rsa/am/server/rsaserv restart all

the first time every token is used to logon after that, the AM server will accept any tokencode within a plus or minus 10 minute window.  The AM server can then note any difference in the time on the token from the time on the AM server (which is always assumed to be correct)

Re-synching a token does the same thing, but with a plus or minus 12 hour window 

Reply
TedBarbour
Employee
Employee
‎2018-04-16 11:04 AM

You can be entered into NTC mode because of incorrect attempts per token policy.

Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2018-04-16 11:07 AM

To your original question, Next token Code, NTC can happen for two reasons, one of which is kind of what Support indicated to you, that this token is a little bit out of synch, the tokencode entered was within 2-3 minutes of the expected tokencode AFTER an initial authentication after restarting AM services.  In other words, first time token used to authenticate after services have been started is the plus or minus 10 minute window, which allows AM to get its bearing on this individual token, to learn this token's exact time offset difference, and every time authenticating after that initial auth the Window is tighter, plus or minus 1 minute.  Close as in plus or minus 2-3 minutes triggers NTC.  Any tokencode more than 3 minutes off from expected offset time is considered incorrect and look even looked up.

 

The 2nd way to trigger NTC is to fail authentication some minimum amount of times, which is set in the Token Policy, and defaults to 3 failures in a row without a success - over any amount of time that the AM services have been running.  You might consider a Token Policy change to 5 if this is a problem for your users, arguing that 5 is still tight enough to thwart hackers trying to steal OTPs (which in itself is an Everest-type task for the hacker).

SC-Auth-Policy-Token.png

 

You also can clear all NTPs from all Tokens with the /opt/rsa/am/utils/rsautil sync-tokens utility in Linux

Reply
KeithGiles
Frequent Contributor
Frequent Contributor
‎2018-04-16 11:30 AM

Thanks for the replies. If I understand, then restarting the AM service will essentially resync the tokens? It's been a few months since it was restarted (the latest patch). 

 

I do see that our policy requires next tokencode after 3 incorrect passcodes. Does this mean three consecutive incorrect entries? Or is this just three random incorrect entries? 

 

The users were extremely confident they entered the correct passcode, but perhaps they entered their computer password incorrectly. 

0 Likes
Reply
_EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)
‎2018-04-16 11:35 AM

Keith Giles‌,

 

000029685 - Navigating Next Tokencode Mode in RSA Authentication Manager 8.1 and above gives a good explanation of the Next Tokencode process and the window of valid tokencodes when authenticating.

 

Regards,

Erica

Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
In response to KeithGiles
‎2018-04-16 11:35 AM

Yeah, I'd restart services, maybe implement a plan to restart or reboot once per quarter or something, and change Token Policy to 5 and then the problem should really drop off your radar.

The 3 strike (or 5 strike change) bad TokenCode in the Token Policy is in a row, meaning it goes back to 0 strikes when you successfully authenticate with that Token.

You could also run an authentication report on the user, and look for 3 failures in a row. If you cannot find that, then it is most likely due to time being slightly off.  

Reply
KeithGiles
Frequent Contributor
Frequent Contributor
In response to _EricaChalfin
‎2018-04-16 11:37 AM

WPVABf2A7AHE7HYzA8lNwkryi3vLGLSU‌, thanks! I will definitely read over that. 

0 Likes
Reply
KeithGiles
Frequent Contributor
Frequent Contributor
In response to JayGuillette
‎2018-04-16 11:40 AM

Thanks so much Jay, I will check that!

 

To confirm, when it says incorrect passcodes, it is referring to the AD password + the tokencode, so it could be an incorrect password too? 

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.