EpcoDijk
Beginner

Step-by-step manual to set up token provisioning with QR code

Hi,

I just saw a video showing that end users can request and activate a software token themselves without admin privileges.

I would like to implement this in our self-service portal too.

Is there a step-by-step document available on how to do that?

The video I meant is this one: Video link 234273 (Provisioning RSA Software Tokens via QR Code)

0 Likes
1 Solution

Accepted Solutions
JayGuillette
Apprised Contributor

Without a Web Tier, a CTKIP URL shows the internal port 7004.  This is configured in your Software Token Profile.  Some devices, like a Windows PC, are not capable of converting this URL to a QR Code, so that option is not in the Software Token Profile.

SC-Auth-Token-Profile.png

When you distribute a soft token as Dynamic Seed Provisioned (CT-KIP), you get a URL like the one above, plus an activation code, which you can email and/or phone to the customer (emailing the URL and having them call for the code is probably safest). If you email both the code and the URL, someone could intercept it, but it can only be used once, so that is safety through fail-safe: if it does not import into the intended user’s device, you get them a new one, which invalidates the first one.

QR Codes are a subset of CTKIP which only works on specific smartphones. The difference is that the user must log on to the Self Service Console to get their QR Code. When you distribute a soft token with a QR Code, it looks like this.

SC-Auth-Token-Profile_QR.png

You do not see a QR code or CTKIP URL until the user logs into the Self Service Console, typically with a password, and clicks the activate link.

SSC_QR_activate.png

5 Replies
EpcoDijk
Beginner

Thanks, that worked. I just had to enter new software token policies with the correct version.

The ones I had were Android 1.0 and iPhone 1.3. They don't support QR code.

Now with Android 2.x and iOS 2.x it works.

Do you know if there is a new profile for Windows phones too? I now use Windows Phone 1.x, but that doesn't support QR.

0 Likes

Thank you for this write up! Very helpful. It was great to see this listed on recent discussions, as I was about to go look for documentation.

0 Likes
bharatsharma
Contributor

Hey Jay,

How can we download the file-based token through the SSC console?

0 Likes

When you distribute a token, either by SN or by User, you use a profile that distributes tokens to a file, which will have a download link in the Security Console.

0 Likes