One thing to note with your newly assigned hardware tokens is that when you give them to your end users they are in a state called New PIN Mode. This means that a PIN has not yet been created by the end user to use when authenticating.
When you assigned the hardware token, you defined if your users would authenticate using just the numbers shown on the token, known as the tokencode or if users would need to authenticate with a passcode, which is a user-created PIN and the tokencode, which is known as a passcode. At RSA we refer to this as something you know (your PIN) and something you have (your token). Let's look at how Bob and Alice would each authenticate, one with a tokencode, the other with a passcode.
How Bob authenticates with a tokencode
Bob's token allows him to authenticate to his network device by entering his user ID and the six digits he sees on his token. In this example, the tokencode that is showing is 03220728.
- Bob enters that number into the device interface and clicks OK.
- The device sends his information to the Authentication Manager server. The server sends back a request for a PIN.
- Since Bob's token is set to be tokencode only, he must wait for the tokencode to change and for the next tokencode of 81108024 to display.
- He then enters that second numeric string into the device. Et voila! Bob has a successful authentication.
How Alice authenticates with a passcode
Alice's token is PIN enabled. For her, the process of getting out of New PIN Mode has a few extra steps. As with Bob, you assigned a token to Alice and delivered it to her securely. Now she needs to create a PIN.
- If you have enabled the Self-Service Console,
- Send Alice the link to login to it.
- She clicks the link to Create PIN.
- She creates a PIN (something easy for her to remember but hard for others to guess) and confirms it, then clicks Save. She is no longer in New PIN Mode.
- Now when Alice goes to authenticate to her VPN or web page she uses her passcode (PIN + tokencode).
- If you have not enabled the Self-Service Console,
- Alice opens the device through which she authenticates (like a web page or VPN client).
- She enters her user ID in the correct field.
- She then enters the six digits she sees on the token ( e. g., 03220728) and clicks OK.
- As above, the information is sent to the server and a request for a PIN is sent back.
- This is where Alice creates her PIN and enters it into the interface. Let's say her PIN is 5130. She enters just that string and clicks OK.
- The next prompt Alice sees is to submit her passcode (PIN + tokencode). She needs to make sure the tokencode has rolled from the first one she submitted above to the next code (81108024).
- Now she enters the PIN followed by the tokencode, or 513081108024.
- She clicks OK and is successfully authenticated to her network device.
For both tokencode only and passcode tokens, waiting for the tokencode to change is very important. Entering the same tokencode more than once will result in a PASSCODE REUSE error that will be seen in the authentication logs.
Please let us know if you have additional questions on this.
Regards,
Erica
