SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.

Steps to be followed for using Hardware Tokens

I have installed and configured RSA 8.3 . Logged in to Security Console . 

I have imported the Users xml , created users , assigned tokens to users using my Security Console . 



Is there any other step that I need to follow  for hardware tokens to be used. Please share any additional steps that may be required.


( please note I am not able to find "Distribute" , in the context menu of the token .)

I was following steps as mentioned in the RSA AM 8.3 Administrator's Guide : "Importing, Assigning, and Distributing RSA SecurID Tokens , Step 4 : Distribute the token. Choose one of the following: "

Labels (1)
10 Replies

Just give the token to the user and when they first log in somewhere they should get prompted to set up a pin for the token. Any time a user is prompted for 'tokencode' that means just the digits on the token, 'passcode' means the new pin followed by digits on the token. Distribute is for software tokens, where there are multiple ways to get a software token to a user. Hardware tokens there is only one way, which is physically deliver it to the user.

Employee (Retired) Employee (Retired)
Employee (Retired)

Charu Parmar‌,


One thing to note with your newly assigned hardware tokens is that when you give them to your end users they are in  a state called New PIN Mode.  This means that a PIN has not yet been created by the end user to use when authenticating. 


When you assigned the hardware token, you defined if your users would authenticate using just the numbers shown on the token, known as the tokencode or if users would need to authenticate with a passcode, which is a user-created PIN and the tokencode, which is known as a passcode.  At RSA we refer to this as something you know (your PIN) and something you have (your token).  Let's look at how Bob and Alice would each authenticate, one with a tokencode, the other with a passcode.


bob alice.png

How Bob authenticates with a tokencode

Bob's token allows him to authenticate to his network device by entering his user ID and the six digits he sees on his token.  In this example, the tokencode that is showing is 03220728. 

  1. Bob enters that number into the device interface and clicks OK
  2. The device sends his information to the Authentication Manager server.  The server sends back a request for a PIN.
  3. Since Bob's token is set to be tokencode only, he must wait for the tokencode to change and for the next tokencode of 81108024 to display. 
  4. He then enters that second numeric string into the device.  Et voila!  Bob has a successful authentication.


How Alice authenticates with a passcode

Alice's token is PIN enabled.  For her, the process of getting out of New PIN Mode has a few extra steps.  As with Bob, you assigned a token to Alice and delivered it to her securely.  Now she needs to create a PIN. 

  • If you have enabled the Self-Service Console,
    1. Send Alice the link to login to it. 
    2. She clicks the link to Create PIN.
    3. She creates a PIN (something easy for her to remember but hard for others to guess) and confirms it, then clicks Save.  She is no longer in New PIN Mode.
    4. Now when Alice goes to authenticate to her VPN or web page she uses her passcode (PIN + tokencode).
  • If you have not enabled the Self-Service Console,
    1. Alice opens the device through which she authenticates (like a web page or VPN client). 
    2. She enters her user ID in the correct field.
    3. She then enters the six digits she sees on the token ( e.  g., 03220728) and clicks OK.
    4. As above, the information is sent to the server and a request for a PIN is sent back. 
    5. This is where Alice creates her PIN and enters it into the interface.  Let's say her PIN is 5130.  She enters just that string and clicks OK.
    6. The next prompt Alice sees is to submit her passcode (PIN + tokencode).  She needs to make sure the tokencode has rolled from the first one she submitted above to the next code (81108024). 
    7. Now she enters the PIN followed by the tokencode, or 513081108024. 
    8. She clicks OK and is successfully authenticated to her network device.

For both tokencode only and passcode tokens, waiting for the tokencode to change is very important.  Entering the same tokencode more than once will result in a PASSCODE REUSE error that will be seen in the authentication logs.

Please let us know if you have additional questions on this.




Thanks ,


Please could you let me how to enable Self Service console.


Am asking this since I seem to have followed the correct steps mentioned in this thread. 

But am getting :-

"Principal authentication

User “XXX” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SystemDomain”
Authentication method failed"


So want to try it out on Self Service Console . 


please share how to enable Self Service console.


Hello Charu, the self-service console should be accessible from the AM server internal network through the below URLs:

https://fully qualified domain name:/ssc
https://fully qualified domain name:7004/console-selfservice/

However, if you need to access the self-service console from the external network you need a Web-tier deployment, moreover you can find all the details you need in page 59 in the below guide:

RSA Authentication Manager 8.2 Setup and Configuration Guide 

The URL https://fully qualified domain name:/ssc worked for me. 



Charu Parmar‌,


Authentication method failed can happen for a variety of reasons. 


login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Tue Jul 17 17:25:06 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am83p:~> cd /opt/rsa/am/server
rsaadmin@am83p:/opt/rsa/am/server> ./rsaserv restart all


You will see all of the services stop then come back up.  Once you are back at the prompt, try authenticating again.





I have again installed RSA , this time the time is matching with the machine hosting this VM and also with the linux machine on which OAM resides. 

So , now RSA VM , windows box that hosts this VM and linux box that has the OAM server , all three are in the smae time zone. 


And tested the hardware token using self service console .( set the PIN as well  )


Now when I am accessing my protected application ,

- I enter the same username ( tested to be working fine. ) 

- and the RSA passcode as "the token code " that appears on the hardware token. 



"Principal authentication

User “XXX” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SystemDomain” 
Authentication method failed"

I am seeing same error on authentication monitor. Any further suggestions please . What settings can I check . 


Tried creating  sdopts.rec with the agent's IP , placed in the same dir as sdconf.rec


Still same error on the authentication Monitor . 


Just to add that , on the authentication monitor , the Agent and the Client IPv4 match and are correct . ( means the hostname and IP match with what is entered in the Authentication Agents ) 


please suggest .