This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Authentication method failed, passcode format error for all software tokens in RSA Authentication Manager 8.x

Article Number

000033268

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue

  • In Authentication Manager 8.x and later, the following error is displayed for all software tokens, but hardware tokens and fixed passcodes work:
Authentication method failed, passcode format error
  • The passcode format error occurs with native SecurID agents, as well as RADIUS clients and their associated agents.
  • RSA SecuriD software tokens on user devices will fail to resynchronize in the Security Console.
Image descriptionImage description
 

Cause

An RSA administrator with the right to distribute software tokens can (re)distribute all assigned software tokens; thereby invalidating all currently assigned and working software tokens by regenerating their token with a different seed value.  This effectively makes all of the redistributed software tokens into new software tokens with the same serial number, which invalidates every software token until the new token is imported.
 

In the screen shot below note that the following warning is issued:

Token selection criteria not specified.  All assigned tokens will be selected for issuance and that current software token users cannot authenticate until they update their tokens.  

If you click OK, another warning displays:You will issue <number of software tokens> software tokens according to your selection criteria.  This job generates new token seeds for these tokens.  Existing users of these tokens will no longer be able to authenticate.  Users must import the new token data before they can authenticate.

 
Image descriptionImage description
 

Once the new token seed is issued, the Authentication Manager server will expect authentication requests to use the newly issued tokencode or passcode.  Since the old token is still installed on the end user's mobile device or desktop, when a tokencode or passcode is submitted from the device, authentication will fail.


Currently there is no simple or easy way to prevent this from happening.  There is currently an RFE in place (AM-30216) to change the bulk distribution of software tokens within Authentication Manager.

Resolution

There is no rollback option in Authentication Manager if software tokens are redistributed

. The two options to resolve this issue if it happens in your deployment are as follows:
  • Either provide the new token seeds to the end users so they can import the new token to their device.
  • Alternatively, revert to a backup of your Authentication Manager system, or restore from Backup in the Operations Console. Restoring from a backup means losing some data that has changed since the backup was taken. Make absolutely sure you restore the correct backup, as the Operations Console will take whatever backup you point to and overwrite current system. May want to backup now of current system before restoring from backup as a safety measure.

Workaround

Recommendations

  • Before choosing the option to distribute software tokens in bulk, login to the Operations Console and select Maintenance > Backup and Restore > Backup Now to take a backup of the Authentication Manager database.  
  • As part of best practices for Authentication Manager, configure scheduled backups in the Operations Console (Maintenance > Backup and Restore > Schedule Backups) to backup the database on a regular schedule so that if this issue happens, it can be mitigated quickly.

Notes

In Authentication Manager 6.1 and earlier, the token distribution process was called issuing software tokens.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 08:40 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.