Article Number
000029890
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
Issue
This article provides information on how to resynchronize a SecurID hardware or software token from the Authentication Manager 8.1 Self-Service Console.
Resolution
Notes
Token synchronization checks the current UTC server time then reviews all possible tokencodes, plus or minus 12 hours from the current server time to find two sequential tokencodes that match what was entered.
With this process, the Authentication Manager server determines how fast or slow the clock in the token is as compared to the server clock, which is assumed to be connected to NTP and accurate. If the server determines that the tokencodes provided during the synchronization process are correct but either for a time in the past or the future, the token offset table is updated with the offset value. The next time the token is used for authentication the offset value is used to find the correct tokencode value for that minute to determine if authentication is successful.
A token synchronization will fail for one or more of the following reasons:
- The server time is fast or slow by more than 12 hours compared to the token time. Be sure to also confirm that the server date and timezone are correct.
- The token time is fast or slow by more than 12 hours compared to the server time. Mobile devices with RSA SecurID software tokens installed typically get very accurate time information from the service provider, while RSA SecurID Software Tokens installed on desktops and laptops get their time from the BIOS, which may be incorrect or drifting.
- The token that was synchronized is not the one assigned to the user.
- An Authentication Manager administrator distributed a software token serial number again to this user or another user without the original token being replaced on the device. When a software token is redistributed, a new hash is used that invalidates the first distribution of the token.