We have identified two issues in the iOS version of the RSA Authenticator 4.3 app. These are infrequent issues impacting users in narrow use cases and only on iOS. These issues have been fixed for many end users in version 4.3.2. RSA will also release a 4.3.3 update with additional fixes within the next few days.
The RSA Authenticator app is currently in the app store but paused so that no auto updates occur. The rollout was paused at 1%; however, users can still manually download the newest version.
For customers whose end users have already updated to 4.3.x and are experiencing issues, RSA advises the following steps:
Upgrade to RSA Authenticator 4.3.2.
If problems persist, try restarting the app following the instructions provided here.
Be aware that end users who have restored their phones from a backup will need to be issued new tokens. This is intentional behavior for security reasons.
More details are provided below.
Scenario 1: iOS only, on 4.3.0 or 4.3.1. The error presents with the following error message.
Root Cause: On very infrequent occasions when the app is opened, a race condition prevents the libraries from loading properly, which causes the above error. Starting and stopping the app might resolve this issue.
For most users this issue is resolved in the latest RSA Authenticator 4.3.1 app. The fix is also available in RSA Authenticator 4.3.2 and subsequent releases.
Scenario 1: Follow-up for users who installed RSA Authenticator 4.3.2: The following error may display.
We believe many users who experience this error in 4.3.2 have also restored from backup in an attempt to resolve the original error. There may also be a small number of end users who experience this issue under other circumstances due to the library loading race condition. Users who experience this error should quit and reopen the RSA Authenticator app, which will work around the issue for the majority of impacted users.
For users who performed a restore or who continue to experience this problem after restarting their app, please see Scenario 2 below for the current update.
Scenario 2: iOS only. The error presents with the following messages. The scenario involves users who have either:
Gotten a new phone and restored from backup.
Factory reset their existing phone and restored from backup.
The error presents when the user attempts to import a token.
4.3.0/4.3.1: End users who restored from backup will see the first message when launching the app, and the second message if they attempt to import a new token.
4.3.2: End users who have restored from backup will see the following message. This is an intentional security safeguard and is not a defect. End users who have restored from backup must obtain a new token. The majority of end users who take this step will be able to proceed with no further issues.
A very small number of end users who attempted to import a new token after seeing this message reported seeing the following error and were unable to proceed.
Root Cause: On a restore from backup, Apple resets encryption keys. In this scenario, for security reasons we require the user to get a new token. The old, now-invalid token was not being properly removed.
Current Update: We have provided a fix to automatically handle token removal in 4.3.2, and this fix has addressed the problem for most end users. Most end users were able to successfully import new tokens as expected after restoring from backup.
In 4.3.3 we will continue to automatically handle token removal for most end users who are newly upgrading and, in addition, we will provide a manual recovery option. This will allow any end users who continue to experience an error to remove invalid tokens so they may import a new token. This step should only be taken after other mitigations have been unsuccessful (since it requires issuance of a new token).
We expect to complete work on 4.3.3 today (2023-09-19). The app will then need to go through Apple's approval process, which may take up to 24-48 hours.