AnsweredAssumed Answered

How does extending SecurID Token Lifetime work?

Question asked by Michiel Simon on Jan 12, 2017
Latest reply on Jan 18, 2017 by Michiel Simon

Like • Show 0 Likes0
Comment • 12

Hi,

I recently noticed our service desk started using the new RSA AM v8.2 "Extend SecurID Token Lifetime" feature. Unfortunately, it seems users are unable to logon with these extended tokens (one expired 31/12/2016 and was extended, but user can't logon).

I've checked the manual on this feature but I still don't understand what this about or when/how to use it. I can't test atm because I have no tokens expiring soon (and for other tokens it says "The token cannot be extended. It has more than 15 day(s) remaining before token expiration.")

The manual says:

[...]
For example, a token that will expire in 15 days can be extended so that it will not expire for another 30 years. An unassigned token that expires in 30 years provides a new expiration date to the distributed token that was expiring in 15 days, and the unassigned token is deleted. The original, distributed token on the user device receives an extended lifetime in Authentication Manager.

Does this mean the extended token just "claims" one of the free non-extended tokens and uses its 'presence' to continue authentication? Thanks for helping out!! Regards,

Michiel

Brian Twomey

Jan 12, 2017 10:56 AM

Correct Answer

Maybe this will help explain things:

See the reply in context

No one else had this question

Outcomes

Jay Guillette

Jan 12, 2017 10:08 AM

This is a new feature, and only works on Soft Tokens that were distributed under AM 8.2 or later. So if you distributed these software tokens back in AM 8.1 SP1 P15 or less, then upgraded to AM 8.2, you would have to distribute that software token again in order to extend it.

Basically both the AM server and the token need to know how to extend the lifetime, and that 'knowledge' was not included in software tokens distributed pre-8.2

Actions

Michiel Simon Jan 12, 2017 10:20 AM

Hi Jay,

Thanks for the info - that bit is all clear, however, I don't understand how the extension works technically. I mean, if I could just extend expiring tokens with another 30 years, we would never have to buy another token again. The way the manual describes it, we would never have to replace another token as they can simply be extended.

In the portal, I still see the token as "expired on 31/12/2016" but on the user's device, the expiry is now showing as 2035. Will the AM portal still authenticate this token? If not, then what did the "Extend Expiry" do? Hope you see my point!!

Thanks;

Michiel

1 person found this helpful

Actions

Brian Twomey

@ Michiel Simon on Jan 12, 2017 10:56 AM

Maybe this will help explain things:

3 people found this helpful

Actions

Jay Guillette

@ Brian Twomey on Jan 12, 2017 12:04 PM

I knew there was a reason I sit across from Brian!

Actions

Edward Davis

Jan 12, 2017 1:59 PM

To your question:

Does this mean the extended token just "claims" one of the free non-extended tokens and uses its 'presence' to continue authentication?

Yes on the RSA server, the expiring token 'claims' the expire date of the new token.

The end user experience is they install the token once, and never deal with installing

it ever again, and it never expires on their device.

All the user notices if you do not extend the token past is expire date, is logins start to fail, whereas before

version 8.2, the end user would have the software token app tell them the token is expired.

1 person found this helpful

Actions

Michiel Simon Jan 12, 2017 3:49 PM

Thanks for your comments all - very useful information! Also about the tip regarding authentication "suddenly" failing will definitely come in handy as neither users nor helpdesk will understand why the token kept on going regardless of its (server-side) expiry date.

Cheers!

Actions

Michiel Simon Jan 13, 2017 8:47 AM

Just one last question - is it correct that the token that is used as "Extension token" (so the one with a future expiry date, which is 'borrowed' by the already-expired token) cannot be found anymore in either the "Assigned tokens" or the "Unassigned tokens" overview?

It shows up when I dig up the old/expired token and then check the "Extension token" field, but when doing a search, it's almost as if the token has disappeared - is this by design?! Tx!

Actions

Brian Twomey

@ Michiel Simon on Jan 13, 2017 8:55 AM

Yes, that is correct. The token that was used to extend the life of the existing token is removed from the system.

1 person found this helpful

Actions

Michiel Simon @ Brian Twomey on Jan 13, 2017 9:01 AM

Thanks - I indeed see the extension token does not even return when unassigning the initial token from the user. It's almost as if the 2 tokens were merged, leaving just a record of the old token (and the extended token actually inherits the deleted token's expiry date).

Cheers for the help!!

Actions

Michiel Simon Jan 18, 2017 9:43 AM

Just to be 100% sure, is it correct that with this new model users are no longer able to see when "officially" their tokens expire? Just to make sure I'm providing the correct info to helpdesks on users reporting their token "suddenly" not working anymore. We've kind of trained them to always check the token properties on the device, but I guess with this new model, that will always show 2035 (with the real expiry date only visible in RSA web console)?

Actions

Edward Davis

@ Michiel Simon on Jan 18, 2017 10:11 AM

Right.

user sees 2035, they do not know the actual expire date unless you inform them.

Only an RSA admin can know the actual expire date.

1 person found this helpful

Actions

Michiel Simon @ Edward Davis on Jan 18, 2017 10:14 AM

Many thanks - confirms exactly what we've been seeing!

Actions

12 Replies

Jay Guillette Jan 12, 2017 10:08 AM
Mark Correct
Correct Answer
This is a new feature, and only works on Soft Tokens that were distributed under AM 8.2 or later. So if you distributed these software tokens back in AM 8.1 SP1 P15 or less, then upgraded to AM 8.2, you would have to distribute that software token again in order to extend it.
Basically both the AM server and the token need to know how to extend the lifetime, and that 'knowledge' was not included in software tokens distributed pre-8.2
Like • Show 0 Likes0
Actions
Michiel Simon Jan 12, 2017 10:20 AM
Mark Correct
Correct Answer
Hi Jay,

Thanks for the info - that bit is all clear, however, I don't understand how the extension works technically. I mean, if I could just extend expiring tokens with another 30 years, we would never have to buy another token again. The way the manual describes it, we would never have to replace another token as they can simply be extended.

In the portal, I still see the token as "expired on 31/12/2016" but on the user's device, the expiry is now showing as 2035. Will the AM portal still authenticate this token? If not, then what did the "Extend Expiry" do? Hope you see my point!!

Thanks;
Michiel
1 person found this helpful
Like • Show 0 Likes0
Actions
- Brian Twomey @ Michiel Simon on Jan 12, 2017 10:56 AM
  Unmark Correct
  Correct Answer
  Maybe this will help explain things:
  
  3 people found this helpful
  Like • Show 3 Likes3
  Actions
  - Jay Guillette @ Brian Twomey on Jan 12, 2017 12:04 PM
    Mark Correct
    Correct Answer
    I knew there was a reason I sit across from Brian!
    Like • Show 0 Likes0
    Actions
Edward Davis Jan 12, 2017 1:59 PM
Mark Correct
Correct Answer
To your question:

Does this mean the extended token just "claims" one of the free non-extended tokens and uses its 'presence' to continue authentication?

Yes on the RSA server, the expiring token 'claims' the expire date of the new token.

The end user experience is they install the token once, and never deal with installing
it ever again, and it never expires on their device.

All the user notices if you do not extend the token past is expire date, is logins start to fail, whereas before
version 8.2, the end user would have the software token app tell them the token is expired.
1 person found this helpful
Like • Show 1 Like1
Actions
Michiel Simon Jan 12, 2017 3:49 PM
Mark Correct
Correct Answer
Thanks for your comments all - very useful information! Also about the tip regarding authentication "suddenly" failing will definitely come in handy as neither users nor helpdesk will understand why the token kept on going regardless of its (server-side) expiry date.

Cheers!
Like • Show 0 Likes0
Actions
Michiel Simon Jan 13, 2017 8:47 AM
Mark Correct
Correct Answer
Just one last question - is it correct that the token that is used as "Extension token" (so the one with a future expiry date, which is 'borrowed' by the already-expired token) cannot be found anymore in either the "Assigned tokens" or the "Unassigned tokens" overview?

It shows up when I dig up the old/expired token and then check the "Extension token" field, but when doing a search, it's almost as if the token has disappeared - is this by design?! Tx!
Like • Show 0 Likes0
Actions
- Brian Twomey @ Michiel Simon on Jan 13, 2017 8:55 AM
  Mark Correct
  Correct Answer
  Yes, that is correct. The token that was used to extend the life of the existing token is removed from the system.
  1 person found this helpful
  Like • Show 0 Likes0
  Actions
  - Michiel Simon @ Brian Twomey on Jan 13, 2017 9:01 AM
    Mark Correct
    Correct Answer
    Thanks - I indeed see the extension token does not even return when unassigning the initial token from the user. It's almost as if the 2 tokens were merged, leaving just a record of the old token (and the extended token actually inherits the deleted token's expiry date).
    
    Cheers for the help!!
    Like • Show 0 Likes0
    Actions
Michiel Simon Jan 18, 2017 9:43 AM
Mark Correct
Correct Answer
Just to be 100% sure, is it correct that with this new model users are no longer able to see when "officially" their tokens expire? Just to make sure I'm providing the correct info to helpdesks on users reporting their token "suddenly" not working anymore. We've kind of trained them to always check the token properties on the device, but I guess with this new model, that will always show 2035 (with the real expiry date only visible in RSA web console)?
Like • Show 0 Likes0
Actions
- Edward Davis @ Michiel Simon on Jan 18, 2017 10:11 AM
  Mark Correct
  Correct Answer
  Right.
  
  user sees 2035, they do not know the actual expire date unless you inform them.
  
  Only an RSA admin can know the actual expire date.
  1 person found this helpful
  Like • Show 1 Like1
  Actions
  - Michiel Simon @ Edward Davis on Jan 18, 2017 10:14 AM
    Mark Correct
    Correct Answer
    Many thanks - confirms exactly what we've been seeing!
    Like • Show 0 Likes0
    Actions