AnsweredAssumed Answered

SecurID Tokens: Can they resync on their own?

Question asked by Keith Giles on Apr 16, 2018
Latest reply on Apr 16, 2018 by Keith Giles

Like • Show 0 Likes0
Comment • 8

We recently had two users prompted to enter the "next tokencode" after they'd already logged in successfully. According to RSA support, this is typically because their tokens are out of sync.

However, they were able to log in again after we cleared their incorrect login attempts. We did not do anything to resynchronize their tokens.

With that said, does this mean the tokens can sometimes get back into sync without intervention?

Or was my problem perhaps something else? The users were highly confident they entered the correct token code each time.

No one else has this question

Outcomes

8 Replies

Jay Guillette Apr 16, 2018 10:55 AM
Mark Correct
Correct Answer
The answer is 'a little bit' or 'kind of'
If you restart AM services on the Primary, either after a reboot or in Linux /opt/rsa/am/server/rsaserv restart all
the first time every token is used to logon after that, the AM server will accept any tokencode within a plus or minus 10 minute window. The AM server can then note any difference in the time on the token from the time on the AM server (which is always assumed to be correct)
Re-synching a token does the same thing, but with a plus or minus 12 hour window
1 person found this helpful
Like • Show 0 Likes0
Actions
Ted Barbour Apr 16, 2018 11:04 AM
Mark Correct
Correct Answer
You can be entered into NTC mode because of incorrect attempts per token policy.
1 person found this helpful
Like • Show 0 Likes0
Actions
Jay Guillette Apr 16, 2018 11:07 AM
Mark Correct
Correct Answer
To your original question, Next token Code, NTC can happen for two reasons, one of which is kind of what Support indicated to you, that this token is a little bit out of synch, the tokencode entered was within 2-3 minutes of the expected tokencode AFTER an initial authentication after restarting AM services. In other words, first time token used to authenticate after services have been started is the plus or minus 10 minute window, which allows AM to get its bearing on this individual token, to learn this token's exact time offset difference, and every time authenticating after that initial auth the Window is tighter, plus or minus 1 minute. Close as in plus or minus 2-3 minutes triggers NTC. Any tokencode more than 3 minutes off from expected offset time is considered incorrect and look even looked up.

The 2nd way to trigger NTC is to fail authentication some minimum amount of times, which is set in the Token Policy, and defaults to 3 failures in a row without a success - over any amount of time that the AM services have been running. You might consider a Token Policy change to 5 if this is a problem for your users, arguing that 5 is still tight enough to thwart hackers trying to steal OTPs (which in itself is an Everest-type task for the hacker).

You also can clear all NTPs from all Tokens with the /opt/rsa/am/utils/rsautil sync-tokens utility in Linux
1 person found this helpful
Like • Show 0 Likes0
Actions
Keith Giles Apr 16, 2018 11:30 AM
Mark Correct
Correct Answer
Thanks for the replies. If I understand, then restarting the AM service will essentially resync the tokens? It's been a few months since it was restarted (the latest patch).

I do see that our policy requires next tokencode after 3 incorrect passcodes. Does this mean three consecutive incorrect entries? Or is this just three random incorrect entries?

The users were extremely confident they entered the correct passcode, but perhaps they entered their computer password incorrectly.
Like • Show 0 Likes0
Actions
- Jay Guillette @ Keith Giles on Apr 16, 2018 11:35 AM
  Mark Correct
  Correct Answer
  Yeah, I'd restart services, maybe implement a plan to restart or reboot once per quarter or something, and change Token Policy to 5 and then the problem should really drop off your radar.
  The 3 strike (or 5 strike change) bad TokenCode in the Token Policy is in a row, meaning it goes back to 0 strikes when you successfully authenticate with that Token.
  You could also run an authentication report on the user, and look for 3 failures in a row. If you cannot find that, then it is most likely due to time being slightly off.
  1 person found this helpful
  Like • Show 0 Likes0
  Actions
  - Keith Giles @ Jay Guillette on Apr 16, 2018 11:40 AM
    Mark Correct
    Correct Answer
    Thanks so much Jay, I will check that!
    
    To confirm, when it says incorrect passcodes, it is referring to the AD password + the tokencode, so it could be an incorrect password too?
    Like • Show 0 Likes0
    Actions
Erica Chalfin Apr 16, 2018 11:35 AM
Mark Correct
Correct Answer
Keith Giles,

000029685 - Navigating Next Tokencode Mode in RSA Authentication Manager 8.1 and above gives a good explanation of the Next Tokencode process and the window of valid tokencodes when authenticating.

Regards,
Erica
1 person found this helpful
Like • Show 0 Likes0
Actions
- Keith Giles @ Erica Chalfin on Apr 16, 2018 11:37 AM
  Mark Correct
  Correct Answer
  Erica Chalfin, thanks! I will definitely read over that.
  Like • Show 0 Likes0
  Actions

SecurID Tokens: Can they resync on their own?

Outcomes

Related Content

Recommended Content