You can provide online emergency access for a user whose RSA SecurID Token or RSA SecurID Authenticate app is temporarily unavailable by assigning a set of one-time tokencodes. Each one-time tokencode can be used once in place of the user's missing token. The set of tokencodes allows a user to authenticate multiple times without contacting an administrator each time.
RSA SecurID users must enter the one-time tokencode with the RSA SecurID PIN to perform two-factor authentication. Authenticate app users enter the one-time tokencode without a PIN. (A PIN might be required to view the tokencode on the mobile device, but this is not the RSA SecurID PIN.)
The user must be able to access the RSA Authentication Manager network when using a one-time tokencode.
Note:One-time tokencodes can only be used to access resources protected by Authentication Manager. They cannot be used to access resources protected by the Cloud Authentication Service.
Before you begin
Users must have already been an assigned a valid (not expired) RSA SecurID token before you send them sets of one-time tokencodes. This requirement also applies to users who will use a one-time tokencode in place of the Authenticate app.
In the Security Console, click Authentication > SecurID Tokens > Manage Existing.
Use the search fields to find the appropriate token.
From the search results, click the token with which you want to work.
From the context menu, click Emergency Access Tokencodes.
On the Manage Emergency Access Tokencodes page, select the Online Emergency Access checkbox to enable authentication with an online emergency access tokencode.
Select Set of One-Time Tokencodes.
Enter the number of tokencodes that you want to generate.
Click Generate Codes. The set of tokencodes displays below the Generate Codes button.
Record the set of one-time tokencodes so you can communicate them to the user.
Select one of the following options for the Emergency Access Tokencode Lifetime:
Set an expiration date for the tokencode.
In the If Token Becomes Available field, configure how Authentication Manager handles lost or unavailable tokens that become available.
Deny authentication with the recovered token.
If a token is permanently lost or stolen, deny authentication with the recovered token so that it cannot be used for authentication if recovered by an unauthorized individual. This is essential if the lost token does not require a PIN.
Allow authentication with the recovered token while simultaneously disabling the emergency access tokencode.
Allow authentication with the recovered token only after the emergency access tokencode has expired.