Managing SecurID PINs

You can manage the SecurID PINs as follows:

SecurID PINs

A personal identification number (PIN) is a numeric password used to authenticate a user.

To increase security, you can set the token policy to require users to create PINs containing both letters and numbers and to change their PINs at regular intervals. See Token Policy.

Misplaced or stolen PINs puts protected resources at risk. For this reason, you should instruct users to report compromised PINs as soon as possible.

When a user reports a compromised PIN, you can require the user to change his or her PIN after the next successful authentication.

When a user is required to change a PIN, the user must know his or her current PIN. To change a PIN, the user authenticates using the existing PIN and tokencode. After successfully authenticating, the user is prompted to create and confirm a new PIN, and the PIN is associated with the user’s token.

For example, suppose a user reports that she used her computer at a local coffee shop, and now she is worried that someone may have seen her type her PIN. After you receive the report, you use the Security Console to require the user to change her PIN. For instructions, see Require Users to Change Their SecurID PINs.

The token policy may require the user to use a system-generated PIN instead of creating one. After the next authentication, the system provides the user with a new, system-generated PIN. The user then authenticates again using the new, system-generated PIN.

If users forget their PINs, you cannot require them to change their PINS in order to obtain a new one because users need to know their PINs in order to change them. You must clear the PIN before the user can create a new one. For instructions, see Clear an SecurID PIN.

Users can also use Self-Service to reset their PINs.

Note: On-demand authentication (ODA) users also require PINs. For more information, see PINs for On-Demand Authentication.

Clear an RSA SecurID PIN

When a user forgets a SecurID PIN, you can clear the PIN so that the user can create a new one. When you clear a user’s PIN, the user can create a new PIN the next time the user authenticates.

For example, suppose a user has forgotten a PIN and calls for help. You verify the user’s identity and clear the PIN. You tell the user to enter just the tokencode when prompted for the passcode the next time user authenticates. After entering the tokencode, the user is prompted to create a new PIN for the user’s token.

You can clear PINs on any primary or replica instance.

Procedure

  1. In the Security Console, click Identity > Users > Manage Existing.

  2. Use the search fields to find the user for whom you want to clear a PIN.

  3. Click the user.

  4. From the context menu, select SecurID Tokens.

  5. Click the serial number for the user’s assigned token.

  6. From the context menu, select ClearSecurID PIN.

  7. Tell the user to enter only a tokencode at the next authentication. After the user enters the tokencode, the user is prompted to create a new PIN.

To clear an SecurID PIN in the User Dashboard:

Procedure

  1. In the Security Console, go to the Home page.

  2. Use Quick Search to find the user.

  3. Select the user whose PIN needs to be cleared.

  4. Under Assigned SecurID Tokens, click the token with the PIN that needs to be cleared.

  5. Click Clear PIN.

  1. When prompted, click Clear PIN(s).

Require Users to Change Their RSA SecurID PINs

When you require a user to change a SecurID PIN, the user is prompted to create a new PIN after successfully authenticating with the token.

You can require a PIN change only when a user knows the existing PIN. For example, you might require a user to change a SecurID PIN if the current PIN has been compromised. If a user has forgotten the PIN, clear the PIN.

Procedure

  1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.

  2. Click the Assigned tab.

  3. Use the search fields to find the token that you want to edit.

  4. From the search results, click the token with the PIN that you want the user to change.

  5. Select Require SecurID PIN Change.

Allow All Users to Authenticate Without an SecurID PIN

You can configure RSA Authentication Manager so that all users can authenticate without entering an SecurID PIN. Instead of entering the PIN followed by the tokencode, users enter just the tokencode displayed on the token. You can configure both hardware and software tokens so they do not require a PIN for authentication.

Authenticating with just a tokencode is ideal for situations such as software tokens that users must unlock with a password. In these situations, the PIN or password that unlocks the resource is one of the authentication factors, and the tokencode serves as the second.

Procedure

  1. In the Security Console, click Setup > System Settings.

  2. Under Authentication Settings, click Tokens.

  3. Use the User Authentication Requirement buttons to specify if you want to require users to authenticate with a tokencode only or with a passcode (PIN + tokencode).

  4. Click Save.

Allow a User to Authenticate Without an SecurID PIN

RSA Authentication Manager supports authentication with tokens that do not require an SecurID PIN. To authenticate, instead of entering the PIN followed by the tokencode, the user enters just the tokencode displayed on the token.

Authenticating with just a tokencode is ideal for situations such as software tokens that users must unlock with a password. In these situations, the PIN or password that unlocks the resource is one of the authentication factors, and the tokencode serves as the second.

You can configure both hardware and software tokens so they do not require a PIN for authentication. You must notify users if you make any change in the user authentication requirement options.

You can perform this procedure for one user or more users.

Procedure

  1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.

  2. Use the search fields to find the tokens that you want to configure.

  3. Select the checkbox next to the tokens that you want to configure.

  4. From the Action menu, click Don't Require SecurID PIN.

  5. Click Go.