Manage Users for the Cloud Authentication Service Manage Users for the Cloud Authentication Service

Use the Cloud Administration Console to perform the following user management tasks.

Help Desk Administrator Tasks	General User Management Tasks
Assign a Hardware Authenticator to a User	Clear a Hardware OTP Credential PIN for a User
Delete a User's Authenticator	Configure or Disable Automatic User Deletion - Bulk Maintenance
Disable Emergency Access Code for a User	Delete a Single User Immediately from the Cloud Authentication Service
Enable or Disable a User	Delete a User's Hardware Authenticator
Generate a Registration Code	Disable or Enable a Hardware Authenticator
Manage User Phone Numbers	Mark a User for Automatic Bulk Deletion from the Cloud Authentication Service
Provide an Emergency Access Code to a User	Run Reports
Synchronize One User	Undelete a User Who is Pending Deletion
Unassign a Hardware Authenticator from a User	Undelete Users Who Are Pending Deletion - Bulk Maintenance
Unlock a User's Password	Disable or Enable a FIDO Credential
Unlock All OTPs for a User	Add a User in the Unified Directory
View User Information	Edit User Details in the Unified Directory
Reset a User's Password	Import Users to a Local Identity Source

View User InformationView User Information

You can use the Cloud Administration Console to view the following information for a user.

User Information	Description
First Name, Last Name, Username, Alternate Username, Email Address	Information that identifies the user. Alternate Username is optional. For example, this attribute can be used for the Active Directory userPrincipalName.
Account Created On	Date when the user account was added to the Cloud Authentication Service.
User Status	Enabled. Users can access protected resources. Disabled. Users cannot access protected resources or register authenticators. Pending Deletion. The user and all associated data and authenticators will be automatically deleted from the Cloud Authentication Service seven days after being marked for deletion in the Cloud Administration Console. See Identity Sources for the Cloud Authentication Service for information on how synchronization affects the user status.
High-Risk User	If you have the Cloud Premier license, this attribute is displayed. Yes indicates the user is marked as high risk by an external third-party application. No is displayed if the user is not marked as high risk by an external third-party application. If you configured conditional access policies using the High-Risk User List attribute, this status can affect authentication requirements for the user.
Identity Source	User's identity source for the Cloud Authentication Service.
SMS Phone Voice Phone	Displays user phone numbers after you click Show synchronized phone numbers. Phone numbers appear only if corresponding attributes were configured and synchronized. Note: For the users in the Unified Directory, the phone numbers that were provided while creating the users are displayed. You can edit the phone numbers.
Updated	Date and time when the user was last modified by the administrator, the user, the Cloud Authentication Service, or external systems.
Refreshed	Date and time when the user's information was last synchronized with an identity source using any of the following methods: You clicked Synchronize on the User Management page to synchronize a single user. The user was updated through just-in-time or manual synchronization. You searched and found an unsynchronized user and the user was automatically added to the Cloud Authentication Service. The user was updated from an external user source.
Registered Authenticators and Browsers	Includes devices where the SecurID app/SecurID Authenticator app is installed, the user's registered FIDO authenticators, and known browsers. A browser becomes known when a user completes authentication and clicks Remember This Browser. RSA remembers the browser and identifies it with the Known Browser attribute in an access policy. If the user does not click Remember This Browser, the browser is not known. A known browser is deleted from the user's account after it has not been used for 90 days. Users who do not use a known browser within 90 days might have to reauthenticate.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's ID (email address).

• If the user's ID appears in the list, this means that the user already exists in the Cloud Authentication Service.

• If not, click Include and add users not synchronized to the Cloud Authentication Service to add the user. Make sure that you enter an exact match if you do not see the user in the list (For example, new users or users who are not authenticated). Click the prompt to find and automatically add the user to the Cloud Authentication Service.

Note: In certain cases, when customer's identity source configuration for user identifiers are mapped to email, sAMAccountName, and msDS-PrincipalName. The Customer can on board new users to cloud using email and sAMAcountName values via admin console or My Page or any SAML or ODIC Relying parties .

But if the customer selects "msDS-PrincipalName", which is a constructed attribute of Microsoft Active Directory, as a parameter to identify username in the user population, then the search does not fetch results because the Active Directory limits the usage of constructed attribute in search queries. Therefore, it is not utilized to on board new users from admin console by admins or by end users via My Page. However, when the user is added (synchronized) to the cloud, the user can access the application using any identifier, such as mail, sAMAccountName, or msDS-PrincipalName.

For descriptions of attributes, refer Active Directory Attributes Synchronized for Authentication.

Add a User in the Unified Directory Add a User in the Unified Directory

You can use the Cloud Administration Console to create a user in the Unified Directory. You can add the users’ details and set their initial passwords. Users can then log on to My Page and change their assigned password.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. On the User Management page, click Add a User.

3. Enter the following information:

User Information	Description
Identity Source	Select the user's identity source for the Cloud Authentication Service. This field is required.
First Name, Last Name, Username, Alternate Username, Email Address	Enter the information that identifies the user. First Name, Username, and Email address fields are required. Last Name and Alternate Username fields are optional.
Group Membership	Enter the group name(s) in which that user is currently a member of. This field is optional.
SMS Phone Voice Phone	Enter the user phone numbers. These fields are optional.
Password Creation, Password, Confirm Password	In the Password Creation field, the following options can be available based on the enabled options for initial password creation: Admin Entered Generate & Display Generate & Send None For information about how to enable the initial password creation options, see Add a Unified Directory Identity Source. Type and confirm the password that the user will use for authentication. The password must meet the password policy requirements; the password must be between 10 and 64 characters. Users can change their initial or first-time passwords when they log on to My Page. These fields are required.

4. Click Create User.
   

Edit User Details in the Unified DirectoryEdit User Details in the Unified Directory

If a user (created using the SCIM API or the Cloud Administration Console) belongs to local identity sources, you can edit the user's details. You can search for the user (Users > Management) and then click Edit User.

The following fields can be edited:

• First Name

• Last Name

• Username

• Alternate Username

• Email Address

• Group Membership (you can provide more than one group name)

• SMS Phone

• Voice Phone

Import Users to a Local Identity SourceImport Users to a Local Identity Source

You can import users in the form of a CSV file to local identity sources. When importing users, you can download and view a sample CSV file to use as a template.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. On the User Management page, click Import Users.

3. In the Identity Source drop-down menu, select the name of the local identity source you want.

4. In the User CSV File field, click Choose File, navigate to the CSV file, and then click Open.

5. Click Import.

Note: Click the Download CSV Template button if you want to download a sample users import file.

The Cloud Authentication Service validates that the CSV file is formatted correctly and that all the attribute requirements are met.

Reset a User's PasswordReset a User's Password

If a user requires a password reset, you can initiate the password reset. You can generate a one-time code and share it with a user, or send a user an email notification including a reset link, a one-time code, and an expiration time to reset their password.

Before you begin

In the Cloud Administration Console, select Enable under Self Service to enable My Page.

For LDAP and Active Directory (AD) identity sources, enable Use SSL/TLS encryption to connect to the directory servers. Click Add and select the LDAP server root certificate. In the Password Settings section, enable Allow Users to Change Passwords.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list to display the user's details and registered authenticators.

3. In the Password Reset section, to customize the password reset link, see Customize and Configure Domain Name.

4. In the Valid for field, enter the expiration time of the password reset link.

5. Select one of the following reset code options:

   1. Display is selected by default. Click Generate Reset Code. Copy the code and share it with users.

   2. Email and click Generate & Send Reset Code. The user's email address is displayed by default, but you can remove it and add another verified email address for a user.

To configure the password reset email notification, click My Account > Company Settings > Email Notifications, and select Send OTP in Email for Admin Assisted. For more information, see Configure Email Notifications.

To configure the number of failed sign-in attempts allowed for a user, see Configure Session and Authentication Method Attempts.

Provide an Emergency Access Code to a UserProvide an Emergency Access Code to a User

If a user forgets or misplaces a registered authenticator, you can provide the user with temporary access by generating an Emergency Access Code. If the user is online (able to access the company network without the registered authenticator), the next time the user attempts to access the protected resource, the user will be able to select Emergency Access Code from the list of available authentication options. The online Emergency Access Code is valid for the configured number of days (1-7).

If the user is offline, he or she can use Emergency Access Code to sign into a computer that is protected by the RSA MFA Agent for Microsoft Windows, even if the computer has no internet connection. If the computer has an internet connection, the same access code can be used online to access resources protected by the Cloud Authentication Service.

See how to provide an emergency access code to a user:

For details about access code configuration and lifetime, see Emergency Access Code.

Before you begin

Know which applications in your company are configured to allow Emergency Access Code. Your Super Admin can confirm this information.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list to display the user's details and registered authenticators.

3. If the user is able to access the company network, select the number of days the OTP is valid until expiration. If the user is offline, skip this field.

4. Click Generate Code.

   If Emergency Access Code is disabled for offline use (My Account > Company Settings > Sessions & Authentication), an 8-character alphanumeric code is generated that can only be used when the user is online. If Emergency Access Code is enabled for offline use, a 12-character alphanumeric code is generated that can be used both online and offline.

   Users who are not enabled for offline authentication or who have not yet downloaded day files always receive an 8-character alphanumeric code that can only be used when the user is online.

5. Securely deliver the OTP to the user immediately. Tell the user to select Emergency Access Code the next time the user authenticates.

   The OTP disappears from the User Management page after you leave the page and cannot be displayed again. If the user forgets the code, you must regenerate it.

Disable Emergency Access Code for a UserDisable Emergency Access Code for a User

You can disable a user's Emergency Access Code before its online expiration date has elapsed. This date is configured on the Users > Management page. You cannot disable this access code after its online expiration date has elapsed.

Disabling Emergency Access Code for a user has the following impact:

• The user cannot select Emergency Access Code when attempting to access resources protected by the Cloud Authentication Service because this method is not presented as an option.

• You cannot view or re-enable the access code in the Cloud Administration Console. If the user needs emergency access, you must generate a new access code.

If your deployment has enabled Emergency Access Code for offline use and you disable it for a user after you have already given it to that user, the user can still use the disabled access code to sign in to a computer that is offline (with no internet connection) and is protected by the RSA MFA Agent for Microsoft Windows. The disabled access code can be used offline until one of the following events occurs:

• The configured lifetime (1-30 days) has elapsed. The lifetime is configured on the My Account > Company Settings > Session & Authentication page.

• The user has successfully authenticated, through the MFA Agent, using a method other than Emergency Access Code, to the Cloud Authentication Service. The disabled access code becomes invalid when a new access code is downloaded to replace the old one, beginning a new lifetime cycle.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list to display the user's details and registered authenticators.

3. Click Disable Access Code.

Synchronize One UserSynchronize One User

A Super Admin or Help Desk Administrator can synchronize one user from an identity source to view the user's most recent information from the directory server. Go to the User Management page for the user and click Synchronize.

When you search for an unsynchronized user in the Cloud Administration Console, that user is automatically added to the Cloud Authentication Service. For instructions, see View User Information.

For more information on synchronization, see Identity Sources for the Cloud Authentication Service

Note: Synchronization is unavailable for users in the Unified Directory.

Enable or Disable a UserEnable or Disable a User

Enabled users can authenticate to access resources protected by the Cloud Authentication Service. Users are enabled by default when you add them to the Cloud Authentication Service through synchronization. Disabled users remain in the Cloud Authentication Service and their registered authenticators are not deleted, but they cannot access protected resources or register new authenticators.

Tips Tips

• Super Admins can enable or disable any administrator or user. Help Desk Admins can enable or disable non-administrative users and Help Desk Admins, but they cannot enable or disable Super Admins. An administrator cannot enable or disable his own account.

• If you manually disable a user in the Cloud Authentication Service and that user is still enabled in the directory server, the user can continue to sign in to the application portal but cannot complete additional authentication. If you want to prevent the user from signing in to the portal, you must disable the user in the directory server.

Before you begin

Understand how identity source synchronization affects user enablement and disablement. See Identity Sources for the Cloud Authentication Service.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.

3. On the user's detail page, click Disable or Enable.

4. When prompted, confirm the action.

Delete a User's AuthenticatorDelete a User's Authenticator

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.

3. On the user's detail page, find the authenticator you want to delete and click the delete icon.

4. When prompted, click Delete.

After you finish

After you delete the authenticator, the next time the user's SecurID app/SecurID Authenticator communicates with the Cloud Authentication Service, it presents a message to the user that the account has been removed from the device. The user cannot use the app for the deleted account without completing registration again. If the user has registered more than one account, he can use the app for accounts that were not deleted.

Assign a Hardware Authenticator to a UserAssign a Hardware Authenticator to a User

Each user can have up to five active SecurID 700 hardware OTP credentials or up to four SecurID 700 hardware OTP credentials and one SecurID DS100 OTP credential that are managed in the Cloud Administration Console. You can assign hardware OTP credentials to users before distribution. Upon receiving their credentials, users must go to My Page to activate the preregistered credentials and test authentication.

If preferred, you can send unassigned credentials to users and ask users to go to My Page to register their credentials and test authentication.

Note: You must upload decrypted credential files to the Cloud Authentication Service to see the Assign Hardware Authenticator link. See Deploy Hardware OTP Credentials to Users.

Before you begin

Super Admins and Help Desk Administrators can perform this task.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list to display the user's details and registered authenticators.

3. On the user's detail page, click Assign a Hardware Authenticator.

4. Enter the serial number of the authenticator that you want to assign.

5. (Optional) Name the authenticator that you want to assign.

   By default, the hardware authenticator name is the serial number, unless you enter a name or the user enters a name during registration.

6. Click Assign Authenticator.

Unassign a Hardware Authenticator from a UserUnassign a Hardware Authenticator from a User

You can unassign a user's hardware authenticator. Unassigning the hardware authenticator prevents the user from authenticating with the hardware authenticator. You can re-use the authenticator file for a different user after it is unassigned.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.

3. Click the black circle icon next to the hardware authenticator.

4. When prompted, click Unassign.

Disable or Enable a Hardware AuthenticatorDisable or Enable a Hardware Authenticator

You can disable or enable a user's hardware authenticator. Registered authenticators are automatically enabled. You can unassign a disabled authenticator.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.

3. On the user's detail page, the hardware authenticator is listed by name or serial number. Click the Edit icon next to the hardware authenticator.

4. Click Enabled or Disabled.

5. Click Save or Close.

Delete a User's Hardware AuthenticatorDelete a User's Hardware Authenticator

You can delete a user's hardware authenticator from the Cloud Authentication Service. This is useful if the user has lost the hardware authenticator. Deleting a hardware authenticator has the following impact:

• The hardware authenticator in the user's possession can no longer be used for authentication.

• You must re-import the authenticator file before assigning it to another user.

Before you begin

You must be a Super Admin to perform this task.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.

3. Click the black circle icon next to the hardware authenticator.

4. When prompted, click Delete.

Disable or Enable a FIDO CredentialDisable or Enable a FIDO Credential

You can disable or enable a user's FIDO credential. Registered credentials are automatically enabled.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.

3. On the user's detail page, the FIDO credential is listed by name. Click the Edit icon next to the FIDO credential.

4. Click Enabled or Disabled.

Manage User Phone NumbersManage User Phone Numbers

Phone numbers are required for users who authenticate using SMS OTP or Voice OTP. You can manage phone numbers for each user in the following ways:

• Select a phone number that was synchronized from the identity source.

• Manually enter a phone number that is not in the identity source. These phone numbers are stored only in the Cloud Authentication Service and are not added to the identity source or overwritten during synchronization.

• Clear the phone number and blank out the field. Phone numbers that were synchronized from the identity source remain in the list but are not used during authentication and the user is not presented with SMS OTP or Voice OTP as an authentication option.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list to display the user's details and registered authenticators.

   If the user has not yet been added to the Cloud Authentication Service, you are prompted to click Find users not yet synchronized. This will add them to the Cloud Authentication Service. Exact matches only. For example, this might include new users or users who have not previously authenticated. Click the prompt to find and automatically add the user to the Cloud Authentication Service.

3. In the SMS Phone or Voice Phone field, do one of the following:

   • Click Show synchronized phone numbers and select a number that was synchronized from the identity source.

     Note: Show synchronized phone numbers does not appear if no phone numbers were synchronized from the user's identity source. If this occurs, confirm that phone number attributes were specified in the identity source configuration. Click Users > Identity Sources > Edit.

   • Enter a new phone number.

     Note: To ensure that SMS and Voice OTPs are correctly routed during transmission, the country code is required. RSA recommends using the E.123 international format, +<country_code> <national_number>. For example, +1 555 555 5555 is a U.S. phone number that includes the country code +1. Extensions are not yet supported.

   • Clear the field to prevent SMS OTP or Voice OTP authentication. Make sure no synchronized phone numbers are selected.

4. Click Save.

Note: For users available in Unified Directory, synchronization is not applicable. You can directly edit the phone numbers.

Mark a User for Automatic Bulk Deletion from the Cloud Authentication ServiceMark a User for Automatic Bulk Deletion from the Cloud Authentication Service

You can delete users from the Cloud Authentication Service so they can no longer authenticate through the service or register an authenticator. Deletion removes all information and authenticators associated with the user from the Cloud Authentication Service. The preferred method for deleting users is automatic bulk deletion. You can perform this operation only on disabled users. The disabled users are removed from the Cloud Authentication Service in a two-step process:

1. First, you use the Cloud Administration Console to mark the disabled user for deletion, which changes the user's account status from Disabled to Pending Deletion. You can still view the user's detail information in the Cloud Authentication Service and synchronize the user in the Pending Deletion state.

2. The Cloud Authentication Service automatically deletes all users who have been Pending Deletion for seven days.

For example, if you mark the user for deletion on March 1, the user is automatically deleted from the Cloud Authentication Service on March 8. The user cannot register a device or authenticate to the Cloud Authentication Service while pending deletion or after deletion has taken place.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.

3. Make sure the user is disabled. If necessary, click Disable.

4. Click Delete.

5. When prompted, confirm the delete action.

   The user's status changes to Pending Deletion and the user will be deleted from the Cloud Authentication Service after seven days.

Note: This operation is not available for users in the SCIM Managed and Azure Active Directory (SCIM) identity sources.

After you finish

If a deleted user's account remains enabled on the directory server and is within scope in the identity source filter and root, SecurID will add the user record to the Cloud Authentication Service during the next identity source synchronization. To prevent SecurID from adding the user back to the Cloud Authentication Service, you can do one of the following:

• Disable the user in the directory server.

• Delete the user from the directory server.

• Make modifications to ensure that either the user is not in an organizational unit (OU) that is under the identity source root DN, or the user does not meet the User Search Filter criteria. You can modify either the user or the identity source configuration.

Delete a Single User Immediately from the Cloud Authentication ServiceDelete a Single User Immediately from the Cloud Authentication Service

You can delete a single user from the Cloud Authentication Service and immediately remove all information and devices associated with the user.

RSA recommends that you perform most routine delete operations in bulk, as described in Mark a User for Automatic Bulk Deletion from the Cloud Authentication Service. Bulk deletion offers advantages, such as relieving you from having to manage large numbers of users individually, and giving you the option to undo the delete operation before users are purged from the Cloud Authentication Service. However, certain emergency situations might require you to delete individual users immediately. For example, suppose you are trying to synchronize a record that has the same email address as a slightly different record for the same user that already exists in the Cloud Authentication Service. The user record fails to synchronize and the user cannot authenticate. You must delete the existing record from the Cloud Authentication Service and resynchronize in order to recreate the user record correctly so the user can complete authentication.

Note: This operation cannot be undone, but you can re-add the user by resynchronizing.

Before you begin

You must be a Super Admin to perform this task.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.

3. If the user is not disabled, click Disable.

4. Click Delete Now.

5. When prompted, confirm the delete action.

Note: This operation is not available for users in the SCIM Managed and Azure Active Directory (SCIM) identity sources.

Configure or Disable Automatic User Deletion - Bulk MaintenanceConfigure or Disable Automatic User Deletion - Bulk Maintenance

By default, the Cloud Authentication Service automatically changes the status of all Disabled users from AD and LDAP to Pending Deletion after the users have been disabled for 90 days. You can reconfigure this action to occur after users have been disabled from 30 to 180 days.

Bulk deletion helps prevent inefficiencies that result from processing large numbers of disabled users. If you have a large number of disabled users who are unlikely to use the Cloud Authentication Service again, RSA recommends that you allow the service to bulk delete those users. For example, you might bulk delete all users who were removed from the directory server within a certain timeframe, or all users who are no longer within scope of the synchronization filter.

Note: If you want to prevent automatic bulk deletion, you must disable this feature as described in the following procedure.

For a description of the Pending Deletion status, see Mark a User for Automatic Bulk Deletion from the Cloud Authentication Service.

Before you begin

You must be a Super Admin to perform this task.

Procedure

1. In the Cloud Administration Console, click Users > Bulk Maintenance.

2. If you want to reconfigure the number of days, select a number from the drop-down box and make sure the check box for Automatically change user status from Disabled to Pending Deletion for users who have been disabled for over n days is selected.

   If you want to disable automatic deletion, deselect the check box.

3. Click Save.

4. (Optional) To publish this configuration and immediately activate it, click Publish Changes.

Undelete a User Who is Pending DeletionUndelete a User Who is Pending Deletion

You can prevent a single user from being automatically purged from the Cloud Authentication Service and change the user's status to Disabled by "undeleting" the user within seven days after the user was marked for deletion. Disabled users remain in the Cloud Authentication Service, but they cannot access protected resources or register devices. If the user is enabled in the directory server, you can re-enable the user to authenticate through the Cloud Authentication Service

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.

3. Verify that the user's status is Pending Deletion, and click Undelete.

4. When prompted, confirm the Undelete action.

   The user's status changes from Pending Deletion to Disabled.

Undelete Users Who Are Pending Deletion - Bulk MaintenanceUndelete Users Who Are Pending Deletion - Bulk Maintenance

If you accidentally delete a large number of users, you can restore them to their previous Disabled state before they are purged from Cloud Authentication Service by undeleting the users in a bulk operation. The undelete action applies to all users who were marked for deletion within the number of days you specify. For example, you can undelete all users who were marked for deletion within the past three days.

Disabled users remain in the Cloud Authentication Service, but they cannot access protected resources or register devices. If the user is enabled in the directory server, you can re-enable the user to authenticate through the Cloud Authentication Service.

Procedure

1. In the Cloud Administration Console, click Users > Bulk Maintenance.

2. Complete the field Apply to users who were deleted in the past X days. Users who were marked for deletion within this many days will be undeleted. If you select 7+, all users who have been pending deletion for seven days or more will become Disabled.

3. Click Undelete and confirm the action.

   The users' status is changed to Disabled.

Unlock All OTPs for a User Unlock All OTPs for a User

You must unlock the SecurID Authenticate OTP, SecurID hardware OTP credential, SMS OTP, and Voice OTP after they have been locked for a user. Unlocking these methods makes them available for authentication. Lockout settings are configured at My Account > Company Settings > Sessions & Authentication. Retries for each method are counted separately and each method is locked separately, but all methods are unlocked simultaneously. The lockout counter is cleared after either of the following events occur:

• The user successfully authenticates. For example, if four retries are allowed and the user fails twice and succeeds on the third attempt, the lockout counter is set to 0 because the lockout maximum was not reached. Is this case, only the counter for the method being used is cleared.

• You manually unlock the methods on the Users > Management page. In this case, the lockout counter for all OTP credentials are cleared, even if they were not previously locked.

Note: Only the user's authentication method is locked. The user's Cloud Authentication Service account is not locked or inactivated.

You cannot manually unlock an Emergency Access Code. You must generate a new Emergency Access Code to give the user emergency access.

Before you begin

Super Admins and Help Desk Administrators can perform this task.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.

3. On the user's detail page, click Unlock OTPs.

   A success message appears after the methods are unlocked.

Unlock a User's PasswordUnlock a User's Password

You can unlock a user's password after it has become locked. For more information about lockout settings, see Configure Session and Authentication Method Settings.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.

3. A message indicates that the user's password is locked. Click Unlock.

   The message Password successfully unlocked appears.

Generate a Registration CodeGenerate a Registration Code

You can generate a Registration Code for users to register with the SecurID app/SecurID Authenticator app for iOS and Android, or the SecurID Authenticate app for Windows 10. This method is intended for users who cannot obtain a Registration Code from any other source.

Note: You cannot generate a code for a user who already has a registered iOS, Android, or Windows device.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.

3. From the drop down list, select the app the user has.

4. Click Generate Code. The code displayed is valid for five minutes, is for one-time use, and cannot be viewed again after you leave the User Management page. The user's Organization ID also appears.

5. Provide the code and the Organization ID to the user in a secure manner.

Clear a Hardware OTP Credential PIN for a UserClear a Hardware OTP Credential PIN for a User

You can clear the PIN for a hardware OTP credential if the user has forgotten the PIN or the PIN is compromised. Before using the hardware OTP credential, the user must go to My Page and set a new PIN.

Before you begin

Super Admins and Help Desk Administrators can perform this task.

Procedure

1. In the Cloud Administration Console, click Users > Management.

2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.

3. On the user's detail page, the hardware OTP credentials are listed by name or serial number. Click the Edit icon next to the hardware authenticator.

4. Click Clear PIN.

5. Click Save or Delete, and then click Close.

   A success message appears.