RSA Authenticator 6.2 for Windows

Administrator Guide

Version: 6.2
Date: February 2024
RSA Authenticator 6.2 for Windows Administrator Guide

Knowledge Base
RSA Community at https://community.rsa.com contains a knowledge base that answers common questions and provides solutions to
known problems, product documentation, community discussions, and case management.

Trademarks
RSAConference logo, RSA, and other trademarks are trademarks of RSA Security LLC or its affiliates ("RSA"). For a list of RSA
trademarks, go to https://www.rsa.com/en-us/company/rsa-trademarks. Other trademarks are trademarks of their respective owners.

License Agreement
© 2024 RSA Security LLC or its affiliates. All rights reserved. This document is for informational purposes only. RSA MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. This information is provided to help guide your authorized use of
products you license; it is not your agreement. Your use of products licensed under your license agreement is governed by the terms and
conditions of that agreement. In the case of any conflict between this information and your agreement, the terms and conditions of your
agreement control.

Third-Party Licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party
software in this product may be viewed on the product documentation page on RSA Community. By using this product, a user of this
product agrees to be fully bound by the terms of the license agreements.

Note on Encryption Technologies


This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies,
and current use, import, and export regulations should be followed when using, importing, or exporting this product.

Distribution
Use, copying, and distribution of any RSA Security LLC or its affiliates ("RSA") software described in this publication requires an
applicable software license. RSA believes the information in this publication is accurate as of its publication date. The information is
subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." RSA MAKES NO REPRESENTATIONS OR WARRANTIES OF
ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

2

Table of Contents
Preface 8

About This Guide 8

RSA Support and Service 8

Support for RSA Authentication Manager 8

Support for the Cloud Authentication Service and Identity Routers 8

RSA Ready Partner Program 8

Chapter 1: RSA Authenticator 6.2 for Windows 9

Terminology Changes 9

Authentication Manager On-Prem Server OTP Management Features 10

Cloud-based Multi Factor Credential Management Features 11

DS100 Features 11

Application Security Features 11

OTP Credentials Security on a Computer 11

Next OTP Retrieval for SecurID OTP 12

Show or Mask PIN 12

Credential Database Copy Protection RSA Authenticator 6.2 for Windows 12

Clock Settings 12

Support for Visually Impaired Users 12

Chapter 2: Installing RSA Authenticator for Windows 12

System Requirements 13

Install RSA Authenticator 6.2 for Windows 13

Deploy RSA Authenticator 6.2 for Windows Using DISM 13

DISM Installation Package 14

Deploy RSA Authenticator on One Computer 14

Deploy RSA Authenticator on Multiple Computers 14

Upgrading to RSA Authenticator 15

Upgrade from RSA SecurID Authenticate App 3.6.0 to RSA Authenticator 6.2 for Windows 15

Upgrade from RSA Authenticator 6.x to RSA Authenticator 6.2 15

Migrating Existing SecurID OTP Credentials from RSA SecurID Software Token 5.0 to RSA Authenticator 6.2 15

Uninstall RSA Authenticator 16


Chapter 3: Provisioning SecurID OTP Credentials 16

SecurID OTP Credential 17

SecurID OTP Credential Types 17

Provisioning and Distribution Methods 17

Dynamic Seed Provisioning 17

File-Based Provisioning (SDTID Files) 18

Provisioning Software Token Using the Security Console 18

Provisioning Software Tokens Using the Self-Service Console 18

Windows User Security Identifier (SID) 18

Software Token Configuration 19

Device Binding 19

Binding ID 19

SecurID OTP Passwords 20

Authentication Procedures 20

Authentication Procedures for SecurID OTP 20

OTP Authentication (PINPad Style) 20

OTP Authentication (Fob-Style) 21

SecurID OTP-Only Authentication 21

Chapter 4: Multifactor Authentication 22

Using the RSA Authenticator for Cloud-Managed Multifactor Authentication 22

Enable Notifications on User Devices 22

Registering Software Authenticators for Multifactor Authentication 22

Registration Methods 22

Authenticate OTP Credential Re-Registration 23

Registration with Multiple Authenticators 23

Chapter 5: Managing RSA Authenticator for Windows 24

Home 24

Types of Credentials 25

Authenticate OTP Credential 25

SecurID OTP Credential 25

RSA DS100 OTP Credential 27

Add SecurID OTP Credential 27


Import a SecurID OTP Credential Using the CT-KIP URL 27

Import a SecurID OTP Credential from a CT-KIP URL in an Email 28

Import a SecurID OTP Credential from a SDTID File 28

Import a SecurID OTP Credential from SDTID file from an Email Attachment or Locally Stored File 28

Import a SecurID OTP Credential from Non-Default Directory 29

Import a SecurID OTP Credential Automatically from a Default Directory 29

Import a SecurID OTP Credential automatically using CT-KIP. 30

Migrating Existing SecurID OTP Credentials from RSA SecurID Software Token 5.0 to RSA Authenticator 6.2 31

Add Authenticate OTP Credential 32

MFA Credentials PIN Management 34

Set Authenticate OTP PIN 35

Change Authenticate OTP PIN 35

View Authenticate OTP 35

Reset Authenticate OTP PIN 35

Manage Credentials 36

Rename a Credential Card 36

Delete a Credential 36

View Credential Card Information 36

Obtaining the Next OTP 37

Disable Next OTP Mode 37

Settings 37

Device Password 37

Set a Device Password 37

Change the Device Password 38

Remove Device Password 38

Clear All SecurID OTP Credentials and Device Password 38

About 38

Export Logs 38

Chapter 6: RSA DS100 39

Prerequisites 40

Software Components 40

RSA FIDO Management Service for RSA DS100 40


What a User Needs to Do 41

High Level RSA DS100 Deployment Steps 41

Deploy the RSA FIDO Management Service 41

RSA FIDO Management Service Install (via GUI) 41

RSA FIDO Management Service Install (via command line) 42

Enable DS100 Registration in MyPage 42

End User RSA DS100 Registration 43

Register a Credential on the RSA DS100 Using the My Page Self-Service Portal 43

Change the RSA DS100 OTP PIN from My Page 44

Authenticating Using RSA DS100 44

Authenticate Using RSA DS100 OTP Credential to a Web Application 45

Authenticate Using RSA DS100 OTP Credential to a VPN application 45

Managing an RSA DS100 45

View RSA DS100 OTP Credential in RSA Authenticator 46

Change the PIN for RSA DS100 OTP Credential from RSA Authenticator 46

Deleting RSA DS100 OTP Credential 46

Deleting OTP Credentials 46

Set FIDO PIN 47

Change FIDO PIN 47

Reset FIDO to Factory Defaults 48

Update RSA DS100 Firmware 48

Chapter 7: Group Policy Template 48

RSA Authenticator Group Policy Object Template 49

SecurID Token Settings 49

Installing Group Policy Object Template 50

Installing the RSA Authenticator Group Policy Object Template 50

Install the Template on a Windows Computer 50

Install the Template on the Domain Controller 50

Defining the Policy Settings 51

Accessing the Group Policy Object Template 51

Access the Template on a Domain Controller 51

Access the Template on a Windows Computer 51


Policy Settings 52

Defining Software Token Settings 52

Allow only one AM OTP credential 52

Do not allow users to delete SecurID OTP credentials 53

Do not allow users to change SecurID OTP credential nickname 55

Do not allow users to configure the device password 56

Days before SecurID OTP credential expiration notification is displayed 57

Specify a SecurID OTP credential renewal URL 59

Specify a CT-KIP URL to use for downloading SecurID OTP Credential 60

User SID for CT-KIP activation code Procedure 61

Exclude RSA SecurID Software Token 5.0 GPO Settings 62

Unsupported Features 64

Chapter 8: Troubleshooting 64

Installation Issues 65

Troubleshooting Credentials Issues 65

General SecurID OTP Issues 67

Troubleshooting Authenticate OTP Registration Issues 67

Troubleshooting View Authenticate OTP Issues 67

Troubleshooting AM Authentication Issues 67

Troubleshooting CAS Authentication Issues 68

Information Messages 68

Troubleshooting Migration Issues 68

Troubleshooting Upgrade Issues 69

DS100 Troubleshooting 69

Frequently Asked Questions - RSA DS100 71


Preface

About This Guide


This guide is for administrators who manage RSA Authentication Manager and the Cloud Authentication Service, and who deploy the
RSA Authenticator app to their users. For a complete list of documentation, see RSA Community.

RSA Support and Service


You can access community and support information on RSA Community at https://community.rsa.com. It contains a knowledge base that
answers common questions and provides solutions to known problems, product documentation, community discussions, and case
management.

Support for RSA Authentication Manager


Before you call Customer Support for help with the RSA Authentication Manager appliance, have the following information available:

- Access to the RSA Authentication Manager appliance.

- Your license serial number. To find this number, do one of the following:
  - Look at the order confirmation e-mail that you received when you ordered the product. This e-mail contains the license
    serial number.
  - Log on to the Security Console, and click License Status. Click View Installed License.

- The appliance software version. This information is located in the top, right corner of the Quick Setup, or you can log on to the
  Security Console and click Software Version Information.

Support for the Cloud Authentication Service and Identity Routers


If your company has deployed identity routers and uses the Cloud Authentication Service, RSA provides you with a unique identifier
called the Customer Support ID. This is required when you register with RSA Customer Support. To see your Customer Support ID, sign
in to the Cloud Administration Console and click My Credential > Company Settings.

RSA Ready Partner Program


The RSA Ready Partner Program provides information about third-party products that have been certified to work with RSA products,
such as virtual private network (VPN) and remote access servers (RAS). It includes Implementation Guides with step-by-step instructions
and other relevant information. For more information, see RSA Integrations.


Chapter 1: RSA Authenticator 6.2 for Windows
Terminology Changes 9

Authentication Manager On-Prem Server OTP Management Features 10

Cloud-based Multi Factor Credential Management Features 11

DS100 Features 11

Application Security Features 11

OTP Credentials Security on a Computer 11

Next OTP Retrieval for SecurID OTP 12

Show or Mask PIN 12

Credential Database Copy Protection RSA Authenticator 6.2 for Windows 12

Clock Settings 12

Support for Visually Impaired Users 12

About RSA Authenticator

The RSA Authenticator for Windows is an all-new, modern, and intuitive authentication experience for Microsoft Windows users. It is a
desktop application that combines the best of both classic SecurID OTP and modern, cloud-based MFA authentication methods to better
support mixed user populations and to facilitate migration from an on-premises server (for example, Authentication Manager) to either
hybrid (on-premises and cloud) or cloud-only deployments that leverage the RSA Cloud Authentication Service (CAS).

RSA Authenticator for Windows also supports managing both the RSA DS100 hardware authenticator and any vendor's FIDO2 Security
Key. The DS100 is a cloud-managed, multi-functional hardware authenticator that supports both RSA Authenticator one-time password
(OTP) and passwordless FIDO2 authentication in a single device. With dynamic seeding and self-registration, you can secure users as
they transition from OTP to FIDO2 without having to change their authenticator. The DS100 authenticator supports OTP generation
when unplugged from a device to support high security environments without USB connectivity.

Terminology Changes
The following table describes the differences in the terminologies used in the app versions.

Category                                    | RSA SecurID Software Token 5.x / RSA SecurID Authenticate 3.6.0 | SecurID Authenticator 6.0.1 and Later
--------------------------------------------|------------------------------------------------------------------|-------------------------------------------
Application Name                            | RSA SecurID Software Token / RSA SecurID Authenticate            | SecurID Authenticator / RSA Authenticator
User interface labels, messages, and values | Tokencode                                                        | AM OTP / SecurID OTP
                                            | Token                                                            | AM OTP Credential / SecurID OTP Credential
                                            | Import Token                                                     | Add Credential
                                            | Next Code                                                        | Next OTP
                                            | Device Serial Number                                             | Binding ID
                                            | Company ID                                                       | Organization ID
                                            | Account                                                          | Credential
                                            | Authenticate Tokencode                                           | CAS OTP / Authenticate OTP
                                            | Pull down to check for authentication                            | Click to refresh authentication
                                            | Register                                                         | Add Credential
                                            | View Tokencode                                                   | View OTP

Authentication Manager On-Prem Server OTP Management Features

The RSA Authenticator supports the following features for managing Authentication Manager (AM) OTP credentials:

- Multiple Credentials Support. Users can import up to 25 SecurID OTP credentials per user. A single Authentication Manager
  server can provision three SecurID OTP credentials to an individual user. SecurID OTP credentials can be provisioned to the
  same authenticator by different organizations.

- Credential Nicknames. Credential names are called "nicknames" in Authentication Manager. The administrator can use the
  Group Policy Object (GPO) template to allow or deny users permission to edit credential names. The administrator can
  optionally set a nickname when configuring a SecurID OTP credential record. If a nickname is not set, SecurID OTPs are
  imported into the app with default names, such as the serial numbers of those credentials. The user can rename the SecurID OTP
  credentials after importing them into the app. If you use Self-Service provisioning with Authentication Manager 8.2 or later, you
  can allow users to set a nickname when they request a SecurID OTP. The SecurID OTP is imported into the app with the
  user-supplied nickname.

- Delete Credential. Users can delete any SecurID OTP credential if they have permission to delete. Users who delete all their
  credentials must contact the IT administrator, who sends them the Self-Service Console URL for requesting new credentials.

- Device Password. Users can secure their SecurID OTP credentials by configuring a device password in RSA Authenticator.
  For more information, see Device Password.

- Credential Expiration Warning. SecurID OTP credentials expire on the first second of the credential expiration date (00:00:00
  UTC). To ensure that the user always has a working SecurID OTP credential installed, the app displays a warning indicating how
  many days remain before the credential expires, starting 30 days (about 4 and a half weeks) before the expiration date. The user
  can contact the administrator or use Self-Service (if available) to request a replacement credential.

- You will be able to easily extend the lifetime of expired SecurID OTPs in a way that is transparent to users. You use the Security
  Console to extend a credential's availability.

- Users will be able to replace a credential with the same serial number without deleting the credential first.

Note: For more information about managing SecurID OTP credential configuration, refer to the Chapter 7: Group Policy Template on
page 48 section.

Cloud-based Multi Factor Credential Management Features

Users can import up to 10 cloud-based credentials per user. Authenticate OTP credentials can be provisioned to the same user by
different organizations.

- Rename a Credential Card. Users can rename a credential card in RSA Authenticator.

- Delete a Credential. Users can delete an Authenticate OTP credential in the app. When deleted, the credential is removed from
  both the app and CAS.

- PIN Management. If the CAS server is configured to require a PIN to view an Authenticate OTP, then users can manage the
  PIN for Authenticate OTP credentials.

DS100 Features
The DS100 is a cloud-managed, multi-functional hardware authenticator.

- It supports both SecurID one-time password (OTP) and passwordless FIDO2 authentication in a single device.

- It provides dynamic seeding and self-registration and secures users as they transition from OTP to FIDO2 without having to
  change their authenticator.

- It supports OTP generation when unplugged from a computer, to support high security environments where USB connectivity is
  prohibited.

Application Security Features


RSA Authenticator includes the following security features.

OTP Credentials Security on a Computer


After an OTP credential from either the Authentication Manager server or the Cloud Authentication Service (CAS) is added to the
Authenticator app, the credential is protected by encrypting the app's credentials database based on unique characteristics of the
local computer; the database is also encrypted with the Microsoft Data Protection API. If an unauthorized user or malware copies the
credential database to another machine or device, the attacker cannot decrypt it; the app appears to have no credentials and cannot
generate OTPs or push authentication events. If an authorized owner is issued a new computer, AM OTP credentials must be reissued
and new CAS credentials must be registered, typically through the CAS My Page self-service portal.


Next OTP Retrieval for SecurID OTP


Authentication Manager can detect when a user provides multiple incorrect SecurID OTPs (formerly passcodes) in succession. In this
situation, the user is prompted to enter the next OTP to authenticate. This requirement helps ensure that the OTP is being generated by
an OTP credential in the possession of the authorized owner.

In the app, a user can click the Next OTP icon (Right arrow which is present beside the credential displayed) to eliminate the need to wait
until the next interval.

Show or Mask PIN


By default, PIN characters are masked (displayed as bullet symbols) as the user enters them. The user can click on the eye icon to show
or hide the masked PIN characters.

Credential Database Copy Protection

RSA Authenticator 6.2 for Windows uses the following data protection mechanisms to tie the credential database to a specific computer:

- Binding the database to the computer's primary hard disk drive.

- Implementing the Windows Data Protection API (DPAPI).

These mechanisms ensure that an unauthorized user cannot move the credential database to another computer and access the
credentials.
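As an added illustration of the DPAPI mechanism named above (generic Windows DPAPI code written for this guide, not the RSA Authenticator's own credential-database implementation, whose exact protection scope and entropy the guide does not describe), the following PowerShell protects a constructed sample blob and shows how recovery behaves when the blob can and cannot be unwrapped. The entropy value and the sample data are assumptions for the demonstration.

```powershell
# Added example: generic DPAPI behaviour, not the RSA Authenticator's own code.
Add-Type -AssemblyName System.Security

# Constructed sample standing in for a credential database.
$plain   = [Text.Encoding]::UTF8.GetBytes('constructed-sample-credential-db')
# Optional entropy: here a stand-in for a machine characteristic (assumption, illustrative only).
$entropy = [Text.Encoding]::UTF8.GetBytes($env:COMPUTERNAME)

# LocalMachine scope wraps the data with this computer's DPAPI master key, so a copy of
# the blob taken to another computer cannot be unwrapped there.
$blob = [Security.Cryptography.ProtectedData]::Protect(
    $plain, $entropy, [Security.Cryptography.DataProtectionScope]::LocalMachine)
"Protected blob: $($blob.Length) bytes"

function Open-ProtectedBlob {
    param([byte[]]$Blob, [byte[]]$Entropy)
    try {
        $bytes = [Security.Cryptography.ProtectedData]::Unprotect(
            $Blob, $Entropy, [Security.Cryptography.DataProtectionScope]::LocalMachine)
        return [Text.Encoding]::UTF8.GetString($bytes)
    } catch [Security.Cryptography.CryptographicException] {
        # This is what an app sees after its database is copied elsewhere (or the entropy
        # no longer matches): no plaintext, so it behaves as if no credentials were stored.
        return $null
    }
}

"Same machine, same entropy : $(Open-ProtectedBlob $blob $entropy)"
$wrong = Open-ProtectedBlob $blob ([byte[]](1, 2, 3))
"Same machine, wrong entropy: $(if ($null -eq $wrong) { '(no credentials recoverable)' } else { 'unexpected success' })"
```

Design note: DPAPI LocalMachine scope prevents cross-machine copying but lets any process on the same computer unwrap the blob, which is why an additional machine-bound secret (the guide's "local computer unique characteristics") or CurrentUser scope matters when other local users are in the threat model.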

Clock Settings
RSA Authenticator and RSA Authentication Servers rely on Coordinated Universal Time (UTC). The time, date, and time zone settings
on the local computer and on the computer running Authentication Manager must always be correct in relation to UTC. If the time settings
on a user’s computer change significantly, they will no longer be synchronized with the time settings on the Authentication Manager
server or CAS, and the user may not be able to authenticate. If this happens, the user must contact the server or CAS administrator to
have the OTP resynchronized.

Instruct users to verify that the time, time zone, and Daylight Saving Time (DST) settings on their computer are correct before they use
RSA Authenticator. Users crossing time zones with their computer need to change only the time zone to reflect the correct local time.
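An added example (not from the RSA guide) of how an administrator or help desk can check the clock prerequisites described above on a user's Windows computer. It assumes the Windows Time service can reach the time source named in $TimeSource over UDP 123; both that hostname and the skew threshold are placeholders to adjust to your environment.

```powershell
# Added example: verify time zone, DST handling and clock offset before troubleshooting
# an OTP that is rejected. Not part of the RSA Authenticator product or guide.
$TimeSource     = 'time.windows.com'   # hypothetical reference source; use your own NTP server
$MaxSkewSeconds = 60                   # hypothetical threshold; set to what your AM/CAS policy tolerates

$tz = Get-TimeZone
"Time zone : $($tz.Id) (DST rules applied: $($tz.SupportsDaylightSavingTime))"
"Local time: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss K')"
"UTC time  : $((Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss'))"

# w32tm /stripchart prints one sample per line; the offset follows the comma, e.g.
# "10:00:01, +00.0123456s". A positive value means the local clock is behind the source.
$line = w32tm /stripchart /computer:$TimeSource /samples:1 /dataonly | Select-Object -Last 1
if ($line -match '([+-]\d+\.\d+)s') {
    $offset = [double]$Matches[1]
    if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
        Write-Warning ("Clock differs from {0} by {1} s; time-based OTPs may be rejected. " +
                       "Correct the clock (for example 'w32tm /resync') before resynchronizing the credential.") -f $TimeSource, $offset
    } else {
        "Clock offset from ${TimeSource}: $offset s (within $MaxSkewSeconds s)"
    }
} else {
    Write-Warning "Could not read an offset from w32tm output: $line"
}
```

If the offset is within tolerance but authentication still fails, the credential itself may be out of step with the server and needs the resynchronization described above.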

Support for Visually Impaired Users


RSA Authenticator for Windows supports the use of screen readers for visually impaired users.

Chapter 2: Installing RSA Authenticator for Windows

System Requirements 13


Install RSA Authenticator 6.2 for Windows 13

Deploy RSA Authenticator 6.2 for Windows Using DISM 13

DISM Installation Package 14

Deploy RSA Authenticator on One Computer 14

Deploy RSA Authenticator on Multiple Computers 14

Upgrading to RSA Authenticator 15

Upgrade from RSA SecurID Authenticate App 3.6.0 to RSA Authenticator 6.2 for Windows 15

Upgrade from RSA Authenticator 6.x to RSA Authenticator 6.2 15

Migrating Existing SecurID OTP Credentials from RSA SecurID Software Token 5.0 to RSA Authenticator 6.2 15

Uninstall RSA Authenticator 16

System Requirements
Minimum System Requirements

- 350 MB of free disk space

- 8 GB RAM

- TCP/IP networking

Supported Operating Systems

You can install RSA Authenticator on Microsoft Windows 10 1903 or later.

Install RSA Authenticator 6.2 for Windows


A user can install RSA Authenticator directly onto a Windows device by downloading it from the Microsoft Store. The RSA Authenticator
6.2 app has a new icon and appears as follows in the Microsoft Store:

Note: RSA Authenticator 6.x for Windows can co-exist with RSA SecurID Software Token 5.0.x.

Deploy RSA Authenticator 6.2 for Windows Using DISM

During a typical registration of a credential or DS100, a user can install RSA Authenticator directly from the Microsoft Store. If an
organization has blocked its users from installing applications from the Microsoft Store, then a Windows administrator will need to deploy
RSA Authenticator 6.2 via Microsoft Deployment Image Servicing and Management (DISM). This is also referred to as sideloading the
application. DISM is a Windows OS command line tool. An administrator can use DISM to deploy Microsoft Store apps to one or
multiple computers.

Download the sideloading installation package from RSA Community
(https://community.rsa.com/s/product-download/a9G4u000000u013EAA/rsa-authenticator-620-for-windows) and then use the DISM
command to deploy the authenticator.

DISM Installation Package


RSA Authenticator DISM installation package, RSA_Authenticator_6.2.0_Microsoft_Windows_Kit.zip, contains the following:

- RSA Authenticator package with the Dependencies (MSIX Bundle)

Note: The Device Definition File for the AM Server and Group Policy Templates for end-user computers are available on RSA
Community.

Deploy RSA Authenticator on One Computer

1. Extract RSA_Authenticator_6.2.0_Microsoft_Windows_Kit.zip to a folder on the computer.

2. From the Windows Start menu, right-click Command Prompt and select Run as administrator.

3. Navigate to the directory that contains the extracted files. (Otherwise, provide the full path name to the directory on the
   command line.)

4. Enter the following command on a single line. Remove any line breaks that may appear when you copy and paste it.

   DISM /Online /Add-ProvisionedAppxPackage /PackagePath:de9714634227403eb3263cbe116f94ea.msixbundle /DependencyPackagePath:Microsoft.NET.Native.Framework.2.2_2.2.29512.0_x64__8wekyb3d8bbwe.appx /DependencyPackagePath:Microsoft.NET.Native.Runtime.2.2_2.2.28604.0_x64__8wekyb3d8bbwe.appx /DependencyPackagePath:Microsoft.VCLibs.140.00_14.0.33519.0_x64__8wekyb3d8bbwe.appx /LicensePath=de9714634227403eb3263cbe116f94ea_License1.xml

Deploy RSA Authenticator on Multiple Computers

1. Extract RSA_Authenticator_6.2.0_Microsoft_Windows_Kit.zip to a folder that is accessible to all computers where the app
will be deployed. For example, a network share.

2. Using your preferred method to execute Windows commands on remote computers, enter the following command on a single
line as an administrator. Remove any line breaks that may appear when you copy and paste it.

   DISM /Online /Add-ProvisionedAppxPackage /PackagePath:de9714634227403eb3263cbe116f94ea.msixbundle /DependencyPackagePath:Microsoft.NET.Native.Framework.2.2_2.2.29512.0_x64__8wekyb3d8bbwe.appx /DependencyPackagePath:Microsoft.NET.Native.Runtime.2.2_2.2.28604.0_x64__8wekyb3d8bbwe.appx /DependencyPackagePath:Microsoft.VCLibs.140.00_14.0.33519.0_x64__8wekyb3d8bbwe.appx /LicensePath=de9714634227403eb3263cbe116f94ea_License1.xml
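The guide leaves the choice of remote-execution method to the administrator. As an added example (written for this guide, not an RSA-supplied script), the following PowerShell stages the extracted kit on each target over PowerShell Remoting, runs the DISM command from the procedure above, and verifies the result using the provisioned-package display name the guide gives in the uninstall procedure. The kit path, computer names and staging directory are assumptions.

```powershell
# Added example: deploy the RSA Authenticator 6.2 sideload kit to several computers.
# Assumptions: WinRM is enabled on the targets, this session runs as an administrator on
# all of them, and the kit has already been extracted locally to $KitPath.
$KitPath   = 'C:\Deploy\RSA_Authenticator_6.2.0_Microsoft_Windows_Kit'   # hypothetical path
$Computers = @('ws-001', 'ws-002')                                       # constructed list
$Staging   = 'C:\Windows\Temp\RSAAuth62'                                 # hypothetical staging dir

$sessions = New-PSSession -ComputerName $Computers -ErrorAction Stop
try {
    foreach ($s in $sessions) {
        # Copy through the session rather than pointing DISM at a network share: the remote
        # session holds no delegated credentials for a second network hop.
        Copy-Item -Path $KitPath -Destination $Staging -ToSession $s -Recurse -Force
    }

    $results = Invoke-Command -Session $sessions -ArgumentList $Staging -ScriptBlock {
        param($dir)
        Push-Location $dir
        try {
            # The command from the guide, as one logical line.
            $out = & DISM.exe /Online /Add-ProvisionedAppxPackage `
                /PackagePath:de9714634227403eb3263cbe116f94ea.msixbundle `
                /DependencyPackagePath:Microsoft.NET.Native.Framework.2.2_2.2.29512.0_x64__8wekyb3d8bbwe.appx `
                /DependencyPackagePath:Microsoft.NET.Native.Runtime.2.2_2.2.28604.0_x64__8wekyb3d8bbwe.appx `
                /DependencyPackagePath:Microsoft.VCLibs.140.00_14.0.33519.0_x64__8wekyb3d8bbwe.appx `
                /LicensePath=de9714634227403eb3263cbe116f94ea_License1.xml 2>&1
            $code = $LASTEXITCODE
        } finally {
            Pop-Location
            Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
        }
        # Verify against the display name the guide gives for the provisioned package.
        $pkg = Get-AppxProvisionedPackage -Online |
               Where-Object DisplayName -eq 'RSASecurityLLC.RSASecurIDAuthenticate'
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            DismExit    = $code
            Provisioned = [bool]$pkg
            Version     = $pkg.Version
            LastOutput  = ($out | Select-Object -Last 2) -join ' '
        }
    }
    $results | Format-Table Computer, DismExit, Provisioned, Version, LastOutput -AutoSize
} finally {
    Remove-PSSession $sessions
}
```

A non-zero DismExit or Provisioned = False on a host means the package did not land; the LastOutput column carries DISM's final lines, which usually name the missing dependency or a blocked sideloading policy.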


Upgrading to RSA Authenticator


Upgrade from RSA SecurID Authenticate App 3.6.0 to RSA
Authenticator 6.2 for Windows
If the user installed the RSA SecurID Authenticate App 3.6.0 on their machine, they will see an Update option in the Microsoft Store. The
user can upgrade their existing RSA SecurID Authenticate 3.6.0 to RSA Authenticator 6.2 by clicking Update in the Microsoft Store. If an
administrator is required to deploy RSA Authenticator using DISM commands, see Deploy RSA Authenticator 6.2 for Windows Using
DISM on page 13.

On a successful upgrade to RSA Authenticator, all credentials present in the RSA SecurID Authenticate 3.6.0 app will be available in
RSA Authenticator. To continue getting push notifications after the upgrade, the user must relaunch the authenticator and must be
connected to the internet with access to CAS.

Note: If Authenticate OTP credentials are protected with a PIN in RSA SecurID Authenticate 3.6.0, the user must set the PIN to view the
OTP in RSA Authenticator.

Upgrade from RSA Authenticator 6.x to RSA Authenticator 6.2


To upgrade from RSA Authenticator 6.x to RSA Authenticator 6.2:

- A user can go to the Microsoft Store and download the app.

or

- The administrator can deploy RSA Authenticator 6.2 using DISM commands. To access the DISM commands, see Deploy RSA
  Authenticator 6.2 for Windows Using DISM on page 13.

On a successful upgrade, all the credentials present in 6.0.1, 6.1.1, 6.1.2 and 6.1.3 will be automatically migrated to RSA Authenticator
6.2. To continue getting push notifications after the upgrade, the user must relaunch the authenticator.

Migrating Existing SecurID OTP Credentials from RSA SecurID Software Token 5.0 to RSA Authenticator 6.2
Every time the RSA Authenticator 6.2 app is launched, it attempts to automatically migrate SecurID OTP credentials present in the RSA
SecurID Software Token 5.0 app if they are not present in the Authenticator 6.x app. All AM OTP credentials are migrated up to the RSA
Authenticator maximum limit of 25 SecurID OTP credentials.

If a device password has been set in either Software Token 5.x or RSA Authenticator 6.x, the user is prompted to enter it during the
migration process and must do so to complete migration.

RSA Authenticator supports a maximum of 25 SecurID OTP credentials which includes both the credentials which are already present in
Authenticator 6.x and the credentials migrated from RSA SecurID Software Token 5.0. After reaching the maximum number of AM
credentials, if a user wants to add additional SecurID OTP credentials, they need to delete an existing SecurID OTP credential from 6.x.

The Allow only one SecurID OTP Credential GPO policy configuration is ignored during migration:

If the Allow Only one SecurID OTP Credential GPO policy is enabled, RSA Authenticator still attempts to migrate the RSA SecurID
Software Token credentials when the application launches. If a user later tries to import new SecurID OTP credentials after migration
while the 'Allow Only one SecurID OTP Credential' GPO policy is enabled, all the SecurID OTP credentials will be deleted, and one new
SecurID OTP credential is added to RSA Authenticator.

Note:
- On every launch of RSA Authenticator, if a new or not-yet-migrated AM OTP credential is present in RSA SecurID Software Token 5.0,
  the app attempts to migrate it to RSA Authenticator.
- From 6.2 onwards, RSA Authenticator also supports migration of RSA SecurID Software Token credentials deployed with automation,
  provided they do not have SINGLEDATABASE enabled.

Uninstall RSA Authenticator


If the app was installed via the Microsoft Store, users can uninstall it by:

- Right-clicking the application in the Start menu and selecting Uninstall.

- Going to Start > Settings > Apps, clicking the app to select it, and then clicking the Uninstall button.

If the app was installed through DISM, administrators can use PowerShell commands to uninstall it from Microsoft Windows. The
procedure for removing an app installed using DISM follows.

Uninstall RSA Authenticator using DISM

1. Run PowerShell as an administrator.

2. Run the Get-AppxProvisionedPackage -Online command to get the list of provisioned apps.

3. From the list, search for RSASecurityLLC.RSASecurIDAuthenticate in the Display Name.

4. Copy the PackageName of RSASecurityLLC.RSASecurIDAuthenticate and use it in step 5.

5. To remove RSA Authenticator for all users, run the following command:

Remove-AppxProvisionedPackage -PackageName <PackageName> -Online -AllUsers

Note: In the remove command, replace <PackageName> with the package name from step 4.
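The five steps above can be carried out as one script. The following is an added example (not an RSA-supplied script) that looks the package up by the display name the guide gives, de-provisions it, and additionally removes copies already registered in existing user profiles, which de-provisioning alone leaves in place. It assumes the Appx package identity name equals the display name shown by Get-AppxProvisionedPackage.

```powershell
# Added example: remove a DISM-sideloaded RSA Authenticator without copying package names
# by hand. Run from an elevated PowerShell on the target computer.
$DisplayName = 'RSASecurityLLC.RSASecurIDAuthenticate'   # display name given in the guide

# 1. De-provision: stops the package being installed for users who log on in future.
$provisioned = Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $DisplayName
if (-not $provisioned) {
    Write-Warning "No provisioned package named $DisplayName found; nothing to de-provision."
}
foreach ($p in $provisioned) {
    "De-provisioning $($p.PackageName)"
    Remove-AppxProvisionedPackage -Online -PackageName $p.PackageName -AllUsers | Out-Null
}

# 2. De-provisioning does not touch copies already registered for existing user profiles;
#    remove those as well (assumes the package identity name matches $DisplayName).
$installed = Get-AppxPackage -AllUsers -Name $DisplayName
foreach ($i in $installed) {
    "Removing $($i.PackageFullName) for all users"
    Remove-AppxPackage -Package $i.PackageFullName -AllUsers
}

# 3. Confirm nothing is left in either place.
$left = @(Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $DisplayName) +
        @(Get-AppxPackage -AllUsers -Name $DisplayName)
if ($left.Count -eq 0) {
    "$DisplayName removed."
} else {
    Write-Warning "Still present:`n$($left | Format-List | Out-String)"
}
```

Step 2 matters for the credential-hygiene point made elsewhere in this guide: a per-user copy that survives de-provisioning still holds that user's credential database until it is removed.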

Chapter 3: Provisioning SecurID OTP Credentials
SecurID OTP Credential 17

Provisioning and Distribution Methods 17

Software Token Configuration 19

Authentication Procedures 20


SecurID OTP Credential


A SecurID OTP credential, when added in RSA Authenticator, generates 6-digit or 8-digit random numbers, called OTPs (one-time
passwords), at regular intervals. Users can use an OTP, in combination with a PIN, to access resources protected by RSA Authentication
Manager, such as Virtual Private Networks (VPNs) and/or web applications.

Before provisioning and deploying SecurID OTP credentials, the administrator must decide:

- How users will authenticate. See AM OTP Credential Types.

- Whether to generate SDTID files or CT-KIP URL links. See Provisioning and Distribution Methods.

- Whether to bind each SecurID OTP to a specific Microsoft Windows computer or leave the default binding (device class GUID).
  See Device Binding.

SecurID OTP Credential Types


RSA Authenticator supports the following SecurID OTP credential types for user authentication:

l PIN integrated with a SecurID OTP: The user enters a SecurID PIN in the Enter PIN field on the credential in the Home page
of the Authenticator app to generate an OTP (one-time password). The user authenticates by entering the OTP in the protected
resource.

l PIN followed by a SecurID OTP: The user authenticates by entering a SecurID PIN in the protected resource, followed by the
current OTP displayed by the app. The user experience is like authenticating with a hardware fob that displays OTPs.

l PINless: The user authenticates by entering the current OTP displayed by the app. PIN is not required.

Note: Because OTP-only authentication does not use two-factor authentication, RSA strongly recommends that you require the
standard logon password in addition to the OTP. For more information about the proper use of SecurID OTP credentials that do not
require a PIN, see the RSA SecurID Software Token Security Best Practices Guide.

Provisioning and Distribution Methods


To provision a SecurID OTP credential, a supported version of the Authentication Manager server is required. Authentication Manager
supports two methods for deploying SecurID OTP credentials:

l Security Console. An administrator initiates the process of assigning and distributing the user’s OTP using the Security
Console, a web-based administrative console.

l Self-Service Console. An administrator configures Self-Service provisioning and allows end users to create an account. A user
then enrolls to use Self-Service and requests an OTP, using a web-based Self-Service Console. Self-Service provisioning is
included with the Authentication Manager Enterprise Server license. See RSA Authentication Manager documentation on
RSA Community.

An administrator can use any of the following methods for distributing SecurID OTP credentials to the users of RSA Authenticator.

Dynamic Seed Provisioning


Dynamic seed provisioning uses the Cryptographic Token Key Initialization Protocol (CT-KIP) to eliminate the need for an OTP
distribution file (SDTID file).

Note: SecurID strongly recommends using dynamic seed provisioning because the CT-KIP process helps prevent the potential
interception of the OTP’s seed. Only use SDTID if your company policy dictates that the RSA Authenticator apps cannot connect to the
Internet or that a CT-KIP server cannot be set up.

Administrators can deliver a dynamically provisioned OTP to the RSA Authenticator app by sending the user an email message containing a
custom CT-KIP URL hyperlink. The user clicks the URL link in the email or enters the link in the app to import the
SecurID OTP credential.

To support dynamic seed provisioning (CT-KIP) on an RSA Authenticator device, you must make sure that the Authentication Manager
server meets the App Transport Security (ATS) requirements.

File-Based Provisioning (SDTID Files)


Authentication Manager can generate SecurID OTP (SDTID) files. SecurID strongly recommends protecting SDTID files with an OTP file
password as part of the provisioning process.

To deliver an OTP, you send an email with an SDTID file attachment to the email client on the user's device.

If you send a password-protected file to the user, RSA recommends sending the password separately, using a secure channel and best
practices for communicating sensitive data.

Provisioning Software Token Using the Security Console


Authentication Manager includes the web-based Security Console that allows you to provision and distribute SecurID OTP Credentials.
An Authentication Manager Super Admin must create a software token profile. The profile specifies software token configuration and
distribution options.

If you plan to use several provisioning methods (for example, CT-KIP), create separate software token profiles for each method so that
you do not have to edit the profile to change the distribution method.

When you add a software token profile, use the RSA Authenticator for Windows 6.2.x device type (the Desktop-Windows-SecurID-Authenticator-swtd.xml
device definition file) for RSA Authenticator for Microsoft Windows.

For more information, see the RSA Authentication Manager Administrator's Guide on the RSA Authentication Manager Documentation
page on RSA Community.

Provisioning Software Tokens Using the Self-Service Console


RSA Authentication Manager 8.2 or later includes RSA Self-Service. The Self-Service Console provisioning component allows users
to request SecurID OTP credentials (formerly tokens), including software credentials.

For more information, see the Help topic "RSA Self-Service Overview" on the RSA Authentication Manager Documentation page on RSA
Community.

Windows User Security Identifier (SID)


With RSA Authenticator 6.2 for Windows, the administrator can bind a SecurID OTP credential to a Windows user security identifier
(user SID). This allows the user to import a SecurID OTP credential into a supported OTP storage device on any computer in an Active
Directory domain. Unlike binding a SecurID OTP to a device serial number, no interaction with the desktop application is required to
obtain the binding information. You can use a third-party utility to obtain the SIDs of user accounts. For example, the Microsoft
Sysinternals suite includes PsTools, which contains the PsGetSid utility. PsGetSid allows you to display the SIDs of user accounts. To
download PsTools, access Microsoft TechNet and search on "Sysinternals suite".


Software Token Configuration


RSA strongly recommends using the following configuration for software tokens:

l Device binding

l Password protection for SDTID Files

Device Binding
When provisioning a SecurID OTP (Software Token) record in Authentication Manager, bind the SecurID OTP by configuring a SecurID
OTP extension attribute (DeviceSerialNumber). Binding allows installation only on a device or class of devices with a matching device ID.
RSA strongly recommends binding all SecurID OTPs to a device class GUID.

Microsoft Windows Computer Class GUID (global unique identifier)

SecurID OTPs (Software Tokencode) provisioned for Microsoft Windows computers in Authentication Manager 8.2 or later are bound to a
device class GUID (globally unique identifier). This option allows the user to import a SecurID OTP to any Microsoft Windows computer
that is supported by RSA Authenticator. It prevents the SecurID OTP from being imported to other device platforms or to desktops or
laptops running an RSA Authenticator.

The Microsoft Windows computer class GUID is {b57ed41b-cd67-4bac-85ab-19722fcd4498}.

Binding ID
A binding ID (called a device ID / Device Serial Number in previous versions of the Authenticator app) is a unique, 24-character
hexadecimal string generated by the RSA Authenticator running on a specific Microsoft Windows computer.

You bind a SecurID OTP when configuring it in Authentication Manager. The user must first provide you with the binding ID, which is
generated when the RSA Authenticator for Microsoft Windows is installed. To send the binding ID, the user must have an email account
configured on the device.

You must provide users with an email address. Instruct users to treat the binding ID as sensitive information and to use a secure channel
to deliver it to you.

To view the binding ID, a user can click Settings to view the device information.

Determine Your Device Microsoft Windows Binding Option

Use the following information to decide which binding option best suits your requirements.

Binding Option: Comments

Binding ID: The SecurID OTP credential can only be used by the app running on the device with the specified binding ID. You must
obtain the binding ID from the user before configuring the AM record.

Device Type: The AM OTP can be imported on any supported RSA Authenticator for Windows. It helps prevent importing a SecurID OTP
to a computer or mobile device other than Microsoft Windows. You can bind all SecurID OTPs to the same device class.
For RSA Authentication Manager 8.2 or later, the Microsoft Windows computer class GUID eliminates the need to
configure a token extension attribute since the device class GUID is the default binding entry.


SecurID OTP Passwords


SDTID files should be protected during transit by assigning a unique password in your provisioning server. The user must enter the
password in the RSA Authenticator app to import the SecurID OTP.

Assigning a unique SecurID OTP password can help prevent unauthorized access. However, if the software SecurID OTP does not use
device binding, the password does not prevent a user who has access to both the SDTID file and the password from installing the
SecurID OTP on multiple devices. For this reason, RSA strongly recommends using both device binding and password protection for
SDTID files.

Authentication Procedures
Authentication Procedures for SecurID OTP
This section describes three user authentication options. You can provide the appropriate procedures for your users. Instructions for
users are also provided at https://help.rsa.com/Windows/EN_US/index.html.

OTP Authentication (PINPad Style)


The following procedure shows how to authenticate to a VPN client with a PIN Pad-style SecurID OTP (PIN integrated with OTP).

1. Enter the PIN in the RSA Authenticator and click Submit.

2. View the OTP (PIN integrated with the AM OTP).

3. Enter the OTP in the protected resource (for example, a VPN).


OTP Authentication (Fob-Style)


The following procedure shows how to authenticate to a VPN client with a fob-style SecurID OTP (PIN entered in protected resource,
followed by OTP).

1. View the SecurID OTP in the RSA Authenticator .

2. Enter the PIN in the protected resource (for example, a VPN). The PIN in this example is 13248675.

3. Enter the OTP to the right of the PIN in the protected resource (for example, a VPN).

SecurID OTP-Only Authentication


The following procedure shows how to authenticate to a VPN client with a SecurID OTP only. No PIN is required.

1. View the SecurID OTP in the RSA Authenticator .

2. Enter the SecurID OTP in the protected resource (for example, a VPN).


Chapter 4: Multifactor Authentication


Registering Software Authenticators for Multifactor Authentication 22

Using the RSA Authenticator for Cloud-Managed Multifactor Authentication
The RSA Authenticator for Microsoft Windows supports the following authentication methods to access resources protected by the
Cloud Authentication Service:

Authentication Method: Reference

Authenticate OTP: https://community.securid.com/t5/securid-cloud-authentication/authentication-methods-for-cloud-authentication-service-users/ta-p/623038#Tokenco

Push to Approve: https://community.securid.com/t5/securid-cloud-authentication/authentication-methods-for-cloud-authentication-service-users/ta-p/623038#Approve

Device Biometrics: https://community.securid.com/t5/securid-cloud-authentication/authentication-methods-for-cloud-authentication-service-users/ta-p/623038#Device

Users must register their software authenticator before using these authentication methods.

Enable Notifications on User Devices


Users must respond to notifications during authentication with Approve or Biometrics. Instruct users to enable notifications on their
devices so they can take advantage of these options.

Registering Software Authenticators for Multifactor Authentication
Before using the RSA Authenticator for Microsoft Windows to sign into applications, end users must register the RSA Authenticator app
with the RSA Cloud Authentication Service (CAS). For more information about MFA authentication options, see the Online Help.

Registration Methods
Users can register the RSA Authenticator with CAS using one of the following methods:

Registration Method: Description

RSA My Page: My Page is a web portal that helps provide a secure way for users to register RSA Authenticator. Users should sign
into My Page on a device (for example, a computer), download the RSA Authenticator for Microsoft Windows, and
complete registration. If an administrator for one tenant uses the Cloud Administration Console to delete a user's
credential, the RSA Authenticator app on the user's device continues to work normally for any other tenant. The
activity from one CAS tenant does not affect the app behavior for other tenants. By default, My Page is disabled.
When it is enabled, an access policy can be selected that determines which users are allowed to use My Page and
which authentication requirements they must satisfy to access it. Admins should enable Allow users to register
selected authenticators on My Page through Access > My Page > Self Service.

User enters a Registration Code generated by an Administrator: An administrator uses the Cloud Administration Console to generate a
numeric Registration Code and then securely provides it to the user. The user downloads the RSA Authenticator app on a device and
enters their identity source email address, the Organization ID, and the Registration Code in the app.

Authenticate OTP Credential Re-Registration


The following table summarizes how RSA Authenticator handles re-registration when a user or a Microsoft Windows computer changes.

Situation: A user completes the registration, but wants to re-register due to one of the following:

l User deletes the Authenticate OTP credential

l User deletes RSA Authenticator

Resolution: The admin should delete the authenticator registered in the Cloud Administration Console, or instruct the user to delete
the registered device from My Page, and then install RSA Authenticator for Microsoft Windows and register a new credential.

Situation: A user completes registration on one computer and then gets a new computer. The user needs to complete registration on
the new computer.
Resolution: The user can delete the current authenticator in My Page, and then complete registration. Or the administrator can delete
the user's current device before the user can complete authenticator registration again.

Situation: An existing user who has completed registration on the computer no longer needs the computer and gives the computer to
a new user.
Resolution: If necessary, the existing user deletes the authenticator in My Page or deletes the credential in the app. The new user
installs the app and completes registration without administrative action.

Registration with Multiple Authenticators


An individual user can register one software authenticator per CAS tenant, regardless of OS and app version, to
authenticate to protected resources. Users can register up to 10 Authenticate OTP credentials in RSA Authenticator.

For example, a user who is a contractor for both Company A and Company B can use a single device to perform step-up authentication
to access both companies. The user registers the device for one company and uses the My Accounts screen to add additional
credentials as needed.

An administrator might use a single device for testing the behavior of the RSA Authenticator for a company's testing environment and
production environment. If each environment has a unique company ID, the administrator adds a credential for each company. Or if
each environment uses the same company ID but has a unique user ID, the administrator adds a credential for each user ID.

If an administrator for one credential uses the Cloud Administration Console to delete a user's registered device, the RSA Authenticator
on the user's device continues to work normally for any other credential. The activity from one account does not affect the app behavior
for other credentials.


Chapter 5: Managing RSA Authenticator for Windows
Home 24

Types of Credentials 25

Add SecurID OTP Credential 27

Add Authenticate OTP Credential 32

MFA Credentials PIN Management 34

Manage Credentials 36

Rename a Credential Card 36

Delete a Credential 36

View Credential Card Information 36

Settings 37

Device Password 37

About 38

Export Logs 38

Home
The Home page lets you access all the credentials that you have registered or added to SecurID Authenticator for Microsoft Windows.

Credential

A credential is an authenticator account that generates a one-time password (OTP) and push notifications (approve or biometric
authentication). Each credential is unique and bound to your device. If you have multiple credential cards, you can identify each card by
its name, which can be changed for easy identification.

If you have multiple credentials, you can arrange them in the order you wish. To rearrange a credential, select it, and then drag and drop
it to a position within the Home page.


Types of Credentials
RSA Authenticator for Microsoft Windows allows you to register or add the following three types of credentials:

1. Cloud Authentication Service (CAS)/Authenticate OTP credential

2. Authentication Manager (AM)/SecurID OTP credential

3. DS100 OTP credential

Authenticate OTP Credential


An Authenticate OTP credential is used for multifactor authentication (MFA). When logging in with MFA, you enter your primary
authentication first and then access the RSA Authenticator app to authenticate with the Authenticate OTP credential or a push notification.

Timers: The one-time password (OTP) has a 60-second countdown timer and changes automatically every 60 seconds to
provide stronger authentication.

SecurID OTP Credential


A SecurID OTP credential is used for two-factor authentication (2FA). When logging in with 2FA, you enter your
password first, and then you are asked for an additional authentication to prove your identity. Enter the one-time passcode (OTP)
generated by the app to access a protected resource.


SecurID OTP credentials can generate an OTP in three different ways, and your organization decides which of the three methods to use for
authentication. The three types are explained below.

PinPad: In this card, the PIN is integrated with the OTP. You need a SecurID PIN to generate an OTP. You then use the OTP to
authenticate your identity for accessing a protected resource.

PIN-less: This card does not require any PIN to generate an OTP. You can use the current OTP that is displayed on the device to
authenticate your identity and access a protected resource.

FOB Style: This card requires you to enter a SecurID PIN in the protected resource first and followed by the current OTP displayed on
the card. This is similar to authenticating with a hardware fob that displays passcodes.


RSA DS100 OTP Credential


The RSA DS100 is a cloud-managed, multi-functional hardware authenticator that supports both SecurID one-time password (OTP) and
passwordless FIDO2 authentication in a single device. It works plugged in or unplugged. The device displays OTPs via its LCD when the
button is pushed while not plugged into a USB port, and when plugged in, the button automatically enters the OTP.

Add SecurID OTP Credential


The administrator needs to provision a SecurID OTP credential to a user so that the user can add it to RSA Authenticator for
authentication. The administrator emails users either a URL or an SDTID file attachment along with the appropriate procedure. The users then
use the URL or SDTID file attachment to add the credentials to their RSA Authenticator. A user can add up to 25 SecurID OTP
credentials. The following are the different ways to provision and add SecurID OTP credentials:

l Import AM OTP Credential Using the CT-KIP URL

l Import AM OTP Credential from a CT-KIP URL in an Email

l Import AM OTP Credential from a SDTID File

l Import AM OTP Credential from an Email Attachment

l Import AM OTP Credential from Non-Default Directory

l Import AM OTP Credential Automatically from a Default Directory

l Migrating Existing AM OTP Credentials from RSA SecurID Software Token 5.0 to SecurID Authenticator 6.1.3

Import a SecurID OTP Credential Using the CT-KIP URL


To provision a SecurID OTP credential to users through a CT-KIP URL, the administrator must copy the CT-KIP URL from Authentication
Manager and safely deliver it to users. Following is the CT-KIP URL format:

l URL with activation code: rsaauthenticator://ctkip?scheme=https&url=<AM_Server_FQDN>:7004/ctkip/services/CtkipService&activationCode=<Activation_Code>

l URL without activation code: rsaauthenticator://ctkip?scheme=https&url=<AM_Server_FQDN>:7004/ctkip/services/CtkipService

Note: In the URL, replace <AM_Server_FQDN> with your AM Server Fully Qualified Domain Name (FQDN).

When you send the CT-KIP URL to users, instruct the users to follow the procedure below to import the AM credential into their RSA
Authenticator.

Procedure

1. Click Add Credential from RSA Authenticator .

2. Select Enter Details.

3. Enter the CT-KIP URL in the Enter Registration Code or URL field.

4. Click Submit.

5. Enter the activation code that you have received from your administrator, if prompted.


6. Click Submit.

7. Install a root CA certificate of Authentication Manager or accept the server certificate to proceed, if prompted for a certificate.

8. Click OK in the success message.


The credential is added to the Home page.

Import a SecurID OTP Credential from a CT-KIP URL in an Email


If the administrator sends the CT-KIP URL in an email, the administrator should also provide the following procedure to the users for
importing an AM credential using the CT-KIP URL. The CT-KIP URL format is:

l URL with activation code: rsaauthenticator://ctkip?scheme=https&url=<AM_Server_FQDN>:7004/ctkip/services/CtkipService&activationCode=<Activation_Code>

l URL without activation code: rsaauthenticator://ctkip?scheme=https&url=<AM_Server_FQDN>:7004/ctkip/services/CtkipService

Note: In the URL, you must replace <AM_Server_FQDN> with your AM Server Fully Qualified Domain Name (FQDN).
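A check for the CT-KIP URL format documented above (and in the previous section), added here as an example and not part of the RSA guide: before a URL is sent to users, it confirms the link is well-formed, uses scheme=https, and points at your own Authentication Manager server on port 7004. The expected FQDN is supplied by the caller; the values am.example.com and 123456 below are constructed samples.

```powershell
# Added example (not from the RSA guide): validates a CT-KIP URL against the
# documented format before distribution. $ExpectedFqdn is an assumption the caller supplies.
function Test-CtkipUrl {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $ExpectedFqdn
    )
    $prefix   = 'rsaauthenticator://ctkip?'
    $problems = [System.Collections.Generic.List[string]]::new()

    if (-not $Url.StartsWith($prefix)) {
        $problems.Add("URL does not start with '$prefix'")
        return [pscustomobject]@{ Valid = $false; ActivationCode = $null; Problems = $problems }
    }

    # Split the query into name/value pairs. The url= value is not URL-encoded in the
    # documented format, so split only on '&' and on the first '=' of each pair.
    $params = @{}
    foreach ($pair in $Url.Substring($prefix.Length) -split '&') {
        $name, $value = $pair -split '=', 2
        $params[$name] = $value
    }

    # The seed exchange must run over https; a plain-http scheme is rejected.
    if ($params['scheme'] -ne 'https') {
        $problems.Add("scheme must be https, got '$($params['scheme'])'")
    }

    # The url= value must name your own AM server, port 7004 and the CtkipService path.
    $expectedUrl = "${ExpectedFqdn}:7004/ctkip/services/CtkipService"
    if ($params['url'] -ne $expectedUrl) {
        $problems.Add("url must be '$expectedUrl', got '$($params['url'])'")
    }

    # activationCode is optional, but if present it must not be empty.
    $code = $params['activationCode']
    if ($params.ContainsKey('activationCode') -and [string]::IsNullOrEmpty($code)) {
        $problems.Add('activationCode is present but empty')
    }

    [pscustomobject]@{
        Valid          = ($problems.Count -eq 0)
        ActivationCode = $code
        Problems       = $problems
    }
}

# Constructed sample values covering both documented forms plus one downgraded URL.
$fqdn        = 'am.example.com'
$withCode    = "rsaauthenticator://ctkip?scheme=https&url=${fqdn}:7004/ctkip/services/CtkipService&activationCode=123456"
$withoutCode = "rsaauthenticator://ctkip?scheme=https&url=${fqdn}:7004/ctkip/services/CtkipService"
$badScheme   = "rsaauthenticator://ctkip?scheme=http&url=${fqdn}:7004/ctkip/services/CtkipService"

foreach ($u in $withCode, $withoutCode, $badScheme) {
    $r = Test-CtkipUrl -Url $u -ExpectedFqdn $fqdn
    '{0}  valid={1}  code={2}  {3}' -f $u, $r.Valid, $r.ActivationCode, ($r.Problems -join '; ')
}
```

The first two sample URLs pass; the third is reported as invalid because its scheme is http rather than https.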

Procedure
1. Open the CT-KIP URL email and then click the URL.
The RSA Authenticator app starts automatically.

2. Enter the activation code received in the email, if prompted.


The credential is added to the Home page.

Import a SecurID OTP Credential from a SDTID File


As an administrator, you can store the SDTID file on the user's machine or on a network share. Then, share the location of the SDTID file along
with the following procedure with the user. The user can then import the AM credential using the SDTID file.

Procedure

1. From RSA Authenticator , click Add Credential .

2. Select Import .SDTID File.

3. Do one of the following:

l Drag and drop the .SDTID file provided to you.

l Click Choose File, browse to the location and then select the .SDTID file.

4. Click Import.

Note: If the file is protected with an import password, enter the password to complete the import.

5. Click OK in the success message.

Note: After the SecurID OTP is imported, the app deletes the SDTID file from your local machine.

Import a SecurID OTP Credential from an SDTID File from an Email Attachment or Locally Stored File
An administrator can share the SDTID file with the user as an email attachment. If the attachment is zipped, users need to extract the SDTID
file and then double-click the file. Provide the following procedure to the user for importing an AM credential from the SDTID file.

Procedure
1. Open the email and then double-click the file attachment. For example, “token1.sdtid.”

Note: If the attachment is zipped, extract the SDTID file and then double-click the file.

2. The RSA Authenticator app detects the .SDTID and starts up automatically.

3. Select RSA Authenticator , if prompted to select an application to open the file.

4. Enter the file password, if prompted, and then click OK.

5. Click OK in the success message.

The credential is added to the Home page.

Import a SecurID OTP Credential from Non-Default Directory


An administrator can share the file or use a deployment tool to push it to a non-default directory. In such a scenario, the admin should
provide the following procedure and instruct the user to follow it to import the AM credential.

Procedure
1. Double-click the file attachment. For example, “token1.sdtid.”

Note: If the attachment is zipped, extract the SDTID file and then double-click the file.

2. The RSA Authenticator app detects the .SDTID file and starts up automatically.

3. Select RSA Authenticator , if prompted to select an application to open the file.

4. Enter the file password, if prompted, and then click OK.

5. Click OK in the success message

The credential is added to the Home page.

Import a SecurID OTP Credential Automatically from a Default Directory


The administrator should instruct users to copy the SDTID file shared as an attachment to the default directory on their machine. If the
attachment is zipped, inform the user to extract the SDTID file first and then save it to the default directory.

The default directories are the Desktop or Documents folders on a computer. If the .SDTID files are available in a default directory, RSA
Authenticator can automatically import the SecurID OTP credential when the user opens the app. After successfully importing the
credential, the application deletes the file, as long as the file is not marked read-only or otherwise protected.

Note: If you use a deployment tool to push the file to one of the default directories, the OTP is imported automatically the next time you
start the application.

Procedure
1. Save the SDTID file attachment to one of the default directories.

2. Open the RSA Authenticator app.


The app detects the SDTID file and imports the OTP credentials automatically. If you have multiple SDTID files, the app imports
the credentials one by one.


3. Enter the file password, if prompted, and then click OK.

4. Click OK.

The credentials are added to the Home page.

Import a SecurID OTP Credential Automatically Using CT-KIP


Note: The administrator must have enabled the User SID for CT-KIP activation code policy and the Specify a CT-KIP URL to use
for downloading SecurID OTP credentials.

If you provision SecurID OTP credentials using Dynamic Seed Provisioning (CT-KIP), you can customize RSA Authenticator 6.2 for
Windows to automatically import a SecurID OTP Credential the first time the user starts the application, as long as either of the following
conditions is met:

l The user does not already have a SecurID OTP Credential.

l All the SecurID OTP credentials in the user’s credentials have expired.

Auto-import requires setting the User SID for CT-KIP activation code and Specify a CT-KIP URL to use for downloading SecurID
OTP credentials policies. For more information, see Defining Software Token Policy settings.

Set a PIN for SecurID OTP

You may need to set a PIN immediately after importing a SecurID OTP. These instructions are a general guide; your IT Help Desk will
provide specific information if necessary.

You must reset your PIN if you forget it or it becomes compromised. Use the reset method provided by your IT Help Desk.

1. Connect to your VPN client or protected application on your Microsoft Windows computer.

2. Enter your username and leave the dialog box open.

3. Open the RSA Authenticator app.

4. Perform these steps if your app displays Enter PIN. If you do not see Enter PIN, go to Step 5.

a. Leave the PIN field blank and click Submit to view the OTP.

b. On your Microsoft Windows computer, in the Passcode field, type the OTP, without spaces, and click OK.

c. Enter a PIN that contains 4 to 8 numeric digits, when prompted.

It cannot begin with zero. Memorize the PIN.


d. Confirm the PIN.

You are prompted for a passcode.

e. Return to the Enter PIN screen in the app.

f. Enter the PIN you just created and click Submit.

The passcode appears. This code combines PIN and OTP.

g. Go to the VPN client or application sign-in screen. In the Passcode field, type the passcode without spaces. Click OK.

After you set the PIN, you are ready to sign into applications.

5. Use this method only if you have not performed Step 4.

a. In the VPN client or protected resource screen, enter your username.

b. In the Passcode field, enter the OTP that is displayed in the app, without spaces, and click OK.

OTP displayed in app:

c. Create a PIN that contains 4 to 8 digits, when prompted. It cannot begin with a zero. Memorize the PIN.

d. Enter and confirm the PIN.

You are prompted for a passcode.

e. Click Next OTP in the app. An OTP appears.

f. Enter your PIN, then the OTP in the same field, without spaces, on your Microsoft Windows computer in the Passcode
field.

g. Click OK.

After you set the PIN, you are ready to sign into applications.

Migrating Existing SecurID OTP Credentials from RSA SecurID Software Token 5.0 to RSA
Authenticator 6.2
After installing RSA Authenticator, on the first launch of the app, a user's existing SecurID OTP credentials present in RSA SecurID
Software Token 5.0 are automatically added to the app. All the SecurID OTP credentials are migrated until RSA Authenticator
reaches the maximum limit of 25 SecurID OTP credentials. The remaining SecurID OTP credentials are not migrated; migration is retried
on subsequent launches of RSA Authenticator.

If you are prompted for the RSA Authenticator device password, enter it. If you are prompted for the RSA SecurID Software Token 5.0
device password, enter that device password to complete the migration.


RSA Authenticator supports a maximum of 25 SecurID OTP credentials, including both existing AM credentials and credentials migrated
from RSA SecurID Software Token 5.0. After reaching the maximum number of AM credentials, if a user wants to add an additional
SecurID OTP credential, the user needs to delete an existing SecurID OTP credential from RSA Authenticator and then add the
additional SecurID OTP credential.

The Allow Only one SecurID OTP Credential GPO policy configuration is ignored during migration:

l If the Allow Only one SecurID OTP Credential GPO policy is enabled, RSA Authenticator still attempts to migrate RSA
SecurID Software Token credentials when the application launches. From then on, if the user tries to import a new software credential
after migration while the Allow Only one SecurID OTP Credential GPO policy is enabled, all the migrated SecurID OTP
credentials are removed, and the new SecurID OTP credential is added to RSA Authenticator.

Note:
- On every launch of RSA Authenticator, if a new or not-yet-migrated SecurID OTP credential is present in RSA SecurID Software Token
5.0, the app attempts to migrate it to RSA Authenticator.
- From 6.2 onwards, RSA Authenticator supports migration of credentials from the RSA SecurID Software Token application with
automation enabled, provided SINGLEDATABASE is not enabled.

Add Authenticate OTP Credential


The user can add multiple credentials to a single Microsoft Windows computer for the same company. Each credential must use a
different username. For example, a user can register a Microsoft Windows computer with Company A, then add credentials using
[email protected] for Credential 1 and [email protected] for Credential 2. Alternatively, a user can add credentials for the same
company on different Microsoft Windows computers, using a different username for each credential.

The user can add up to 10 Authenticate OTP credentials in the RSA Authenticator for Microsoft Windows.

Procedure

1. Open RSA Authenticator.

2. Click Add Credential.


3. Select Enter Details, and then enter the following:

- Registration code

- Email Address

- Organization ID

4. Click Submit.

5. Click OK in the success message.

If the credential registration is successful, the credential is added to the home page.

Note: After registration, if the credential displays View OTP, click View OTP and create a PIN to view the OTP.

MFA Credentials PIN Management


The CAS administrator can configure PIN protection for viewing the OTP in the RSA Authenticator app.

If the CAS administrator enables PIN protection for a credential, the user must set a PIN and manage that PIN until the CAS administrator
removes the PIN requirement in CAS or the user deletes the MFA credential.

If a credential requires a PIN to view the OTP, the user must set the PIN. The procedure to set the PIN is explained below.


Set Authenticate OTP PIN


RSA Authenticator for Microsoft Windows supports adding an Authenticate OTP PIN.

Procedure

1. Click View OTP.

The Set PIN dialog is displayed, stating the PIN length required for the OTP credential in RSA Authenticator.

2. Enter a PIN of the length stated by RSA Authenticator in the Enter PIN and Confirm PIN fields.

3. Click Submit.

Note: CAS supports a minimum device PIN length of 4 digits and a maximum device PIN length of 10 digits.

On successful submission of the PIN, the Authenticate OTP is displayed.

Change Authenticate OTP PIN


Use the following instructions to change an existing Authenticate OTP PIN.

Procedure
1. Click View OTP.

2. Click Change PIN in the Enter PIN field.

3. Enter the existing PIN in the Old PIN field.

4. Enter a new PIN in the New PIN field.

5. Reenter the new PIN in the Confirm PIN field, and click Submit.

Note: The CAS server administrator can change the minimum required PIN length at any time. After the PIN policy in CAS is changed to
a higher minimum, the user is prompted to change the PIN in RSA Authenticator.

View Authenticate OTP


Use the following instructions to view Authenticate OTP.

Procedure

1. Click View OTP.

2. Enter the PIN that you set in the Enter PIN field.

3. Click Submit.

The Authenticate OTP is displayed for 4 minutes after successful submission of the PIN.

Reset Authenticate OTP PIN


If you forget your Authenticate OTP PIN or it is locked, you must delete all Authenticate OTP credentials that require a PIN to view the
OTP, and then reregister the credentials.

Note: The Authenticate OTP PIN is locked after a maximum of 5 wrong PIN attempts.


Manage Credentials
Rename a Credential Card
If a user has multiple credential cards with the default name, the user can rename the credential cards for easy identification.

Note: To rename a SecurID OTP credential, you require edit permission from your administrator.

1. Select a credential card from RSA Authenticator.

2. Click Edit.

3. Rename the card.

4. Click Save to save the name.

5. Enter the device password, if prompted.

6. Click OK.

Delete a Credential
Users can delete a SecurID OTP credential only if they have the delete permission.

1. Select a credential card from RSA Authenticator.

2. Click Delete.

3. Enter the device password, if prompted.

4. Click OK.

View Credential Card Information


1. Click Info to view the card information.

- A CAS credential card displays Credential Name and the Organization ID.

  - Credential Name: The user-friendly name of the credential if it exists. Otherwise, the column displays the
  Company Name.

  - Organization ID: Name of the organization where this credential is distributed and managed.

- An AM credential card displays Credential Name, Serial Number, and Expiration Date.

  - Credential Name: The user-friendly name of the credential if it exists. Otherwise, the column displays the
  Serial Number.


  - Serial Number: The serial number that identifies the SecurID OTP credential to Authentication Manager.

  - Expiration Date: The date when the installed SecurID OTP credential expires. SecurID OTP credentials expire on the expiration
  date at 00:00:01 UTC.

Obtaining the Next OTP


Under some conditions, an application that is protected by RSA may prompt the user to enter a SecurID OTP to provide additional
verification. The user can obtain the SecurID OTP from RSA Authenticator. The next passcode is required:

- If the user has a PIN Pad-style OTP credential. A PIN Pad-style credential requires the user to enter his or her SecurID PIN to
generate an OTP.

- If the user has a fob-style software credential. It is similar to an RSA hardware fob, such as the SID700.

Enter the Next OTP

Use the following procedure to obtain and enter the next OTP.

Procedure

1. Select a SecurID OTP Credential.

2. Enter a PIN to get the next OTP if the SecurID OTP credential is PIN Pad style. Skip this step for fob-style or PINless SecurID
OTP credentials.

3. Click Next OTP.

The next OTP is displayed.

Disable Next OTP Mode


After a user submits the next OTP, the RSA Authenticator application remains in Next OTP mode until the user clicks Show Current OTP.

- To disable Next OTP mode, click the Show Current OTP icon.

Settings
Users can view information about the device on which their SecurID OTP credentials are stored. Users can also manage the device
password that protects their SecurID OTP credentials.

To view the device information, click Settings. The Device Information is displayed.

Device Password
The device password provides an additional layer of protection for all of a user's SecurID OTP credentials. It ensures that only the user
who set the device password can access, view, and manage those credentials. A user can set, change, or remove the device password
only if the user has the permission to do so.

Set a Device Password


The user can set the device password by performing the following procedure:

1. Click Settings and then click Set Device Password.

2. Enter new password and then confirm the new password.

3. Click Set Device Password.

Change the Device Password


The user can change the device password by performing the following procedure:

1. Click Settings and then click Change Device Password.

2. Enter your current device password.

3. Enter a new password and then confirm the new password.

4. Click Change Device Password.

Remove Device Password


Removing the device password removes the additional protection for the user's OTP credentials stored on the local hard drive.

1. Click Settings and then click Remove Device Password.

2. Enter your current device password.

3. Click Remove.

Clear All SecurID OTP Credentials and Device Password


If a user forgets the device password, the user must clear all the Authentication Manager software OTP credentials on the device. After
clearing the OTP credentials, the user must request new credentials. Ask the user to perform the following steps to clear the OTP
credentials in RSA Authenticator:

1. Click Settings and then click Clear OTP Credentials.

2. Click Continue to confirm.

3. Click OK.

About
The About page displays the details of app version, publisher, and company’s privacy policy.

Export Logs
The RSA Authenticator app records all credential-related operations in log files. The user can export the log files in zip format using the
Export Logs option. The app keeps at most 30 days of logs, with up to 10 files per day and each file up to 10 MB in size. After the
maximum is reached, the oldest log files are deleted. Users can export the logs to a custom location or to the default Documents folder.

If a user encounters any issues with RSA Authenticator, ask the user to send you the log files to help you troubleshoot the issue.

Procedure

1. Click About.


2. Click Export logs.

3. Select the location where to export the logs.

4. Click Save.

Chapter 6: RSA DS100


Prerequisites 40

Software Components 40

RSA FIDO Management Service for RSA DS100 40

What a User Needs to Do 41

High Level RSA DS100 Deployment Steps 41

Deploy the RSA FIDO Management Service 41

RSA FIDO Management Service Install (via GUI) 41

RSA FIDO Management Service Install (via command line) 42

Enable DS100 Registration in MyPage 42

End User RSA DS100 Registration 43

Register a Credential on the RSA DS100 Using the My Page Self-Service Portal 43

Change the RSA DS100 OTP PIN from My Page 44

Authenticating Using RSA DS100 44

Authenticate Using RSA DS100 OTP Credential to a Web Application 45

Authenticate Using RSA DS100 OTP Credential to a VPN application 45

Managing an RSA DS100 45

View RSA DS100 OTP Credential in RSA Authenticator 46

Change the PIN for RSA DS100 OTP Credential from RSA Authenticator 46

Deleting RSA DS100 OTP Credential 46

Set FIDO PIN 47

Change FIDO PIN 47

Reset FIDO to Factory Defaults 48

Update RSA DS100 Firmware 48

The RSA DS100 supports both FIDO2 and one-time password (OTP) authentication. It is a passwordless, multi-function hardware
authenticator that works plugged in or unplugged. It adds an extra layer of security when a user signs in to accounts and is safer than
using only a password.

- OTP authentication: When the device is not plugged into a USB port, pushing the button displays an OTP on its LCD. When it is
plugged in, pushing the button automatically enters the OTP.

- FIDO authentication: The RSA DS100 provides a user with the secure, convenient capabilities of a FIDO Security Key, including
passwordless authentication, if enabled by an administrator.

Prerequisites
The prerequisites for registering and using the RSA DS100 are:

- An RSA DS100 hardware authenticator

- 64-bit Windows 10 1903 and higher (build 1836+), Windows 11, Windows Server 2022

- Internet connectivity to the RSA Cloud Authentication Service (CAS)

- USB-C port (also works through a 3rd party USB-C to USB-A adapter)

- The user's system must have the RSA FIDO Management Service v1.1.0 or later installed and running, or the user must have
administrator privileges

- Users are NOT blocked from installing RSA Authenticator via the Microsoft Store, or a Windows administrator installs RSA
Authenticator 6.2 or later for non-admin users (via a DISM sideload install).

Software Components

| Software | Description | Obtained from | Installed by |
|---|---|---|---|
| RSA Authenticator 6.2 or later for Windows | A Microsoft Store WPF application that is required for dynamic OTP seeding and management of RSA DS100s. | 1. Microsoft Store 2. RSA Community | 1. Any end user 2. Windows Administrator |
| RSA FIDO Management Service 1.1.0 or later | A Windows Service that enables RSA Authenticator 6.2 or later to communicate with FIDO devices, such as the RSA DS100. Microsoft blocks applications on Windows that weren't launched using Run as administrator from communicating directly with any type of FIDO device via the FIDO CTAP protocol. This service overcomes the Windows block. | RSA Community | Windows Administrator |

RSA FIDO Management Service for RSA DS100


Windows 10 or later blocks all applications from communicating with FIDO Security Keys, like the RSA DS100, unless the application
was developed by Microsoft, is a web browser, or is launched using Run as administrator. Most users in an organization do not have
admin rights, so they are unable to use the Run as administrator option.

The RSA FIDO Management Service 1.1.0 or later should be installed and running on a Windows computer so that any user, regardless
of their administrator rights, can use RSA Authenticator to manage the RSA DS100. If the RSA FIDO Management Service is not
installed, the user has Windows administrator permissions, and an RSA DS100 or other FIDO Security Key is detected, RSA
Authenticator prompts the user to run it with admin privileges. The RSA FIDO Management Service 1.1.0 or later is available for
download from the RSA Community. If a user does not have the admin permissions to install the RSA FIDO Management Service, the
user should contact the IT administrator.

What a User Needs to Do


When a user receives the RSA DS100 hardware authenticator, the first thing to do is to register it via the organization's My Page self-
service web portal and add a FIDO credential and/or OTP credential so the user can use it to authenticate. An IT administrator typically
mails the URL for My Page to each user. Users that need the URL should contact their IT administrator or customer service
representative.

High Level RSA DS100 Deployment Steps


Administrators

1. Deploy or install the RSA FIDO Management Service on end-user computers.

2. Deploy RSA Authenticator 6.2 or later for Windows via DISM sideload on end-user computers, if installing apps from the
Microsoft Store is blocked.

3. Enable users to register DS100s on MyPage (FIDO and/or OTP credentials) in the CAS Admin Console.

4. Distribute RSA DS100s to users.

End Users

Log in to My Page and follow the prompts to register the RSA DS100 (this includes installing RSA Authenticator 6.2 or later for Windows
from the Microsoft Store if an admin did not perform step 2 above).

Deploy the RSA FIDO Management Service


The RSA FIDO Management Service is very small, only 1.11 MB. It can be installed via its GUI installer for testing by IT staff that have
Windows administrator permissions.

Distribution and installation via a Windows Group Policy or an organization's Software Configuration Management (SCM) tool by IT staff
is recommended for end users that lack Windows administrator permissions.

RSA FIDO Management Service Install (via GUI)


1. Download the RSA FIDO Management Service from the RSA Community:

https://community.rsa.com/rsa-fido-management-service-for-microsoft-windows

2. Double-click the file rsa_fido_management_service_1.1.0.zip to open it.

3. Drag the .MSI installer file to the desktop or other convenient location and launch it.

4. Click Next.

5. Select the I accept the terms in the license agreement option, then click Next.

6. Click Install.


7. When Windows puts up the User Account Control dialog asking if changes are allowed, click Yes.

IMPORTANT: If you see a dialog that is yellow and says the app is from an unknown developer, see the Troubleshooting
section of this guide.

8. Click Finish.

RSA FIDO Management Service Install (via command line)


Below is the syntax for performing a silent install / uninstall of the RSA FIDO Management Service via the command line. It is
recommended to perform bulk distribution and installation via a Windows Group Policy or an organization's Software Configuration
Management (SCM) tool for users that are not Windows administrators.

1. Double-click the file rsa_fido_management_service_1.1.0.zip to open it.

2. Drag the .MSI installer file to the desktop or another convenient location.

3. Launch the Command Prompt (cmd) with "Run as administrator".

4. Navigate to the file system location where the installer is located.

5. Use the following command to perform an automated, silent install:

msiexec /i "RSA FIDO Management Service (x64).msi" /qn

Additional commands:

Uninstall silent mode: msiexec /x "RSA FIDO Management Service (x64).msi" /qn
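As an added example, not part of the RSA guide, the following PowerShell script wraps the silent install command above with a verbose MSI log and an exit-code check, which is what a deployment script pushed via Group Policy or an SCM tool needs to report success or failure. The log location and the service display-name pattern used for the final check are assumptions, not values documented by RSA.

```powershell
# Added example, not from the RSA guide: silent install of the RSA FIDO Management Service
# with a verbose MSI log and an exit-code check. Run from an elevated PowerShell session
# in the folder that holds the extracted .MSI (step 2 above).
$msi = 'RSA FIDO Management Service (x64).msi'               # file name from the guide
$log = Join-Path $env:TEMP 'rsa_fido_service_install.log'   # assumed log location

if (-not (Test-Path $msi)) { throw "Installer not found: $msi" }

# /qn = no UI (as in the guide); /l*v = verbose log so a failed push can be diagnosed.
$p = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList @('/i', "`"$msi`"", '/qn', '/l*v', "`"$log`"") `
        -Wait -PassThru

switch ($p.ExitCode) {
    0       { 'Installed.' }
    3010    { 'Installed; a reboot is required before the service is usable.' }  # ERROR_SUCCESS_REBOOT_REQUIRED
    1641    { 'Installed; Windows Installer initiated a reboot.' }               # ERROR_SUCCESS_REBOOT_INITIATED
    default { throw "msiexec failed with exit code $($p.ExitCode); see $log" }
}

# The guide only says the service must be "installed and running"; the display-name
# pattern below is an assumption, not a service name documented by RSA.
$svc = Get-Service -DisplayName 'RSA FIDO*' -ErrorAction SilentlyContinue
if ($svc) {
    $svc | Select-Object Name, DisplayName, Status, StartType
} else {
    Write-Warning 'No service matching "RSA FIDO*" was found; check the MSI log.'
}
```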

Enable DS100 Registration in MyPage


RSA DS100 registration of FIDO credentials and OTP credentials on MyPage must be enabled in the Cloud Service Admin Console.
Use the following steps:

1. Log in to your tenant's admin console.

2. Go to Access > MyPage > Self Service.

3. The three check boxes in the red box from the following screenshot should be visible in your admin console. If they are not
visible, contact your RSA Sales Engineer to have RSA DS100 support enabled in your organization's tenant.

4. Make sure all three check boxes shown in the red box in the screenshot above are selected.

5. Click Save.

6. Click Publish Changes to make the change active.

End User RSA DS100 Registration


Give the user an RSA DS100 (any unit will do) and have them perform the following steps:

1. Log in to My Page.

2. Click My Authenticators in the left panel if it's not already selected.

3. Click Register an authenticator.

4. Select DS100.

5. Follow the on-screen prompts in steps 1 & 2 to register a FIDO credential on the RSA DS100.

6. Follow the on-screen prompts in steps 3-5 to register a One Time Password (OTP) credential.

Register a Credential on the RSA DS100 Using the My Page Self-Service Portal
My Page enables a user to register a FIDO and OTP credential to the DS100. FIDO credentials are completely on My Page and use the
web browser, whereas an OTP credential registration starts on My Page but requires RSA Authenticator to add the OTP credential. The
RSA DS100 hardware authenticator can hold only one OTP credential.

To register an OTP credential on an RSA DS100, a user should follow the procedure below.

1. Open the email with the My Page URL received from the IT administrator.

2. Enter the URL for My Page and log in by following the instructions provided by the administrator.

3. Click My Authenticators, if not already on that panel.

4. Click Register an authenticator.

5. Select RSA DS100 from the Choose an authenticator to register page.

6. Follow the on-screen instructions for registering a FIDO credential, if required by the admin.

Note: Setting a FIDO PIN may be required. This PIN is stored in the DS100.

7. After FIDO registration is complete, continue with OTP credential registration in My Page.

8. Install the RSA Authenticator app from the Microsoft Store if it is not already installed.

9. Click Open RSA Authenticator app from My Page.

RSA Authenticator opens with the details to register the OTP credential pre-entered.

10. Click Submit in the Authenticator app to add the OTP credential.

11. Click Done in the Authenticator app.

12. Return to My Page to set an OTP PIN if required by the administrator.

Note: This is a different PIN than the FIDO PIN. The OTP PIN is stored in the Cloud Authentication Service.

IMPORTANT: If the admin requires setting an OTP PIN, the user must set the PIN on My Page. If an OTP PIN is required but not set,
every authentication with the RSA DS100 OTP credential will be unsuccessful.

Change the RSA DS100 OTP PIN from My Page


A user should follow the below procedure to change the RSA DS100 OTP PIN from My Page.

1. Log in to My Page.

2. Expand RSA DS100 Hardware Authenticator from My Authenticators tab.

3. Click Change OTP PIN.

4. Enter the current PIN and then enter and confirm the new PIN.

5. Click Submit.

Authenticating Using RSA DS100


Using the RSA DS100 OTP credential, users can authenticate to a Web application and/or a VPN application.

- Authenticate Using DS100 OTP Credential to a Web Application

- Authenticate Using DS100 OTP Credential to a VPN application

Authenticate Using RSA DS100 OTP Credential to a Web Application
To authenticate using the RSA DS100 OTP credential to a Web application, a user should follow the below procedure.

1. Go to the web application where the user wants to log in, or go to My Page.

2. Enter username and password.

3. Enter the OTP PIN in the Enter OTP screen.

4. Enter the OTP by doing one of the following:

a. Press the button on the RSA DS100 to display an OTP on the LCD screen, then type it in.

b. Insert the RSA DS100 in the USB port and press the button to automatically enter the OTP.

Note: The OTP PIN and the OTP are entered in the same field.

5. Click Submit.

Authenticate Using RSA DS100 OTP Credential to a VPN Application
To authenticate using the RSA DS100 OTP credential to a VPN application, a user should follow the below procedure.

1. Launch the VPN application.

2. Enter username and password.

3. Enter the OTP PIN.

4. Enter the OTP by doing one of the following:

a. Press the button on the RSA DS100 to display an OTP on the LCD screen then type it in.

b. Insert the RSA DS100 in the USB port and press the button to automatically enter the OTP.

Note: The OTP PIN and the OTP are entered in the same field.

5. Click Submit.

Managing an RSA DS100


RSA DS100 users can manage their credentials as following:

- View the DS100 OTP credential in SecurID Authenticator

- Change the PIN for DS100 OTP Credential from SecurID Authenticator

- Delete a DS100 OTP credential

- Set FIDO PIN

- Change FIDO PIN

- Reset DS100 to factory defaults

- Update DS100 firmware

View RSA DS100 OTP Credential in RSA Authenticator


1. From the Home page of RSA Authenticator, click Manage for an RSA DS100.

2. Click the OTP tab to view an RSA DS100's OTP credentials.

Change the PIN for RSA DS100 OTP Credential from RSA Authenticator
1. Click Manage for an RSA DS100 from the Home page of RSA Authenticator.

2. Click the OTP tab to view an RSA DS100's OTP credentials.

3. Select a credential that needs a PIN change.

4. Click the Change PIN (In My Page) link.

5. Follow the authentication prompts to log into My Page, if you are not already logged into My Page.

6. Expand RSA DS100 Hardware Authenticator.

7. Click Change OTP PIN.

8. Enter the current PIN and then enter and confirm the new PIN.

9. Click Submit.

Deleting RSA DS100 OTP Credential


Deleting OTP Credentials
RSA DS100 OTP credentials must be deleted from BOTH the RSA DS100 (via the RSA Authenticator app) AND the cloud service (via
MyPage for users or the Admin Console for admins).

Deleting an OTP credential in one location does not affect its presence in the other location; however, deleting it in either location makes
that OTP credential permanently unusable for authentication.

Deleting an OTP credential from RSA DS100


1. Launch RSA Authenticator.

2. Insert the RSA DS100 in the USB port.

3. Look for the RSA DS100 card in RSA Authenticator, and click the Manage button.

4. Click the OTP tab.

5. Select the OTP credential and then click the Delete icon in the upper-right portion of the card.

6. Click Delete when the confirmation dialog appears.

Deleting an RSA DS100 OTP credential from the cloud service via MyPage (end user)

1. Log in to My Page.

2. Click My Authenticators left panel tab if it is not already selected.

3. Hover the pointer over the RSA DS100 OTP credential so that a delete icon appears at the far right.

4. Click the Delete icon.

5. Click Delete when the confirmation dialog appears.

Deleting an RSA DS100 from the cloud service via the Admin Console (cloud administrator)

1. Log in to the Admin Console.

2. Go to Users > Management and enter the user's name, email address, or username to search for and display the user's
information.

3. Click Delete next to the OTP credential.

4. Click Delete when the confirmation dialog appears.

Set FIDO PIN


A user can set a PIN containing from 4 to 63 characters.

1. Click Manage from the Home page of RSA Authenticator.

2. Click Set PIN from the FIDO tab.

3. Enter a PIN and then confirm the PIN.

4. Click Set FIDO PIN.

Change FIDO PIN


1. Click Manage from the Home page of RSA Authenticator.

2. Click Change PIN from the FIDO tab.


3. Enter the current PIN, new PIN, and then confirm the new PIN.

4. Click Change FIDO PIN.

Reset FIDO to Factory Defaults


1. Click Manage from the Home page of RSA Authenticator.

2. Click Reset FIDO from the FIDO tab.

3. Click Reset.

4. Unplug and then re-insert the RSA DS100 into the USB port.

5. Press the RSA DS100 button when prompted to do so.

Update RSA DS100 Firmware


1. Click Manage from the Home page of RSA Authenticator.

2. Do one of the following from the Firmware tab:

a. Enter the file path to the firmware file.

b. Click Browse to locate and select the firmware file.

3. Click Update. The update may take up to 60 seconds.

Caution: Users should not unplug their RSA DS100 hardware authenticator until the update is completed. After the update, RSA
DS100 reboots automatically to apply the new firmware version. If the RSA DS100 is unplugged while rebooting (the LCD
screen is blank), it can permanently damage the RSA DS100.

4. When the update is successful, click Done.

Chapter 7: Group Policy Template


RSA Authenticator Group Policy Object Template 49

SecurID Token Settings 49

Installing Group Policy Object Template 50

Installing the RSA Authenticator Group Policy Object Template 50

Install the Template on a Windows Computer 50

Install the Template on the Domain Controller 50

Defining the Policy Settings 51

Accessing the Group Policy Object Template 51

Access the Template on a Domain Controller 51


Access the Template on a Windows Computer 51

Policy Settings 52

Defining Software Token Settings 52

Allow only one AM OTP credential 52

Do not allow users to delete SecurID OTP credentials 53

Do not allow users to change SecurID OTP credential nickname 55

Do not allow users to configure the device password 56

Days before SecurID OTP credential expiration notification is displayed 57

Specify a SecurID OTP credential renewal URL 59

Specify a CT-KIP URL to use for downloading SecurID OTP Credential 60

User SID for CT-KIP activation code Procedure 61

Exclude RSA SecurID Software Token 5.0 GPO Settings 62

Unsupported Features 64

RSA Authenticator Group Policy Object Template


The RSA Authenticator Group Policy Object (GPO) template allows you to manage SecurID OTP Credentials in an app using group
policies. The template is also available separately as a zip RSA_Authenticator_6.2.0_Microsoft_Windows_GPO_Templates.zip.

RSA Authenticator group policies allow you to apply policy settings to the appropriate computers. Typically, you copy the template into
the defined directory on your domain controller and then define the RSA Authenticator policy settings in the templates. Each computer
within the domain automatically downloads the settings and loads them into the Microsoft Windows registry. Windows stores them in the
Registry Editor keys under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SecurID\SecurID Authenticator\Software Token Settings.
Each Windows computer must be part of a domain.

If you change policy settings, the new settings override any previous settings. In domain environments, all computers wait for specified
refresh intervals before updating their settings. When the refresh process ends, the settings associated with the templates are loaded
into the Windows registry.

Note: To ensure that users cannot change the default (or another setting), you must install the template, make any changes, and
enforce the policy on the domain controller. For more information about enforcing a policy, see the Windows Server documentation.

SecurID Token Settings


The SecurID Token Settings template contains policy settings to define how the software credentials are managed in RSA Authenticator.

The following policy settings are available:

1. Allow only one AM OTP credential

2. Do not allow users to delete AM OTP credentials


3. Do not allow users to change AM OTP credential nickname

4. Do not allow users to configure the device password

5. Days before AM OTP credential expiration notification is displayed

6. Specify an AM OTP credential renewal URL

7. Specify a CT-KIP URL to use for downloading AM OTP credentials

8. Exclude RSA SecurID Software Token 5.0 GPO Settings

9. User SID for CT-KIP activation code

Installing Group Policy Object Template


Installing the RSA Authenticator Group Policy Object Template
Group Policy is a feature of Microsoft Windows. RSA recommends that before you deploy the RSA Authenticator Group Policy Object
template, you become familiar with Microsoft Windows Group Policy concepts and best practices. For more information, search the
Microsoft Support website at https://support.microsoft.com/en-us.

The RSA Authenticator GPO template will be available on the RSA Website. If you want to apply the policies' settings to multiple
computers in a domain, see Install the Template on the Domain Controller below.

If you do not want to apply the policies' settings to all the computers in the domain, you can apply the policies to specific computers. For
more information about applying the settings to specific computers, see Install the Template on a Windows Computer.

Install the Template on a Windows Computer


To install the template, copy the complete contents of the PolicyTemplates folder in the RSA_Authenticator_6.2.0_Microsoft_Windows_
GPO_Templates.zip package to C:\Windows\PolicyDefinitions on the computer, preserving the existing subfolder structure.

Install the Template on the Domain Controller


Install the template by copying it to the appropriate local directory or shared network location.

Procedure
Do one of the following to install the template on a Windows Server domain controller:

1. Copy the complete contents of the PolicyTemplates folder in the RSA_Authenticator_6.2.0_Microsoft_Windows_GPO_
Templates.zip package to C:\Windows\PolicyDefinitions on the domain controller, preserving the existing subfolder
structure.

2. Copy the complete contents of the PolicyTemplates folder in the RSA_Authenticator_6.2.0_Microsoft_Windows_GPO_
Templates.zip package to the following shared network location on the domain controller, preserving the existing subfolder
structure: \\domain_name\SYSVOL\domain_name\Policies\PolicyDefinitions, where domain_name is the name of the domain
containing the servers where the policy settings will apply. Create the PolicyDefinitions folder if it does not already exist.
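As an added example, not part of the RSA guide, the following PowerShell script performs the copy described in the two options above into the domain Central Store (falling back to the local PolicyDefinitions folder on a computer that is not domain-joined), verifies that each .admx file landed with its .adml language file, and then reads back the registry key named under RSA Authenticator Group Policy Object Template so an administrator can confirm which settings actually reached a domain member. Assumptions: the zip is in the Downloads folder and contains a PolicyTemplates folder laid out as the guide describes.

```powershell
# Added example, not from the RSA guide: install the RSA Authenticator ADMX template
# into the Central Store (or the local PolicyDefinitions folder) and verify the copy,
# then read back the policy key the guide names.
$ErrorActionPreference = 'Stop'

# Assumed download location; the zip name is the one given in the guide.
$zip    = Join-Path $env:USERPROFILE 'Downloads\RSA_Authenticator_6.2.0_Microsoft_Windows_GPO_Templates.zip'
$domain = $env:USERDNSDOMAIN   # empty on a workgroup machine, so fall back to the local store
$dest   = if ($domain) { "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions" } else { Join-Path $env:SystemRoot 'PolicyDefinitions' }

$staging = Join-Path $env:TEMP 'rsa_gpo_template'
if (Test-Path $staging) { Remove-Item $staging -Recurse -Force }
Expand-Archive -Path $zip -DestinationPath $staging

# The guide says to copy the *contents* of PolicyTemplates, preserving subfolders
# (the language subfolders such as en-US hold the .adml files).
$src = Get-ChildItem -Path $staging -Directory -Recurse -Filter 'PolicyTemplates' | Select-Object -First 1
if (-not $src) { throw "PolicyTemplates folder not found in $zip" }
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Copy-Item -Path (Join-Path $src.FullName '*') -Destination $dest -Recurse -Force

# Verify: each .admx must be present at the same relative path with a matching .adml
# somewhere below the store, or the Group Policy editor reports an error loading it.
foreach ($admx in Get-ChildItem $src.FullName -Filter '*.admx' -Recurse) {
    $rel    = $admx.FullName.Substring($src.FullName.Length).TrimStart('\')
    $copied = Test-Path (Join-Path $dest $rel)
    $base   = [IO.Path]::GetFileNameWithoutExtension($admx.Name)
    $adml   = @(Get-ChildItem $dest -Recurse -Filter "$base.adml" -ErrorAction SilentlyContinue)
    '{0}: copied={1} adml files={2}' -f $rel, $copied, $adml.Count
}

# On a domain member, after the refresh interval (or gpupdate /force), the enforced
# settings appear under the key named in the guide. No key means every policy is
# still Not Configured on this computer.
$key = 'HKLM:\SOFTWARE\Policies\SecurID\SecurID Authenticator\Software Token Settings'
if (Test-Path $key) {
    Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* | Format-List
} else {
    "No RSA Authenticator policy applied on $env:COMPUTERNAME (key absent)."
}
```

Run the first part on the domain controller (or the target computer for a local install) with administrator rights; the registry check at the end is only meaningful on a domain member after the policy has been enabled and refreshed.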


The policies in the RSA Authenticator GPO template are installed in the default Not Configured state, and additional steps are required
to configure the settings and apply them to a domain policy. For more information, see Defining Software Token Settings.

Defining the Policy Settings


Accessing the Group Policy Object Template
This section describes how to access the template and define settings. It includes instructions for domain controllers and Windows
computers that are not subject to Group Policy. The example procedures include screens from a Windows Server operating system.

Note: Make sure that you have installed the template. For more information, see Installing Group Policy Object Template.

Access the Template on a Domain Controller


This section describes how to access the template to view and define settings.

Procedure
1. Click Start > Administrative Tools > Group Policy Management.

2. Double-click the domain name in the left-hand frame to expand it, if necessary.

3. Double-click Group Policy Objects to expand it, if necessary.

4. Right-click the policy with the template you need to edit, for example, Default Domain Policy, and click Edit.

5. Double-click Policies from Computer Configuration.

6. Double-click Administrative Templates: Policy definitions (ADMX files).

7. Double-click RSA.

Access the policy settings by double-clicking the folders.

Access the Template on a Windows Computer


This section describes how to access the template to view and define settings with the Local Group Policy Editor.

Procedure
1. Click Start > Run > Group Policy Management.

2. Double-click Administrative Templates.

3. Double-click RSA.

4. Double-click RSA Authenticator.

5. Double-click Software Token Settings.

Access the policy settings by double-clicking the folders.


Policy Settings
You define the policy settings by selecting one of the following options:

• Not Configured. This is the default setting of an installed policy.

• Enabled. You activate a policy setting by enabling it.

• Disabled. When you select Disabled for a policy, you deactivate the setting that was previously enabled.

Disabled is not the same as Not Configured. Not Configured is the default setting of an installed policy. You must select Enabled to
activate a policy that is Not Configured. Review each policy setting carefully.

For more information on Microsoft Windows Group Policy concepts and best practices, search the Microsoft Support website at
https://support.microsoft.com/en-us.
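To see which of the three states each RSA policy is actually in on a managed computer, here is an added PowerShell audit script (not RSA's code and not part of the guide). It parses the RSA ADMX files in the PolicyDefinitions folder, reads the registry key and value name each policy writes, and reports Not Configured, Enabled or Disabled by comparing the stored value with the ADMX enabledValue and disabledValue. The ADMX file-name filter and the PolicyDefinitions path are assumptions passed as parameters.

```powershell
<#
  Added example (not part of the RSA guide): report the state of every policy defined in the RSA ADMX files.
  Assumptions: the RSA ADMX file names contain "RSA" (adjust -AdmxFilter otherwise) and the files are installed
  in the local PolicyDefinitions folder. Run on a computer that has already received the policy (after gpupdate).
#>
param(
    [string]$PolicyDefinitions = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
    [string]$AdmxFilter = '*RSA*'
)

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Missing key or missing value both mean "no policy value written".
    try { Get-ItemPropertyValue -LiteralPath $Path -Name $Name -ErrorAction Stop } catch { $null }
}

function Get-AdmxPolicyState {
    param([string]$Folder, [string]$Filter)
    foreach ($File in Get-ChildItem -LiteralPath $Folder -Filter "$Filter.admx" -File) {
        [xml]$Admx = Get-Content -LiteralPath $File.FullName -Raw
        foreach ($Policy in $Admx.policyDefinitions.policies.policy) {
            # class="User" policies live under HKCU; "Machine" (and "Both") are read from HKLM here.
            $Hive  = if ($Policy.class -eq 'User') { 'HKCU:' } else { 'HKLM:' }
            $Key   = "$Hive\$($Policy.key)"
            $State = 'Not Configured'
            $Value = $null

            if ($Policy.valueName) {
                # Simple on/off policy: compare the stored value with the ADMX enabledValue/disabledValue.
                $Value = Get-RegistryValueOrNull -Path $Key -Name $Policy.valueName
                if ($null -ne $Value) {
                    $Enabled  = $Policy.enabledValue.decimal.value
                    $Disabled = $Policy.disabledValue.decimal.value
                    $State = switch ("$Value") {
                        $Enabled  { 'Enabled' }
                        $Disabled { 'Disabled' }
                        default   { "Configured (raw value $Value)" }
                    }
                }
            } else {
                # Policy that only carries data elements (a day count, a URL): it is Enabled when any element
                # value exists. Disabled removes the values, so it is indistinguishable from Not Configured here.
                foreach ($Element in $Policy.elements.ChildNodes) {
                    $ElementKey = if ($Element.key) { "$Hive\$($Element.key)" } else { $Key }
                    $V = Get-RegistryValueOrNull -Path $ElementKey -Name $Element.valueName
                    if ($null -ne $V) { $State = 'Enabled'; $Value = $V }
                }
            }

            [pscustomobject]@{
                File      = $File.Name
                Policy    = $Policy.name
                Class     = $Policy.class
                Key       = $Policy.key
                ValueName = $Policy.valueName
                State     = $State
                Value     = $Value
            }
        }
    }
}

Get-AdmxPolicyState -Folder $PolicyDefinitions -Filter $AdmxFilter | Format-Table -AutoSize
```

For element-only policies, Disabled and Not Configured both leave no value in the registry, so for those rely on the Group Policy editor or gpresult for the authoritative state; the script's value is in confirming that an Enabled policy has really landed on the computer after the refresh interval.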

Defining Software Token Settings


The Software Token Settings folder contains a set of GPO settings that control the actions a user can perform on SecurID OTP
credentials.

Note: If an RSA Authenticator GPO setting is not configured, RSA Authenticator honors the corresponding RSA SecurID Desktop
Token GPO setting from the 5.x Authenticator, if configured, unless the Exclude RSA SecurID Software Token 5.0 GPO Settings policy
is enabled.

Allow only one AM OTP credential


Restricts the number of SecurID OTP credentials to one for each user. Importing a second credential overrides all the existing SecurID
OTP credentials.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template.

2. Access the templates as described in Accessing the Group Policy Object Template (for a single computer, see Access the
Template on a Windows Computer).

3. Double-click the Software Token Settings folder.

4. In the right pane of the dialog box, double-click Allow only one AM OTP credential. A dialog box opens with a definition of
the policy.

5. Select one of the following:

• Not Configured. In this state, each user can import a maximum of 25 SecurID OTP credentials.

• Enabled. In this state, each user can hold only one SecurID OTP credential.

• Disabled. In this state, each user can import a maximum of 25 SecurID OTP credentials.

6. Click Apply, and then click OK to return to the Software Token Settings folder.

7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval ends in the
domain.

Do not allow users to delete SecurID OTP credentials


Restricts the user from deleting SecurID OTP credentials in RSA Authenticator.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template.

2. Access the templates as described in Accessing the Group Policy Object Template (for a single computer, see Access the
Template on a Windows Computer).

3. Double-click the Software Token Settings folder.

4. Double-click Do not allow users to delete AM OTP Credentials in the right pane of the dialog box. A dialog box opens with a
definition of the policy.

5. Select one of the following:

• Not Configured. In this state, the user can delete SecurID OTP credentials.

• Enabled. In this state, the user cannot delete SecurID OTP credentials.

• Disabled. In this state, the user can delete SecurID OTP credentials.

6. Click Apply, and then click OK to return to the Software Token Settings folder.

7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval ends in
the domain.

Do not allow users to change SecurID OTP credential nickname


Restricts the user from changing the SecurID OTP credential nickname in RSA Authenticator.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template.

2. Access the templates as described in Accessing the Group Policy Object Template (for a single computer, see Access the
Template on a Windows Computer).

3. Double-click the Software Token Settings folder.

4. Double-click Do not allow users to change AM OTP credential nickname in the right pane of the dialog box. A dialog box
opens with a definition of the policy.

5. Select one of the following:

• Not Configured. In this state, the user can change a SecurID OTP credential nickname assigned in Authentication Manager.

• Enabled. In this state, the user cannot change a SecurID OTP credential nickname assigned in Authentication Manager.

• Disabled. In this state, the user can change a SecurID OTP credential nickname assigned in Authentication Manager.

6. Click Apply, and then click OK to return to the Software Token Settings folder.

7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval ends in the
domain.

Do not allow users to configure the device password


Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template.

2. Access the templates as described in Accessing the Group Policy Object Template (for a single computer, see Access the
Template on a Windows Computer).

3. Double-click the Software Token Settings folder.

4. Double-click Do not allow users to change the device password in the right pane of the dialog box. A dialog box opens
with a definition of the policy.

5. Select one of the following:

• Not Configured. In this state, the user can configure the Device Password stored on the local hard drive.

• Enabled. In this state, the user cannot configure the Device Password stored on the local hard drive.

• Disabled. In this state, the user can configure the Device Password stored on the local hard drive.

6. Click Apply, and then click OK to return to the Software Token Settings folder.

7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval ends in
the domain.

Days before SecurID OTP credential expiration notification is displayed

Configures the application to notify the user 1 to 60 days before a SecurID OTP credential is about to expire.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template.

2. Access the templates as described in Accessing the Group Policy Object Template (for a single computer, see Access the
Template on a Windows Computer).

3. Double-click the Software Token Settings folder.

4. Double-click Days before AM OTP Credential expiration notification is displayed in the right pane of the dialog box. A
dialog box opens with a definition of the policy.

5. Select one of the following:

• Not Configured. In this state, the application notifies the user 30 days before a SecurID OTP credential is about to expire.

• Enabled. In this state, enter the number of days (x); the application displays a warning message to the user x days before a
SecurID OTP credential is about to expire.

• Disabled. In this state, the application notifies the user 30 days before a SecurID OTP credential is about to expire.

6. Click Apply, and then click OK to return to the Software Token Settings folder.

7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval ends in
the domain.

Specify a SecurID OTP credential renewal URL


Used with the Days before AM OTP credential expiration notification is displayed policy. Displays a URL link in the SecurID OTP
credential expiration notification.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template.

2. Access the templates as described in Accessing the Group Policy Object Template (for a single computer, see Access the
Template on a Windows Computer).

3. Double-click the Software Token Settings folder.

4. Double-click Specify an AM OTP Credential renewal URL in the right pane of the dialog box. A dialog box opens with a
definition of the policy.

5. Select one of the following:

• Not Configured. In this state, no URL link is displayed to the user in the SecurID OTP credential expiration notification.

• Enabled. In this state, the configured URL link is displayed to the user in the SecurID OTP credential expiration notification.

• Disabled. In this state, no URL link is displayed to the user in the SecurID OTP credential expiration notification.

6. Click Apply, and then click OK to return to the Software Token Settings folder.

7. Close the Group Policy Management Editor.

Specify a CT-KIP URL to use for downloading SecurID OTP Credential

This prefills the URL in the Registration Code field, so that the user does not have to enter the URL. To download an AM OTP credential,
the user only enters an activation code.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template.

2. Access the templates as described in Accessing the Group Policy Object Template (for a single computer, see Access the
Template on a Windows Computer).

3. Double-click the Software Token Settings folder.

4. Double-click Specify a CT-KIP URL to use for downloading software tokens in the right pane of the dialog box. A dialog box
opens with a definition of the policy.

5. Select one of the following:

• Not Configured. In this state, a user must enter a URL and an activation code to import a SecurID OTP credential.

• Enabled. In this state, the URL is prefilled in the Registration Code field; the user only needs to enter the activation code and
click Submit on the Add Credential page.

• Disabled. In this state, a user must enter a URL and an activation code to import a SecurID OTP credential.

6. Click Apply, and then click OK to return to the Software Token Settings folder.

7. Close the Group Policy Management Editor.

User SID for CT-KIP activation code

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template.

2. Access the templates as described in Accessing the Group Policy Object Template (for a single computer, see Access the
Template on a Windows Computer).

3. Double-click the Software Token Settings folder.

4. Double-click User SID for CT-KIP activation code in the right pane of the dialog box. A dialog box opens with a definition of
the policy.

5. Select one of the following:

• Not Configured. In this state, the user has to enter the activation code when prompted by the Specify a CT-KIP URL to use for
downloading AM OTP credentials policy.

• Enabled. In this state, the user's SID is used as the CT-KIP activation code together with the Specify a CT-KIP URL to use for
downloading AM OTP credentials policy, for zero-touch registration when the application launches, if there is no existing
SecurID OTP credential in RSA Authenticator or if all SecurID OTP credentials in RSA Authenticator have expired.

• Disabled. In this state, the user has to enter the activation code when prompted by the Specify a CT-KIP URL to use for
downloading AM OTP credentials policy.

6. Click Apply, and then click OK to return to the Software Token Settings folder.

7. Close the Group Policy Management Editor.

Exclude RSA SecurID Software Token 5.0 GPO Settings


RSA Authenticator honors the RSA SecurID Software Token 5.0 GPO settings if the corresponding RSA Authenticator GPO setting is not
configured.

Procedure
1. Make sure that you have installed the policies as described in Installing Group Policy Object Template.

2. Access the templates as described in Accessing the Group Policy Object Template (for a single computer, see Access the
Template on a Windows Computer).

3. Double-click the Software Token Settings folder.

4. Double-click Exclude Desktop Software Token GPO Settings in the right pane of the dialog box. A dialog box opens with a
definition of the policy.

5. Select one of the following:

• Not Configured. In this state, all RSA SecurID Software Token 5.0 GPO settings are honored.

• Enabled. In this state, all RSA SecurID Software Token 5.0 GPO settings are ignored.

• Disabled. In this state, all RSA SecurID Software Token 5.0 GPO settings are honored.

6. Click Apply, and then click OK to return to the Software Token Settings folder.

7. Close the Group Policy Management Editor.

If the policy was modified on the domain controller, the settings load into the Windows registry after the refresh interval ends in
the domain.

Unsupported Features
These features are not available for use with RSA Authenticator:

• Connected RSA SecurID 800 Authenticator

• Internet Explorer plug-in that displays and auto-enters the OTP

• Storage devices such as a TPM or another supported device plug-in

• Older Windows versions: XP, Vista, 7, 8.x, and Windows 10 releases earlier than 1903

• Single database for all users

• Manual import of SecurID OTP credentials that are intended for RSA SecurID Software Token with Automation

• Roaming profile

• Localization

• 32-bit support

• Copy protection is not configurable; it is enabled by default.

• Provisioning of SecurID OTP credentials using Compressed Token Format (CTF)

Chapter 8: Troubleshooting
This section includes issues for SecurID OTP credential and Authenticate OTP credential (Approve, CAS OTP, and Biometrics) and the
available workarounds for resolving the issues.

Installation Issues 65

Troubleshooting Credentials Issues 65

General SecurID OTP Issues 67

Troubleshooting Authenticate OTP Registration Issues 67

Troubleshooting View Authenticate OTP Issues 67

Troubleshooting AM Authentication Issues 67

Troubleshooting CAS Authentication Issues 68

Information Messages 68

Troubleshooting Migration Issues 68


Troubleshooting Upgrade Issues 69

DS100 Troubleshooting 69

Frequently Asked Questions - RSA DS100 71

Installation Issues
The following table lists problems that users might encounter while installing the app and provides workarounds.

Problem: The RSA Authenticator for Microsoft Windows cannot be found in the Microsoft Store.
Workaround: The user has an unsupported version of Microsoft Windows. The app supports devices running Microsoft Windows 10
version 1903 or later.

Problem: The user cannot install the app from the Microsoft Store.
Workaround:
1. Make sure the user has a Microsoft Account to download store apps.
2. The device does not have network connectivity, or a network failure occurred. Instruct the user to establish a network connection
and retry. If this is unsuccessful, instruct the user to contact the IT Help Desk.

Problem: The device does not have enough space to install the app.
Workaround: Instruct the user to free up space on the device.

Troubleshooting Credentials Issues

The following table lists problems users might encounter when attempting to import credentials and suggests workarounds.

User Error

Problem: User says the credential is missing.
Workaround: Follow your process to re-import the credential. If you suspect a bug, ask the user to share the logs with the
administrator using Export Logs. To export logs, instruct the user to follow these steps:
1. In the app, click About.
2. Click Export Logs.
3. Select the location to export the logs to.

Problem: The credential is missing during screen sharing.
Workaround: If the whole screen is shared, stop the screen share.

Problem: "Maximum number of software-based OTP credentials already registered. Delete an existing credential or contact your IT Help
desk to register a new one."
Workaround: The user has already reached the maximum limit of 25 AM OTP credentials and attempted to import another AM OTP
credential.

Problem: The user double-clicked the .SDTID file or CT-KIP URL and cannot import a credential.
Workaround: The user must download and install the SecurID Authenticator before importing a credential.

Problem: "Device intended for this OTP credential not found. Token import failed. Contact your IT Help Desk."
Workaround: Provide a new credential bound to the user's device.

Problem: "OTP Credential import failed, Invalid Parameter." or "OTP Credential import failed, Invalid file format."
Workaround: Provide a new credential to the user.

Problem: In a file-based import (SDTID), the user forgot the SecurID OTP file password or entered an incorrect AM OTP file password.
Workaround: Inform the user to retry the password. If it still fails, send the user a new credential.

Problem: The user attempted to import a dynamically provisioned SecurID OTP (CT-KIP) credential, but the import failed because the
device does not have network connectivity.
Workaround: The user must first establish a network connection, then try again to import the SecurID OTP credential.

Administrator Error

The following errors may occur because of misconfiguring the SecurID OTP distribution in Authentication Manager.

Problem: The SecurID OTP credential import failed.
Workaround: Verify that you selected the SecurID® Authenticator for Windows 6.x or RSA® Authenticator for Windows 6.2.x device
type. Correct the SecurID OTP device binding ID and reissue the SecurID OTP credential.

Problem: The death date of the SecurID OTP credential lifetime configured in Authentication Manager has passed (expired tokens).
Workaround: Provision a new SecurID OTP credential.

CT-KIP Errors

Problem: The user cannot import a SecurID OTP because of an error in the CT-KIP URL link.
Workaround: Correct the CT-KIP URL link and reissue the SecurID OTP credential. Possible causes:

• The URL link must start with one of the following prefixes:

securidauthenticator://ctkip?scheme=https&url=

or

rsaauthenticator://ctkip?scheme=https&url=

• The user typed the URL incorrectly or did not enter the URL.

• The user entered a blank or invalid activation code. For example, the user omitted or mistyped characters.

• The Authentication Manager is not reachable. In rare cases, this can occur due to a network communication failure.

Problem: The email message containing the URL link did not reach the user's device.
Workaround: Instruct the user to refresh the mailbox. If necessary, re-send the email to the user's device. Embed the custom CT-KIP
URL within a hyperlink and set the message format to HTML.

Problem: The user cannot import an OTP because the wrong email message format was used.
Workaround: Embed the custom CT-KIP URL within a hyperlink and set the message format to HTML.

Problem: Nothing happens when the user clicks the URL link.
Workaround: Instruct the user to copy the link from the email and paste it in the Add Credential page.
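A help-desk pre-check for the CT-KIP link causes listed above (wrong prefix, empty URL, Authentication Manager not reachable), as an added PowerShell function that is not part of the guide or of RSA's software. It verifies that the link starts with one of the two prefixes the guide requires, extracts the server named in the url= parameter and tests whether that server answers on its HTTPS port. The assumption that the text after url= (up to the next &) is the URL-encoded Authentication Manager host, optionally with :port and a path, is mine; the sample links are constructed.

```powershell
<#
  Added example (not part of the RSA guide): pre-check a custom CT-KIP link before it is mailed to a user.
  Assumption: everything after "url=" up to the next "&" is the URL-encoded Authentication Manager address
  (host, optional :port and path). Only the two prefixes named in the guide are accepted.
#>
$CtkipPrefixes = @(
    'securidauthenticator://ctkip?scheme=https&url=',
    'rsaauthenticator://ctkip?scheme=https&url='
)

function Test-CtkipLink {
    param(
        [Parameter(Mandatory)][string]$Link,
        [int]$TimeoutMs = 3000
    )
    $Result = [ordered]@{ Link = $Link; PrefixOk = $false; Server = $null; Port = 443; Reachable = $false; Problem = $null }

    # 1. The link must start with one of the supported prefixes (case-insensitive compare).
    $Prefix = $CtkipPrefixes |
        Where-Object { $Link.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) } |
        Select-Object -First 1
    if (-not $Prefix) {
        $Result.Problem = 'Link does not start with securidauthenticator://ctkip?scheme=https&url= or rsaauthenticator://ctkip?scheme=https&url='
        return [pscustomobject]$Result
    }
    $Result.PrefixOk = $true

    # 2. The url= parameter must not be empty (the "did not enter the URL" case).
    $Encoded = $Link.Substring($Prefix.Length).Split('&')[0]
    if ([string]::IsNullOrWhiteSpace($Encoded)) {
        $Result.Problem = 'The url= parameter is empty'
        return [pscustomobject]$Result
    }

    # 3. Decode the server address and let [uri] split host, port and path for us.
    try {
        $Server = [uri]::UnescapeDataString($Encoded)
        $Parsed = [uri]"https://$Server"
    } catch {
        $Result.Problem = "url= parameter is not a valid address: $Encoded"
        return [pscustomobject]$Result
    }
    $Result.Server = $Parsed.Host
    $Result.Port   = $Parsed.Port

    # 4. TCP reachability only; the app itself performs the TLS handshake and certificate check.
    $Client = New-Object System.Net.Sockets.TcpClient
    try {
        $Async = $Client.BeginConnect($Parsed.Host, $Parsed.Port, $null, $null)
        if ($Async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $Client.Connected) {
            $Result.Reachable = $true
        } else {
            $Result.Problem = "No TCP answer from $($Parsed.Host):$($Parsed.Port) within $TimeoutMs ms (Authentication Manager not reachable?)"
        }
    } catch {
        $Result.Problem = "Connection failed: $($_.Exception.Message)"
    } finally {
        $Client.Close()
    }
    [pscustomobject]$Result
}

# Constructed sample links (hypothetical host): one well-formed, one with a typo in the scheme.
Test-CtkipLink -Link 'securidauthenticator://ctkip?scheme=https&url=am.example.com'
Test-CtkipLink -Link 'securidauthenticatr://ctkip?scheme=https&url=am.example.com'
```

The function reports a single Problem string per link, in the same order the guide lists the causes, so a help-desk agent can paste the link a user received and see immediately whether the fault is in the link itself or in reaching Authentication Manager.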


General SecurID OTP Issues

Problem: The SecurID OTP credential expired. The app displays "Expired. Contact your administrator to request a replacement OTP
credential."
Workaround:
1. Instruct the user to delete the expired credential.
2. Provision a new SecurID OTP credential for the user.

Troubleshooting Authenticate OTP Registration Issues

The following table lists problems users might encounter during registration.

Problem: "Cannot add credential. Try again or contact your IT Help Desk."
Workaround:
1. Delete the existing credential registered for the user from CAS, or instruct the user to delete the registered device from My Page.
2. Send the user valid registration information for re-registration.

Problem: "Registration blocked by a Cloud policy. Contact your IT Help Desk."
Workaround:
1. Click Users > Management in the Cloud Administration Console.
2. Confirm that the user is enabled. If the user is already enabled, tell the user to share the logs for analyzing the errors.

Problem: "Maximum number of software-based OTP credentials already registered. To register a new one, delete an existing credential
from My Page or contact your IT Help desk."
Workaround: The user has already reached the maximum limit of 10 Authenticate OTPs and attempted to import another Authenticate
OTP. After adding the maximum number of Authenticate OTPs, the user must delete one Authenticate OTP credential before importing
another one.

Troubleshooting View Authenticate OTP Issues

The following table lists problems users might encounter during View OTP.

Problem: PIN is locked.
Workaround: First delete all accounts that require a PIN to view the Authenticate OTP, then complete credential registration again for
those accounts.

Problem: Forgot PIN?
Workaround: To reset the user PIN, delete all accounts that require a PIN to view the Authenticate OTP, then complete credential
registration again for those accounts.

Troubleshooting AM Authentication Issues

This section describes the workarounds to problems that users might encounter when attempting to authenticate.

User Error

Problem: The SecurID OTP was disabled after too many failed log-on attempts.
Workaround: Check the Authentication Manager logs. If the token is not disabled (or expired), ask the user to read you the current OTP
and the next OTP. After you obtain the pair of OTPs, resynchronize the token in Authentication Manager.
Note: Instruct users with PIN-enabled tokens to click Submit to display the passcode; no PIN is required.

Other

Problem: The user is unable to authenticate.
Workaround: The time on the Microsoft Windows computer may be uncoordinated with the clock settings in Authentication Manager. The
local time, the time zone, and Daylight Saving Time must all be set correctly so that users can authenticate from their devices. Instruct
the user to verify that the time zone matches the local time zone.

Problem: One or more SecurID OTP credentials have expired.
Workaround: The user can delete the SecurID OTP credential and contact the administrator to request a replacement SecurID OTP
credential, or use Self-Service, if allowed.

Troubleshooting CAS Authentication Issues

Problem: The confirmation code in the app does not match the code that is displayed on the login screen.
Workaround: The user can delete the credential from the app and re-register the credential.

Problem: After selecting push to approve during authentication, the user has not received any push notification in the app when it is
opened.
Workaround: Click the Click to refresh Authentication button in RSA Authenticator to receive the push notification directly from the
server.

Information Messages
The following message provides feedback and instructions to the user.

Message: "The Authentication Manager server's SSL certificate was issued by an unknown Certificate Authority. If you trust this server,
click Accept to continue. If you don't know that the server can be trusted, click Cancel and contact your IT help desk for assistance."

Condition:

• This message may be displayed during a CT-KIP import for a variety of reasons, for example, if your Authentication Manager
CT-KIP implementation uses a self-signed certificate.

• The Unknown Server Certificate message is displayed during import of a SecurID OTP using a CT-KIP URL.

• The user must accept the server certificate for the SecurID OTP credential to be imported successfully.

• The user can cross-check the server hostname before accepting the server certificate.

• To avoid this prompt, import the root CA certificate of Authentication Manager into the user machine's Trusted Root Certification
Authorities store.

Troubleshooting Migration Issues

The following table lists problems users might encounter during migration from RSA SecurID Software Token 5.0 to RSA Authenticator
6.2.

Problem: SecurID OTP credentials are not migrated from the desktop application.
Workaround: Migration is not performed if the installed RSA SecurID Software Token app version is lower than 5.0. Verify that the
user has a credential in RSA SecurID Software Token version 5.0.

Problem: OTP credentials are not migrated from RSA SecurID Software Token 5.x configured with SetSingleDatabase set to TRUE, or
from a roaming profile.
Workaround: In these scenarios, OTP credentials are not migrated from RSA Desktop Software Token 5.x.

Problem: The user is prompted with the list of SecurID OTP credentials that were not migrated from RSA SecurID Software Token 5.0.
Workaround: Ask the user to delete the existing SecurID OTP credentials and relaunch RSA Authenticator.

Troubleshooting Upgrade Issues

The following table lists problems users might encounter during the upgrade of SecurID Authenticator 6.0.1/6.1.1/6.1.3 to RSA
Authenticator 6.2.

Problem: After upgrading to RSA Authenticator 6.2, the user can still see the old UI or old icons.
Workaround: Restart the machine once to apply the new UI changes and new icons.

The following table lists problems users might encounter during the upgrade of RSA SecurID Authenticate 3.6 to RSA Authenticator 6.2.

Problem: After upgrading from RSA SecurID Authenticate 3.6 to RSA Authenticator 6.2, the user cannot use the PIN that was set in the
RSA SecurID Authenticate 3.6 app to view the Authenticate OTP credentials, if the Authenticate OTP credentials are protected with a PIN.
Workaround: The user is required to set the PIN again in RSA Authenticator.

Problem: Push notifications are not received after upgrading from RSA SecurID Authenticate 3.6 to RSA Authenticator 6.2.
Workaround: Users must launch the application once again to receive push notifications after upgrading from RSA SecurID
Authenticate 3.6 to RSA Authenticator 6.2.

DS100 Troubleshooting
1. The RSA FIDO Management Service installer is reported as untrusted and/or the RSA FIDO Management Service does not work
(a non-admin user cannot register an OTP on a DS100 through RSA Authenticator 6.2).

The code signing certificate was issued by a newer root certificate, the DigiCert Trusted Root G4, which was created in 2013. If a
computer or virtual machine (VM) is missing this newer root certificate, a UAC warning prompt appears during the RSA FIDO
Management Service installation.

It is possible to proceed with the installation by clicking Yes, but the RSA FIDO Management Service will not function if its root
certificate is not trusted by Windows: the root needs to be in the local computer's Trusted Root Certification Authorities store.

These are the details for the required DigiCert root certificate:

Certificate Attribute Value

Common Name DigiCert Trusted Root G4

Serial Number 059b1b579e8e2132e23907bda777755c

Thumbprint (SHA1) ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

Valid From 08/01/2013

Valid To 01/15/2038

Typically, new root certificates are automatically downloaded and added to the Windows Trusted Root Certification Authorities, but there
are multiple reasons this may not happen, such as an organization's network settings blocking access to the updates or automatic root
certificate updates being disabled by GPO.

Regardless of what prevents root certificate updates, the DigiCert Trusted Root G4 certificate needs to be added to each computer or VM
where the RSA FIDO Management Service will be installed.

1. Download the DigiCert Trusted Root G4 certificate from DigiCert at: https://cacerts.digicert.com/DigiCertTrustedRootG4.crt

2. Add DigiCertTrustedRootG4.crt to the Trusted Root Certification Authorities:

On a single computer

a. Open PowerShell using "Run as administrator".

b. Run this command:

certutil -addstore -f root <FilePathOfCertificateInMachine>\DigiCertTrustedRootG4.crt

On multiple computers (using Group Policy)

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy
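The single-computer step above imports the root with certutil; here is an added PowerShell version (not RSA's code and not part of the guide) that first checks whether the root is already in the local machine's Trusted Root Certification Authorities store and, if not, downloads it and verifies its SHA-1 thumbprint and subject against values obtained out of band before importing. The DigiCert URL and thumbprint come from the guide's certificate table; the same function covers the Authentication Manager root CA case from Information Messages (the "Unknown Server Certificate" prompt) when you pass that CA's exported file and thumbprint instead. The optional installer path and the -ExpectedSubjectCn parameter are my assumptions.

```powershell
<#
  Added example (not part of the RSA guide): make sure a root CA is in the local machine's Trusted Root
  Certification Authorities store, importing it only after its thumbprint matches a value you already trust.
  Run in an elevated PowerShell session (writing to Cert:\LocalMachine\Root requires administrator rights).
#>
param(
    [string]$InstallerPath   # optional (assumption): path of the RSA FIDO Management Service installer to check afterwards
)

function Test-TrustedRoot {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $Hit = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpperInvariant() }
    return [bool]$Hit
}

function Install-TrustedRoot {
    param(
        [Parameter(Mandatory)][string]$Source,       # local .crt path or https:// download URL
        [Parameter(Mandatory)][string]$Thumbprint,   # SHA-1 thumbprint obtained out of band (here: from the guide)
        [string]$ExpectedSubjectCn                   # optional subject CN check
    )
    if (Test-TrustedRoot -Thumbprint $Thumbprint) {
        Write-Host "Root $Thumbprint is already trusted; nothing to do."
        return
    }

    $File = $Source
    if ($Source -like 'https://*') {
        $File = Join-Path $env:TEMP ([System.IO.Path]::GetFileName($Source))
        Invoke-WebRequest -Uri $Source -OutFile $File -UseBasicParsing
    }

    # Inspect the certificate BEFORE it goes anywhere near the trust store: a root added by mistake
    # makes every certificate issued under it trusted on this machine.
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $File
    if ($Cert.Thumbprint -ne $Thumbprint.ToUpperInvariant()) {
        throw "Thumbprint mismatch: got $($Cert.Thumbprint), expected $Thumbprint. Not importing."
    }
    if ($ExpectedSubjectCn -and $Cert.Subject -notlike "*CN=$ExpectedSubjectCn*") {
        throw "Subject mismatch: $($Cert.Subject). Not importing."
    }
    if ($Cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($Cert.NotAfter). Not importing."
    }

    Import-Certificate -FilePath $File -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Host "Imported $($Cert.Subject) ($($Cert.Thumbprint)) into LocalMachine\Root"
}

# DigiCert Trusted Root G4: download URL and SHA-1 thumbprint as listed in the guide.
Install-TrustedRoot -Source 'https://cacerts.digicert.com/DigiCertTrustedRootG4.crt' `
                    -Thumbprint 'ddfb16cd4931c973a2037d3fc83a4d7d775d05e4' `
                    -ExpectedSubjectCn 'DigiCert Trusted Root G4'

# Optional: confirm that the installer's Authenticode signature now chains to a trusted root.
if ($InstallerPath) {
    $Sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    Write-Host ("Installer signature: {0} (signer: {1})" -f $Sig.Status, $Sig.SignerCertificate.Subject)
}
```

For an Authentication Manager root CA, export that CA's certificate from the AM console, record its thumbprint there, and call Install-TrustedRoot with the exported file and that thumbprint; the thumbprint comparison is what prevents a substituted file on the download path or a mistyped URL from landing in the trust store.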

2. I am unable to download the RSA FIDO Management Service or RSA Authenticator 6.2 for Windows from RSA Community
(formerly SecurID Link/RSA Link) because I do not have, and cannot register for, an RSA Community account.


Contact the RSA customer support team at 800-995-5095 for assistance.

Frequently Asked Questions - RSA DS100


1. Does a user need Windows Admin level permissions to register an OTP credential or manage an RSA DS100?

No. Although Windows 10 and higher require admin level permissions to manage FIDO Security Keys, like the RSA DS100,
RSA provides a helper utility called the RSA FIDO Management Service that automatically elevates the RSA Authenticator
6.2 and later to run with admin permissions when managing a FIDO Security Key.

The RSA FIDO Management Service is a stand-alone service that must be installed by a Windows administrator.

2. Which version of the RSA FIDO Management Service is supported for use with RSA Authenticator?

The supported version of RSA FIDO Management Service is v1.1.0 or higher. RSA no longer supports RSA FIDO Management
Service v1.0.0.

If you have v1.0.0 installed on any machine, RSA recommends upgrading to version 1.1.0 or higher immediately.

3. How does the RSA FIDO Management Service enable non-admin users to manage RSA DS100s or other FIDO
Security Keys from RSA Authenticator 6.2?

The RSA DS100 and all FIDO Security Keys communicate with applications running on a computer via the FIDO Alliance's
Client to Authenticator Protocol (CTAP).

Windows 10 and higher provides only minimal CTAP support as part of the operating system. It's possible to register FIDO
credentials, set/change the FIDO PIN, and reset the FIDO module, but there is no support for hardware vendor specific
management.

In theory, Microsoft's implementation shouldn't cause problems, because CTAP itself includes support for vendor extensions
that provide for additional hardware management. Unfortunately, Windows explicitly blocks all applications that weren't
launched with Windows admin privileges, aka "Run as administrator", from communicating with any FIDO device via CTAP.

Web browsers like Edge, Firefox, and Chrome can go through the Windows OS's limited CTAP support because browsers only
need minimal CTAP support to function correctly. Applications written by hardware manufacturers that need extended CTAP
support for things like firmware updates, enabling/disabling NFC support, registering OTP credentials, and many other
capabilities are effectively blocked for users that are NOT Windows administrators (aka most users).

SecurID Authenticator 6.1 or later for Windows contains two primary modules, the main application with complete features,
and a small "helper app" that is only capable of performing FIDO management tasks via CTAP. When the main application
needs to perform a FIDO management operation that would require Windows admin rights, it automatically calls the RSA FIDO
Management Service which runs with Windows system level permissions.

The RSA FIDO Management Service elevates the "helper app" to launch with Windows admin permission so any user can
register an OTP credential in an RSA DS100, upgrade firmware, or perform other management tasks. To prevent abuse of the
RSA FIDO Management Service, it uses a "pinned" certificate to verify it's elevating only the RSA "helper app".

4. How many credentials will an RSA DS100 hold?

• 1 RSA One-Time Password (OTP) credential

• 50 FIDO resident credentials – protected by the DS100's FIDO PIN


• Unlimited FIDO non-resident credentials

5. How many RSA DS100 hardware authenticators can a user register per tenant in the RSA Cloud Authentication
Service (CAS)?

Each user can register up to 5 OTP credentials from hardware authenticators and 1 FIDO Security Key per CAS tenant. This
means a single user can register up to 5 DS100s with OTP credentials per CAS tenant, but only 1 of the DS100s can be
registered with a FIDO credential.

6. Can an RSA DS100 be registered on platforms other than Windows?

Registering or deleting an OTP credential for a DS100 or updating its firmware requires SecurID Authenticator 6.1.1 or later,
running on Windows 10 1903 and higher (build 1836+). Registering only a FIDO credential is supported on any operating system
(Mac, Linux, etc.) with a web browser that supports FIDO2.
