Assign a Temporary Fixed Tokencode for Online Emergency Access
You can give a user temporary emergency access to resources protected by RSA Authentication Manager by sending the user a temporary fixed tokencode. This tokencode can be used when a user's RSA SecurID Token or RSA Authenticator app is temporarily unavailable and the user has network connectivity to RSA Authentication Manager.
| If the user normally authenticates with this method | The user enters |
|---|---|
| RSA SecurID Token | RSA SecurID PIN + Temporary fixed tokencode |
| RSA Authenticator app | Only temporary fixed tokencode - no PIN. Note: A PIN might be required to view the tokencode on the mobile device, but this is not the RSA SecurID PIN. |
Note: A temporary fixed tokencode cannot be used to access resources protected by Cloud Authentication Service (CAS).
You can assign a temporary fixed tokencode on any primary or replica instance.
Procedure
In the Security Console, click Authentication > SecurID Tokens > Manage Existing.
On the Assigned tab, use the search fields to find the lost or destroyed token.
From the search results, click the lost or destroyed token, and from the context menu, select Emergency Access Tokencodes.
On the Manage Emergency Access Tokencodes page, select Online Emergency Access.
For Type of Emergency Access Tokencode(s), select Temporary Fixed Tokencode.
Click Generate New Code. The tokencode displays next to the Generate New Code button.
Record the emergency access tokencode so that you can communicate it to the user.
For Emergency Access Tokencode Lifetime, select either No expiration or select Expire on and specify an expiration date.
You may want to limit the length of time the one time tokencode can be used. Because the onetime tokencode is a fixed code, it is not as secure as the pseudorandom number generated by a token.
For If Token Becomes Available, select one of the following options:
Deny authentication with token.
Select this option if the token is permanently lost or stolen. This option prevents the token from being used for authentication if recovered. This safeguards the protected resources in the event the token is found by an unauthorized individual who attempts to authenticate.
Allow authentication with token at any time and disable online emergency tokencode.
Select this option if the token is temporarily unavailable (for example, the user left the token at home). When the user recovers the token, he or she can immediately resume using the token for authentication. The online emergency access tokencode is disabled as soon as the recovered token is used.
Allow authentication with token only after the emergency code lifetime has expired and disable online emergency tokencode.
You can choose this option for misplaced tokens. When the missing token is recovered, it cannot be used for authentication until the online emergency access tokencode expires.
Click Save.
Related Articles
Add a Password Dictionary Number of Views Educating Your Users Number of Views How to adjust the Access Fulfillment Express (AFX) test connector capabilities timeout value in RSA Identity Governance & … Number of Views DLP - Issue with Scanning Exchange Mailboxes Number of Views New PINs and On-Demand Tokencodes for Authentication Agents and RADIUS Clients Number of Views
Trending Articles
RSA SecurID Software Token 5.0.2 for Windows Desktop displays message after reboot due to roaming profile: No token stor… RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Release Notes: Cloud Access Service and RSA Authenticators RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.9 Release Notes (January 2026)
