RSA Product Set: SecurID
RSA Product Version: AM 8.x
Authentication using hardware tokens in CyberArk fails, and the Authentication Activity Monitor logs the error: "Bad tokencode but good PIN." This occurs even when the passcode is valid.
However, testing authentication with the same token and credentials is successful through the Self-Service Console.
The failure occurs because the hardware token generates a passcode that combines a 4-digit PIN with a 6-digit tokencode, resulting in a 10-digit passcode. CyberArk does not accept passcodes of this length, leading to the "Bad tokencode but good PIN" error during authentication.
As a workaround, disable the PIN requirement for the affected hardware tokens as outlined in this article Allow a User to Authenticate Without an RSA SecurID PIN.
Alternatively, contact CyberArk Support for further assistance.
Related Articles
What does the small 3 above the blinking diamond on the RSA SecurID hardware token display indicate? Number of Views Cloud Administration Delete Hardware Token API Number of Views Assign Hardware Tokens to Multiple Users Number of Views Registering RSA SID 700 hardware tokens in Microsoft Entra ID Number of Views RSA Hardware Authenticators Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide How to manipulate imported RSA SecurID Software Token(s) on an iPhone or iPad device How to recover the Application and AFX after an unexpected database failure in RSA Identity Governance & Lifecycle RSA MFA Agent 2.4 for Microsoft Windows Installation and Administration Guide
