Prompt Authenticate Tokencode Users for PINs on Their First Authentication to Cloud Authentication Service
By default, RSA Authentication Manager 8.9 does not prompt Authenticate Tokencode users for PINs on their first authentication to Cloud Authentication Service (CAS).
Authenticate Tokencode users are prompted for PINs if you previously used the Security Console to connect RSA Authentication Manager to Cloud Authentication Service before applying RSA Authentication Manager 8.5 Patch 3. You can clear the Enable Authenticate Tokencode PIN Prompts checkbox to prevent Authenticate Tokencode users from being prompted for PINs on their first authentication to CAS. During subsequent authentications, Authenticate Tokencode users are only prompted for a PIN if their PIN has expired, or if an administrator has cleared their PIN or requires users to create another PIN. This option does not affect other types of authentication. For more information, see Using PINs During the First Approve or Device Biometrics Authentication in Set User Expectations for Device Registration and Authentication.
Clearing this checkbox does not affect the Self-Service Console or the workflow for PIN with Approve, PIN with Device Biometrics, or other types of authentication. For example:
- Users can create and change PINs in the Self-Service Console.
- Administrators can clear PINs and require users to create new PINs.
- During authentication, users who enter expired PINs for Approve, Device Biometrics, or RSA SecurID authentication are prompted to change their PINs
- Existing PIN with Approve and PIN with Device Biometrics users can still authenticate.
Other RSA SecurID tokens that require PINs continue to work as before.
You can choose to restore the previous functionality. The following procedure prompts users to create or change PINs during Authenticate Tokencode authentication.
Procedure
In the Security Console, click Setup > System Settings.
Click RSA Cloud Authentication Service Configuration.
Select the Enable Authenticate Tokencode PIN Prompts checkbox.
Click Save.
Related Articles
How DB-Push Works. Number of Views The ntpq command gives the error "Request timed out" in RSA Authentication Manager Number of Views XudaJurisdictionGetCA() call returns XrcNOTFOUND even though the CA object exists Number of Views Resynchronize a Token Number of Views Set User Expectations for Device Registration and Authentication Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.9 Release Notes (January 2026) An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide
