RSA Authentication Manager On-Demand Authentication (ODA) failing with the following error: User provided incorrect On-Demand Service PIN while requesting tokencode.
Originally Published: 2017-07-13
Article Number
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
Issue
On-Demand Authentication (ODA) is failing with error "User provided incorrect On-Demand Service PIN while requesting tokencode" as shown in the authentication activity report below:
Date & Time: 2017-07-10 11:16:03.89
Log Level: ERROR
Activity Key: Principal authentication
Description: User <user ID> attempted to authenticate using authenticator “OnDemand”. The user belongs to security domain “<security domain>"
Action Result Key: Failure
Result Key: SMS_METHOD_FAILED_PIN_STAGE
Result: Authentication method failed. User provided incorrect On-Demand Service PIN while requesting tokencode.
User ID: <user ID>
User First Name: <user first name>
User Last Name: <user last name>
User Security Domain: <user security domain>
User Identity Source Name: <user identity source name>
Agent Type: 8
Agent Name: N/A
Agent IP: N/A
Agent Security Domain: N/A
Authentication Method: OnDemand
Policy Expression: (RSA_Password/LDAP_Password)+RBA
Argument 1: AUTHN_LOGIN_EVENT
Argument 2: N/A
Argument 3: N/A
Argument 4: N/A
Argument 5: N/A
Argument 6: N/A
Argument 7: N/A
Argument 8: 80022261191ca8c01c595263cb1d51dd
Argument 9: <user mobile number>
Argument 10: N/A
Instance Name: <instance name>
Client IP: <client IP address>
Server Node IP: <server node IP address>
Additional Information: N/A
Actor GUID: <actor GUID>
Session ID: <session ID>
Agent GUID: N/ACause
An incorrect on-demand PIN was entered.
Resolution
- Have the end user try again with the correct PIN.
- If the end user does not remember the PIN, you can follow below steps:
- Access the Security Console and choose one of the two options:
- From the Quick User Search, bring up the user who is having an issue.
- Alternatively, search for the user and click on the drop-down arrow next to the result and click SecurID Tokens.
- Under On-Demand Authentication (ODA), click Manage.
- Next to Associated PIN, check the option to Clear existing PIN and set a temporary PIN for the user.
An example temporary PIN could be the user's initials and last four digits of their mobile number. - Click Save when done.
- Communicate this new PIN to the user.
- Have them attempt to authenticate again to verify the fix.
Related Articles
RSA Authentication Manager Web Tier installation fails with the following error: The directory already exists! Number of Views RSA Identity Governance & Lifecycle installation fails with the following error: <install directory path>/staging/deploy/… Number of Views Provide an Offline Emergency Passcode Number of Views Provide an Offline Emergency Access Tokencode Number of Views Explanation of successful authentication followed by passcode reuse and bad tokencode messages in RSA Authentication Manag… Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide Downloading RSA Authentication Manager license files or RSA Software token seed records RSA MFA Agent 2.4 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Release Notes for RSA Authentication Manager 8.8
Don't see what you're looking for?
