What is the range of tokencodes accepted by RSA ACE/Server or RSA Authentication Manager?
Originally Published: 2003-11-03
Article Number
Applies To
RSA ACE/Server
Microsoft Windows
UNIX
Token synchronization
Issue
What are RSA SecurID token sync ranges?
What is the range of tokencodes accepted by RSA ACE/Server or RSA Authentication Manager?
What is the maximum resynchronization range?
Resolution
Standard Token:
Automatic acceptance range ± 1 interval (3 codes)
Acceptance with Next Tokencode ± 3 intervals (7 codes)
Maximum limit (after 3 failures and Next Tokencode) ± 10 intervals (21 codes)
PINpad Token:
Automatic acceptance range ± 2 intervals (5 codes)
Acceptance with Next Tokencode ± 4 intervals (9 codes)
Maximum limit (after 3 failures and Next Tokencode) ± 10 intervals (21 codes)
Software Token:
Automatic acceptance range ± 10 intervals (21 codes)
Acceptance with Next Tokencode ± 12 intervals (25 codes)
Maximum limit (after 3 failures* and Next Tokencode) ± 70 intervals (141 codes)
Administrative resync range (all tokens): ± 12 hours (1441 codes)
* 3 failures is the default setting in SDCONF.REC, and this single value is configurable (see the administration documentation for more details).
Automatic acceptance range: A token within this range produces a Tokencode that is accepted as a standard authentication from an end user.
Acceptance with Next Tokencode: A token outside the automatic acceptance range but within this larger window is handled as follows: the first Tokencode is matched within the window, and the end user is prompted for the Next Tokencode during authentication.
Maximum limit range: A much larger window. A user whose token falls in this range will fail the authentication attempt and will continue to fail three times. After this, they may type in a Tokencode within this range followed by the Next Tokencode.
Admin resync: This is the range within which the administrator can use the resynchronization option in the token display in the ACE/Server administration menu.
First Use of Token (newly assigned token and New PIN mode): The first authentication attempt (where the user goes through the New PIN dialog) will use the Maximum limit range, since a subsequent complete authentication is then required anyway.
NOTE: The details above show fixed values - these token ranges are not configurable.
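The window logic described above, modelled as an added example (not RSA's code and not part of the original article). The code generator is an HMAC stand-in rather than the SecurID algorithm, the 60-second interval is inferred from "12 hours (1441 codes)", and the function names and the Next Tokencode check are assumptions.

```python
import hashlib
import hmac

INTERVAL = 60      # seconds; implied by the article: +/-12 hours = 1441 codes
MAX_FAILURES = 3   # article's default failure count before the maximum range applies
# Intervals either side of server time: (automatic, Next Tokencode, maximum)
RANGES = {"standard": (1, 3, 10), "pinpad": (2, 4, 10), "software": (10, 12, 70)}
ADMIN_RESYNC = 12 * 3600 // INTERVAL   # 720 intervals either side


def codes_in_window(radius):
    """A +/-radius window covers the current code plus radius codes each side."""
    return 2 * radius + 1


def code_at(seed, interval):
    """Stand-in tokencode generator (HMAC-SHA256). NOT the SecurID algorithm."""
    mac = hmac.new(seed, interval.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**8:08d}"


def find_offset(seed, submitted, t, radius):
    """Signed offset nearest zero whose code matches, or None if none does."""
    for d in sorted(range(-radius, radius + 1), key=abs):
        if hmac.compare_digest(code_at(seed, t + d), submitted):
            return d
    return None


def evaluate(token_type, seed, submitted, now, prior_failures=0):
    """Classify one attempt; returns (outcome, offset in intervals)."""
    auto, with_next, maximum = RANGES[token_type]
    t = now // INTERVAL
    radius = maximum if prior_failures >= MAX_FAILURES else with_next
    d = find_offset(seed, submitted, t, radius)
    if d is None:
        return ("FAIL", None)
    if abs(d) <= auto:
        return ("ACCEPT", d)
    return ("NEXT_TOKENCODE", d)   # caller must then check the following code


def confirm_next(seed, next_code, now, d):
    """Assumed Next Tokencode check: the code right after the matched one."""
    return hmac.compare_digest(code_at(seed, now // INTERVAL + d + 1), next_code)
```

A standard token drifted by 5 intervals fails outright until the failure count reaches 3, after which the same code is matched in the ± 10 window and the Next Tokencode is requested.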