Extending Software Token Lifetimes
An administrator who has permission to assign tokens can extend the lifetime of a distributed software token that has expired or is due to expire soon. By extending software token lifetimes, you can avoid replacing expired software tokens on user devices, such as mobile phones, tablets, and PCs. Software token provisioning only needs to occur one time on each user device. RSA AM determines the token expiration date for the extended token, and AM assumes full administrative control over whether an extended token is available for authentication.
For example, a token that will expire in 15 days can be extended so that it will not expire for another 2 years. An unassigned token that expires in 2 years provides a new expiration date to the distributed token that was expiring in 15 days, and the unassigned token is deleted. The original, distributed token on the user device receives an extended lifetime in AM.
Software token lifetime extension is transparent to users. No processing steps are required on user devices, and RSA SecurID authentication continues as usual.
Extending the software token lifetime does not prevent a software token license from expiring. If a software token license expires, the software token continues to generate tokencodes, but authentication cannot occur until a new software token license is applied in AM.
Only software tokens that were distributed in RSA Authentication Manager 8.2 or later can be extended. The following tokens cannot be extended:
Hardware tokens.
Software tokens that are not distributed to users.
Active or expired software tokens that were distributed in an AM version earlier than version 8.2.
Evaluation software tokens that have a serial number in the range 000000000001to 000000000025. These tokens are provided for use with the evaluation license.
Software tokens that are already being replaced or extended. However, a token can be extended for a second time when it is close to its expiration date.
Software tokens that are not yet expired or are not yet close enough to their expiration date. The default value is 15 days. You can change this value. You change the number of days before the expiration date during which a software token can be extended.
For more information, see Configure Software Token Lifetime Extension Parameters.
SecurID Authenticate Tokencodes cannot be extended.
Extend Software Token Lifetimes
You can select software tokens and extend their expiration dates. This prevents tokens from expiring on user devices, such as mobile phones, tablets, and PCs, and avoids the need to provision each user device more than one time.
After you search for software tokens to extend, the search results display “Yes” in the Extendable column for software tokens that are eligible for extension. The extendable tokens must have been distributed in RSA Authentication Manager 8.2 or later, and the tokens must meet the other conditions for being extended, for example, the tokens must not already be in the process of being replaced or extended.
Before you begin
Your administrative role must permit you to assign tokens.
Import a token record file that contains extension token records. For instructions, see Import a Token Record File.
Procedure
In the Security Console, find one or more software tokens that you want to extend. Use one of the following methods:
Navigate From
Steps
List of tokens
Click Authentication > SecurID Tokens > Manage Existing.
On the Assigned tab, use the search fields to find software tokens.
From the search results, do the following:
Click one software token that you want to extend. From the context menu, click Extend SecurID Token Lifetime.
Or
Click more than one software tokens that you want to extend. From the Action menu, select Extend SecurID Tokens Lifetime, and click Go.
User Dashboard
In the Security Console, go to the Home page.
Use Quick Search to find the user.
Select the user for whom you want to extend software tokens.
Under Assigned SecurID Tokens, click Edit > Extend SecurID Token Lifetime.
List of users
In the Security Console, click Identity > Users > Manage Existing.
Use the search fields to find the user.
From the search results, click the user for whom you want to extend software tokens. From the context menu, click SecurID Tokens.
From the list of tokens assigned to the user, click the software token that you want to extend.
From the context menu, click Extend SecurID Token Lifetime.
The Extend Token Lifetime page displays the extension tokens that RSA Authentication Managerselected to extend the lifetime of the original tokens.
AM chooses extension tokens that have the longest lifetime. The extension tokens are deleted after the original software token expiration date is extended.
(Optional) To choose different extension tokens, click Select Different Tokens. You must select an extension token for each of the original tokens.
Note: Before selecting your own extension tokens, verify the expiration dates. The original tokens could potentially receive earlier expiration dates from the extension tokens.
Click Save & Finish.
The original tokens are updated with the new expiration dates.
No processing steps are required on the user devices, and RSA SecurID authentication continues as usual.
Configure Software Token Lifetime Extension Parameters
You change the number of days before the expiration date during which a software token can be extended. The default value is 15 days.
Before you begin
You must be an Operations Console administrator.
You must know how to use the Linux operating system.
Obtain the information required to access the appliance operating system:
Obtain the rsaadmin operating system password.
Obtain the IP address or fully qualified hostname for the hardware appliance or the virtual machine.
Enable SSH on the appliance.
For instructions, see Enable Secure Shell on the Appliance.
Procedure
On the primary instance, log on to the appliance with the user name rsaadmin and the operating system password.
Change the directory to utils. Type:
cd /opt/rsa/am/utils
and press ENTER.
Type the following command:
./rsautil store -a update_config auth_manager.extend_token_life.token_days_remaining_for_expiration number GLOBAL 503
where number is the number of days before expiration. For example, 20.
When prompted, type the Operations Console administrator password, and press ENTER.
Restart all RSA Authentication Manager services. Change the directory. Type:
cd /opt/rsa/am/server
./rsaserv restart all
Restart services on each replica instance. Log on to each replica instance, and repeat step 5 and step 6.
Related Articles
Import a Token Record File Number of Views Upgrade Internal Authentication Manager Certificates to SHA-256 Number of Views Quick Setup Guide - Connect Authentication Manager to Cloud Authentication Service Number of Views IDR SSO - Step 3: Deploy the Identity Router Number of Views Add, Delete, and Test the Connection for an Identity Source in Cloud Access Service Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) Downloading RSA Authentication Manager license files or RSA Software token seed records RSA Release Notes for RSA Authentication Manager 8.8 RSA MFA Agent 2.4 for Microsoft Windows Installation and Administration Guide
