Need help deploy software tokens
We have some users that want to use software tokens, and would prefer to use QR-Codes to distribute them. We are not currently deploying the self service console, our existing users all use hardware tokens, and we cannot seem to find a decent "howto" guide in any of the documentation on how the deployment procedure works. Is there a simple document within RSA that details this? For example, if the user has to log into the self service console to retrieve the QR-Code, how do they authenticate, assuming they are a new user?
Basically, without a Web Tier, a CTKIP URL shows the internal port 7004. This is configured in your Software Token Profile. Some devices, like a Windows PC, are not capable of converting this URL to a QR Code, so that option is not in the Software Token Profile.
When you distribute a soft token as Dynamic Seed Provisioned (CT-KIP), you get a URL like the one above, plus an activation code, which you can email and/or phone call to the customer (emailing the URL and having them call for the code is probably safest). If you email both the code and the URL, someone could intercept it, but it can only be used once, so that is safety through fail-safe: if it does not import into the intended user's device, you get them a new one, which invalidates the first one.
QR Codes are a subset of CTKIP that only works on specific smartphones. The difference is that the user must log on to the Self Service Console to get their QR Code. When you distribute a soft token with QR Code, it looks like this.
You do not see a QR code or CTKIP URL until the user logs into the Self Service Console, typically with a Password, and clicks the activate link. Be sure to enable Password logon to the Self Service Console in the Security Console - Setup - SS Settings.
RSA_Password means an Internal database user with an assigned password, while LDAP_Password comes from an external LDAP Identity Source like Active Directory. The / means OR; be careful with +, which means AND, i.e. two types of authentication.
When your users log into the Self Service Console, SSC, they can activate their token by scanning the QR code.
So, and this is primarily what I did not understand from the documentation, is that when the user logs into the self-service console for the first time to scan the QR-Code, they need to be able to log in with their ID and either an internal account or LDAP account password.
So with CTKIP, the user gets a URL and activation code. The user uses the RSA app on their phone, connects to the URL (on the self service/web tier server), and then enters the activation code. And all is good.
With QR-Code, the user gets a URL, but must use another device (saw this in one of the docs), log into the self service console, select "Activate...", and then scan the QR-Code with their phone (activation code not needed?), and all is good.
Secondly, is the activation code still needed by the user when using QR-Code?