RSA NextTokenCode

Wondering why users' RSA tokens get switched to "NextTokenCode" automatically and it does not notify the user when this is the case. It just states incorrect username/password. We have to go in and unassign the token, then reassign the token. Is there any way to determine why these tokens get put in NextTokenCode?

Thanks
ManieyaK_Citrix Systems / Network Admin Asked:

btan Exec Consultant Commented:
When challenged, the user enters a password that is a combination of two numbers: a personal identification number (PIN), supplied by RSA, and a token code, which is the number displayed on the RSA SecurID authenticator. The RSA SecurID scheme also supports two additional challenge-response modes: Next Token and New PIN, as described below.

For Next Token mode, it is applied in cases where the authentication process requires additional verification of the token code. The user is challenged to enter the next token code; that is, to wait for the number that is displayed on the authenticator to change, and enter the new number (without the PIN).

Also, this Next Token is asked for when someone has tried to log in a few times with a wrong Passcode (for example, a wrong PIN was used) followed by a correct Passcode. To be sure the Passcode provided was indeed a correct code from your software token, you are requested to provide the Next Tokencode.

In summary, this happens when your ID has failed to authenticate more than the preset number of times (the wrong passcode has been entered). This also occurs on random occasions even if you have previously authenticated, so the system can validate the token is still in your possession.
ManieyaK_Citrix Systems / Network Admin Author Commented:
So why do the users not receive a notification of this, and instead are just unable to log in until we reset their token? It should present the user with the prompt to log in using "NextTokenCode" rather than just continuously stating incorrect username & password.
btan Exec Consultant Commented:
Actually, I see the "NextTokenCode" as only a form to verify and confirm the user's claim that he/she has possession of the token. Two use cases where it appears tend to be:

a) the token clock is different from what is expected by the server (e.g. a token with an inaccurate clock, or the token time has drifted); this possibly indicates an attacker is trying to submit out-of-date passcodes

b) someone has tried to log in a few times with a wrong Passcode (for example, a wrong PIN was used) followed by a correct Passcode. To be sure the Passcode provided was indeed a correct code from your software token, you are requested to provide the Next Tokencode.

That is native to RSA. It is something only RSA will know and dictate regarding the specific threshold and this kind of 'adaptive' risk assessment action.
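The two triggers described in the answer above (clock drift, and a correct passcode after repeated failures), sketched as an added example that is not part of the original thread and is not RSA's code. The tokencode generator is a stand-in truncated HMAC rather than the SecurID algorithm, every threshold is an assumed value, and PIN handling and replay tracking are left out; note that the validator returns three distinct outcomes, so a front end can show a next-tokencode prompt instead of a generic failure.

```python
import hashlib
import hmac
import struct

STEP = 60       # seconds per tokencode (assumed)
NARROW = 1      # steps of clock drift accepted silently (assumed)
WIDE = 10       # steps of drift accepted only after a next-tokencode check (assumed)
MAX_FAILS = 3   # bad passcodes after which a good one is double-checked (assumed)

def tokencode(seed: bytes, step: int) -> str:
    """Stand-in generator: truncated HMAC-SHA1 of the time step, 6 digits."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 10**6:06d}"

class TokenState:
    """Hypothetical per-token server state: failure count and pending challenge."""
    def __init__(self, seed: bytes):
        self.seed, self.fails, self.pending = seed, 0, None

    def _match(self, code, now_step, width):
        # Return the time step whose tokencode equals `code`, or None.
        for d in range(-width, width + 1):
            if hmac.compare_digest(tokencode(self.seed, now_step + d), code):
                return now_step + d
        return None

    def authenticate(self, code: str, now: int) -> str:
        now_step = now // STEP
        if self.pending is not None:
            # Next Tokencode mode: only the code right after the matched one passes.
            expected = tokencode(self.seed, self.pending + 1)
            if hmac.compare_digest(expected, code):
                self.fails, self.pending = 0, None
                return "ACCESS_ACCEPTED"
            self.fails += 1
            return "ACCESS_DENIED"
        hit = self._match(code, now_step, NARROW)
        if hit is not None and self.fails < MAX_FAILS:
            self.fails = 0
            return "ACCESS_ACCEPTED"
        if hit is None:
            hit = self._match(code, now_step, WIDE)   # case (a): drifted clock
        if hit is None:
            self.fails += 1
            return "ACCESS_DENIED"
        self.pending = hit                            # case (a) or case (b)
        return "NEXT_TOKENCODE_REQUIRED"
```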