RSA Authentication Manager 7.1 Administrator's Guide - IT Services ...
RSA Authentication Manager 7.1 Administrator’s Guide

Tokens Configured to Not Require PINs

Authentication Manager supports authentication with tokens that are configured so that they do not require a PIN. To authenticate, instead of entering the PIN followed by the tokencode, the user enters only the tokencode displayed on the token.

Note: Tokens that do not require PINs are not as secure as tokens that require PINs. RSA recommends that you configure all tokens to require a PIN.

Authenticating with just a tokencode is useful in situations such as:
• When a token is stored on a smart card and must be unlocked by the user with a PIN
• When a software token is on a desktop and must be unlocked with a password

In these situations, the resource is protected by two-factor authentication without the user having to enter two different PINs.

When assigning a token, you can configure both hardware and software tokens so that they do not require PINs. For instructions, see the Security Console Help topic “Authenticate without an RSA SecurID PIN.”

Distributing Hardware Tokens to Users

Because hardware tokens are physical devices, you must deliver them to users before they can be used to authenticate.

If your organization has a single location, the fastest and most secure method is to have users pick up tokens at a central location.

If your organization has multiple locations, consider having administrative personnel at each site distribute the tokens. Alternatively, have your administrative staff travel to different locations at pre-announced times. The advantages of this method are the assurance that the hardware tokens are delivered to the right users and that they work when users receive them.

Another distribution method is to mail tokens to users. Mailing hardware tokens through interoffice mail, post, or overnight express, for example, might be more practical for your organization. However, this usually involves more up-front work, such as developing a process for generating mailing labels, and verifying that users receive their tokens, to ensure success.

RSA recommends that you only mail disabled tokens, which can be enabled after receipt by the correct user. Send information about how to enable tokens separately from the actual tokens or make it accessible only from a secure location. You may also want to consider grouping users so mailing can be accomplished in a controlled manner.

Ultimately, you may decide to use a combination of these delivery methods. For example, if you must distribute enabled tokens to assigned users, be sure to use secure channels, such as having them delivered in person by trusted staff members.

3: Protecting Network Resources with RSA SecurID