Softpanorama
(slightly skeptical) Open Source Software Educational Society

SecureID Token Activation

Contents
  1. Introduction
  2. Token usage
  3. Typical User Problems 
  4. Token Activation

 

Introduction

You now have a SecureID token assigned to you and your Unix shell was changed to a SecureID shell on one or more DMZ server accounts. Please print this document and follow each step carefully.

To authenticate yourself to the system you should now use the same login name as before and a passcode instead of password. Before you start using the token, it needs to be activated (see below).

Please understand that the token generates only the one-time password, not the whole passcode. The passcode consists of two parts, the PIN and the one-time password generated by the token, entered one after another with no delimiter in between.

The first time you enter your userid on a Unix box with the SecureID installed you should see the prompt

Enter PASSCODE

instead of the usual

Enter password.

That prompt means that your authentication is now performed with the SecureID token.

Token usage

After activation, each time you log in you need to enter a passcode (PIN + one_time_password). When using the SecureID token:

  1. Do not forget that the passcode consists of a PIN and a one-time password generated by the token. Enter your PIN first and then the 6-digit one-time password.

  2. Each one-time password is valid for one minute only. You cannot use an old password that you wrote down or remembered after the token has moved on to the next one. At the beginning I recommend waiting until the token generates a new one-time password and only then entering your PIN and that password.

  3. If you entered the wrong passcode (for example, novices often forget to enter the PIN, or the one-time password changed before you finished entering it), wait until the token generates the next one-time password and then try again.

  4. The token generates one-time passwords. If you open two or more sessions one after another, you need to wait until a new one-time password is generated for each of them, so opening three sessions takes approximately 3 minutes. You cannot use the same passcode for two logins.

  5. For carrying the token, a detachable keychain or a pull-out cord is probably the best option. A small necklace pouch can also be used. Your mileage may vary. In any case, try not to forget your token at home; if you do, a replacement token will need to be issued.
     

Typical User Problems 

  1. New SecureID users often forget to enter the PIN before the one-time password. If they enter the generated one-time password twice, they are put into "next passcode mode" (see below).
     
  2. New users have difficulty understanding that a one-time password is valid for one minute only, and that if the first one was rejected by the system you should wait for the token to generate the next password. The same applies if you need to log in to several servers: you cannot use the same token-generated sequence of 6 digits twice.
     
  3. If the user has entered the wrong passcode twice, he/she is automatically put into so-called "next passcode mode". This means that after they enter the first correct PIN + one-time password combination, they are prompted for the next one-time password generated by the token. This second token-generated one-time password should be entered without a PIN.
     
  4. If you telnet to the server and get the regular prompts for username and password, you need to contact the Unix admin for the box to install the SecureID shell for your account.
     
  5. If a user forgets his or her PIN, the PIN needs to be reset.
     
  6. You cannot initialize your token using ftp. Please use telnet to do so.

Token Activation

The very first time you use your token, you need to connect to the system using telnet, not ftp. The selection of your own secret PIN in that telnet session is called token activation. It is performed only the first time you use the token. This is a multistep process, but the description below looks more complex than it actually is. You just need to be careful and follow the instructions below step by step:

  1. User action: Open a telnet session to any server that has your SecureID account.
  2. System action: You will get the usual login prompt.
     

  3. User action: Enter your login id.
  4. System action: The system should display the prompt Enter PASSCODE instead of Enter password.
    If you do not see this prompt, please contact your system administrator.

  5. User action: Enter the 6-digit number (one-time password) displayed on your token.

    Note: At this time you do not have a PIN yet, which means that your PASSCODE is just the 6 digits displayed on your token.

  6. System action: You should get the prompt "Enter PIN".
     

  7. User action: Choose a combination of four to eight (4-8) letters and numbers that is meaningful to you and enter it as your secret PIN.

    You can use one of your PINs for other cards to save yourself from memorizing yet another one. In any case, try to avoid birthdays or phone numbers, which can be easily discovered.

  8. System action: You should get a prompt to re-enter your PIN.
     

  9. User action: Re-enter the same PIN you chose in the previous step.

  10. System action: The system will display the prompt "Enter PASSCODE" again.
     
  11. User action: This time you need to enter both the PIN and the generated one-time password (the passcode). Once you have set your PIN, the PASSCODE is your PIN followed by the token display:

    Passcode = PIN + one_time_password (generated by token)

    Example:

    Your PIN:  1234  (this is actually a bad PIN)
    Token code (one-time password):  539825
    New passcode:  1234539825  (note that the PIN is a prefix of the passcode)

    Please also note that although the token display changes, your PIN always remains the same.

  12. At this point you are done and you should get the system prompt. If you entered the combination

    PIN + one_time_password

    incorrectly and the system complained, wait until the one-time password changes on the token (they are not reusable; they are really one-time). That also means that you cannot log in to two servers using the same 6-digit one-time password: you need to wait for the next one-time password to log in to the second server.

    You do not need to repeat activation on other servers. They are activated automatically as soon as you activate the first server, and you need to enter the Passcode = PIN + one_time_password (generated by token) combination when prompted for the PASSCODE on those servers. Just the 6 digits from the token will not work.
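As an added illustration (not part of the original page, and not RSA's code), the following Python models the rules stated in the Token usage and Typical User Problems sections and in the activation steps above: activation with the 6 token digits only, a 4-8 character PIN entered twice, Passcode = PIN + one_time_password with no delimiter, one-minute codes that cannot be reused (including on a second server), and "next passcode mode" after two wrong passcodes. The tokencode generator, the seed and clock values, the class and function names and the exact prompt strings are all constructed for this example; the real SecureID token algorithm is not shown here.

```python
"""Added example: a simplified model of the passcode rules described on this page.
It is NOT RSA's code. The tokencode generator is a stand-in (HMAC over the minute
index) used only so the example runs offline; real tokens use a different algorithm
and the seed never leaves the token and the authentication server."""
import hashlib
import hmac

DEMO_SEED = b"constructed-demo-seed"   # constructed value for this example only
CODE_WINDOW = 60                       # page rule: each one-time password lasts one minute


def tokencode(seed: bytes, now: int) -> str:
    """Six-digit one-time password for the minute containing `now` (stand-in generator)."""
    window = now // CODE_WINDOW
    digest = hmac.new(seed, window.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def valid_pin(pin: str) -> bool:
    """Page rule for a new PIN: four to eight letters and digits."""
    return 4 <= len(pin) <= 8 and pin.isalnum()


class SecurIdServerModel:
    """What the page says the server enforces: PIN prefix on the passcode, codes valid
    for one minute, no reuse of a code (also across servers), and 'next passcode mode'
    after two wrong passcodes. Hypothetical class, not a real server component."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.pin = None              # None until the token has been activated
        self.used_codes = set()      # accepted codes; entering one again is rejected
        self.failures = 0            # consecutive wrong passcodes
        self.awaiting_next = False   # True while the next tokencode (no PIN) is required

    def _code_ok(self, code: str, now: int) -> bool:
        return code == tokencode(self.seed, now) and code not in self.used_codes

    def set_pin(self, pin: str, confirm: str) -> str:
        """Activation steps 7-10: choose a PIN, re-enter it, then get 'Enter PASSCODE'."""
        if self.pin is not None or not valid_pin(pin) or pin != confirm:
            return "Enter PIN"
        self.pin = pin
        return "Enter PASSCODE"

    def login(self, passcode: str, now: int) -> str:
        """Returns the next prompt the user would see; 'SHELL' means login succeeded."""
        if self.awaiting_next:
            # Next passcode mode: the following tokencode is entered WITHOUT the PIN
            if self._code_ok(passcode, now):
                self.used_codes.add(passcode)
                self.awaiting_next = False
                self.failures = 0
                return "SHELL"
            return "Enter next PASSCODE"
        if self.pin is None:
            # Activation steps 5-6: no PIN yet, so the passcode is just the token's digits
            if self._code_ok(passcode, now):
                self.used_codes.add(passcode)
                return "Enter PIN"
            return "Enter PASSCODE"
        # Normal use: Passcode = PIN + one_time_password, no delimiter
        pin, code = passcode[:-6], passcode[-6:]
        if pin == self.pin and self._code_ok(code, now):
            self.used_codes.add(code)
            if self.failures >= 2:
                # Two or more earlier failures: this passcode is accepted, but the
                # next tokencode is demanded before the shell is granted
                self.awaiting_next = True
                return "Enter next PASSCODE"
            self.failures = 0
            return "SHELL"
        self.failures += 1
        return "Enter PASSCODE"


def walkthrough() -> list:
    """Activation, a successful login, a rejected reuse, and next passcode mode."""
    srv = SecurIdServerModel(DEMO_SEED)
    t0 = 1_000_000                                 # constructed clock value (seconds)
    c0, c1, c2, c3 = (tokencode(DEMO_SEED, t0 + 60 * i) for i in range(4))
    return [
        srv.login(c0, t0),                         # 'Enter PIN' (activation, 6 digits only)
        srv.set_pin("1234", "1234"),               # 'Enter PASSCODE' (the page calls 1234 a bad PIN)
        srv.login("1234" + c1, t0 + 60),           # 'SHELL' (waited for the next code)
        srv.login("1234" + c1, t0 + 70),           # rejected: same code on a second server
        srv.login(c2, t0 + 120),                   # forgot the PIN -> wrong passcode
        srv.login(c2, t0 + 120),                   # forgot again   -> next passcode mode
        srv.login("1234" + c2, t0 + 120),          # correct, but 'Enter next PASSCODE'
        srv.login("1234" + c3, t0 + 180),          # rejected: next code must be entered without PIN
        srv.login(c3, t0 + 180),                   # 'SHELL'
    ]
```

Call walkthrough() to step through the sequence; the comment on each line gives the prompt the model returns. The same rules also explain what the help desk sees: repeated "Enter PASSCODE" after a 6-digit entry usually means a forgotten PIN, and "Enter next PASSCODE" means the user must wait for the token to change and enter the new code without the PIN.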


Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). The copyright of original materials belongs to their respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: February 28, 2008