ITS Documentation

MToken Administration

S4395 • November 2014

This document provides instructions for MToken administrators—the people at the ITS Service Center and MToken Distribution Centers who distribute and manage MTokens for members of the university community. MTokens are used for two-factor authentication. Information for MToken users is in Obtaining, Activating, and Using an MToken (S4394).

Table of Contents


IMPORTANT! You must be an MToken administrator to log in to the RSA Security Console (formerly MToken Quick Admin). MToken administrators include staff members at the ITS Service Center and the people who staff the MToken Distribution Centers.

Log In to MToken Quick Admin

To complete any of the procedures outlined in this document, begin by logging in to the RSA Security Console.

  1. On the RSA Security Console Login page, enter your uniqname in the User ID field, then click OK.

  2. The password field will appear. Enter your UMICH password, then click OK.

  3. You will be prompted to enter a passcode. Enter the tokencode from your MToken, then click OK.
    NOTE: If your passcode is incorrect, the passcode field will clear without displaying an error message, and you will need to enter your tokencode again.

  4. You will see RSA Security Console Home page.


    RSA Security Console Home page

Searching in the RSA Security Console

There are several ways to search for a person or an MToken serial number in the RSA Security Console. The most convenient is to use the Quick Search box, but you can also search using the Manage Users or Assigned Tokens search links under Quick Links.

Search Using Quick Search

  1. On the RSA Security Console Home page, type the person’s uniqname in the User Dashboard: Quick Search box. User ID in the RSA Security Console refers to a person’s uniqname.

  2. Leave the drop down menu at the default of adsroot.itcs.umich.edu.

  3. As you type, the search will autocomplete as a drop down list of users.

  4. Select the appropriate person by clicking on their user entry.


    After typing the person's uniqname in the search field, select their user entry from the drop-down list that appears below.

Search for People Via Manage Users

  1. On the RSA Security Console Home page, under the Quick Links header, click Manage Users.
    TIP: You can also navigate to this page by using the toolbar at the top. Click Identity, then click Users, then Manage Existing.

  2. Adjust your search criteria as appropriate.

    • Ensure Identity Source is listed as adsroot.itcs.umich.edu.

    • Change contains to is exactly.
      NOTE: If this default value is not changed, the search may time out and return an error with no results.

  3. Enter your search terms in the empty box, then click Search.

Search for MTokens Via Assigned Tokens

  1. On the RSA Security Console Home page, under the Quick Links header, click Assigned Tokens.
    TIP: You can also navigate to this page by using the toolbar at the top. Click Authentication, then click SecurID Tokens, then Manage Existing.

  2. The page will default to the Assigned tab, which displays MTokens that are already assigned to people. Click the Unassigned tab to search for MTokens that have not yet been assigned.

  3. Adjust your search criteria as appropriate.

  4. Enter the appropriate serial number in the empty box, and click Search.

Assigning an MToken to a Person

An MToken can be assigned to any member of the university community with a regular uniqname. If a person is in the MCommunity Directory, they are listed in the RSA Security Console, regardless of whether they have an MToken. A person can have a maximum of three MTokens assigned to them at a time, and only members of the ITS Service Center can assign software MTokens.

IMPORTANT! Before assigning an MToken to a person, confirm that they have picked up a hardware MToken from an MToken Distribution Center, or installed the RSA SecurID application on their device.

  1. Log in to RSA Security Console (see login instructions above).

  2. Search for the person in the quick search box. You can search only by User ID (uniqname).

  3. After selecting the appropriate person, you will see their User Dashboard. Under the Dashboard heading, in the Assigned SecurID Tokens box, select the drop down button for Assign More Tokens.

    From the Dashboard, click Assign More Tokens

  4. Select either Assign Hardware Tokens or Assign Software Tokens, depending on what the person requested.

    1. Assigning a Hardware MToken

      1. Search for the Token Serial Number. Only unassigned tokens will be included in the search results. You can search with incomplete serial numbers.

      2. Check the checkbox next to the serial number that matches the hardware token that the person possesses, and click Assign Token(s).

        Enter the serial number of the MToken the person picked up.

      3. You will see this confirmation message: “Successfully assigned token(s) [serial number] to [uniqname].”

    2. Assigning a Software MToken

      IMPORTANT! Only staff at the ITS Service Center are permitted to assign software MTokens.

      1. Select the radio button next to the next available serial number, then select Assign token(s).

        Select the next available software MToken serial number from the top of the list.

      2. You will be prompted to select a software token profile, and under the Software Token Profile header, select the software token profile that corresponds to their device from the drop-down menu.

        Select the software MToken profile that matches the person's device type from the Software Token Profile drop down.

      3. Click Save and Distribute.

        Click save and distribute

      4. Two URLs will be displayed, one with a code and one without. Email the person their software MToken activation details. If the person has a software MToken

        • On a mobile device, send the combined URL with activation code.

        • On a computer, send the URL without activation code and the activation code separately.

        IMPORTANT! Activation emails should only be sent to umich.edu addresses

        For a computer software MToken, send the URL and activation code separately. For a mobile device, send the combined URL with activation code.

        IMPORTANT! The person must copy and paste the entire content of the URL (beginning with COM.RSA) into the address bar of a web browser on their device. The web browser may display a blank page (Chrome) or redirect to the RSA SecurID application (Safari). If the application does not automatically open, have the person open the RSA SecurID app to ensure that the application is activated and displaying numbers. Clicking on only the highlighted portion of the URL will not work.

    3. To send the software MToken activation URL to a user after an MToken has been assigned, follow these instructions:

      IMPORTANT! Only staff at the ITS Service Center are permitted to assign software MTokens.

      1. In the user dashboard, check the checkbox next to the MToken that you just assigned to the person. Click the arrow next to Edit and select Distribute.

      2. Then, follow steps 2-7 above.

  5. At this point, the person should go to the MToken Service Center website to test their MToken.

  6. Encourage the person to enroll in MToken security questions to enable self-service emergency access in the future if they forget their MToken.

Unassigning an MToken

If a person leaves the university, no longer needs their MToken, or is replacing an MToken with a new one, their MToken will need to be unassigned. If a person is replacing one MToken with another, the old MToken is automatically unassigned during the Replace MToken process on the MToken Service Center website. However, if a person no longer needs their MToken, follow these steps to manually unassign it using the RSA Security Console.

  1. Log in to the RSA Security Console (see login instructions above).

  2. Type the person’s uniqname in the Quick Search box, then select the appropriate person from the drop-down list of search results that appears.

  3. Ask the person for the serial number of the MToken that needs to be unassigned.

    • Hardware MTokens have serial numbers listed on the back.

    • Software MToken serial numbers can be found by pressing the (i) button in a mobile app, or by clicking Token Information in a computer application.

    NOTE: Only one MToken can be unassigned at a time. If a person has multiple MTokens to be unassigned, you must unassign them one-at-a-time.

  4. In the list of serial numbers in the Assigned SecurID Tokens box, select the appropriate MToken serial number.

  5. Click the drop down arrow next to Edit (do not click Edit) at the bottom of the Assigned SecurID Tokens box.

    Check the checkbox next to the MToken serial number, then click the arrow next to edit, then click unassign.

  6. Click Unassign Token in the dialog box that appears to confirm the unassignment.

Once an MToken has been unassigned, it can be reassigned to another person. After unassigning an MToken, advise the person to either return their hardware MToken to an MToken Distribution Center for reuse, or to uninstall the RSA SecurID application from their device.

Enabling a Disabled MToken

If a person calls to report that they have found their lost MToken, you need to determine if the MToken has already been replaced or if it has been disabled.

  • If the MToken has been replaced, the recovered MToken will need to be returned to an MToken Distribution Center.

  • If a replacement MToken has not been assigned, the person should cancel their replacement request and you can enable the previously disabled MToken.

Follow these steps to enable a disabled MToken:

  1. Log in to the RSA Security Console (see login instructions above).

  2. Type the person’s uniqname in the Quick Search box, then select the appropriate person from the drop-down list of search results that appears.

  3. In the list of serial numbers in the Assigned SecurID Tokens box, check the checkbox next to the appropriate MToken serial number. Disabled MTokens will have a checkmark in the Disabled column.

  4. From the drop-down arrow next to the Disable button at the bottom of the box, select Enable.

    Check the checkbox next to the MToken serial number that is disabled and click the disable button, then select enable.

  5. Click Enable Token(s) to confirm.

  6. Have the person go to the MToken Service Center website to test their token by clicking Test MToken. The person can also test their MToken by logging into the desired application.

Unlocking a Person's MToken Profile

If a person incorrectly enters their MToken tokencode too many times in a row, their profile will be locked and each MToken that is assigned to them will be placed in Next Tokencode mode. This causes the user profile to locked. You need to unlock it to allow the user to use their MToken. (Before November 2014, resetting the MToken fixed this problem; that no longer works.)

  1. Log in to the RSA Security Console (see login instructions above).

  2. Type the person’s uniqname in the Quick Search box, then select the appropriate person from the drop-down list of search results that appears.

  3. In the User Profile box, the Locked Status will display. If the Locked Status is Locked, click Unlock to unlock the user.

    This person has a locked status of locked listed in user profile. Click unlock to unlock their account. Their MTokens are also in next tokencode mode because there are checkmarks in the Next TC column of assigned SecurID tokens.

  4. Click Save.

  5. If an MToken is in Next Tokencode mode, a checkmark will appear in the Next TC column of the Assigned SecurID Tokens box.

  6. To remove an MToken from Next Tokencode mode, have the person test their MToken on the online MToken Service Center by logging in and clicking Test MToken. After entering a tokencode, they will be prompted to enter the next tokencode. After entering that tokencode, the MToken will no longer be in Next Tokencode mode. Removing one MToken from Next Tokencode mode will remove any additional MTokens assigned to the person from Next Tokencode mode.

Resynching an MToken

If the time on the MToken server is inaccurate or does not match the time on an MToken, the MToken may need to be resynchronized. A person can also resynchronize their own MToken by visiting the MToken Service Center website and clicking Resync MToken below the assigned MToken that needs to be resynchronized.

  1. Log in to the RSA Security Console (see login instructions above).

  2. Type the person’s uniqname in the Quick Search box, then select the appropriate person from the drop-down list of search results that appears.

  3. Locate the correct MToken serial number in the list under Assigned SecurID Tokens for the person, and check the checkbox to the left.

  4. Click the drop-down arrow next to Edit (do not click Edit) at the bottom of the Assigned SecurID Tokens box, then select Resynchronize Token.

  5. In the dialog box that appears, enter the current tokencode and the next tokencode (ask the person to provide these), then click Resynchronize. People with hardware MTokens will need to wait 60 seconds for the tokencode to change, but people with software MTokens can advance to the next tokencode by pressing the arrow icon within the RSA SecurID app.

    Enter the current code then the next code on the MToken then click Resynchronize.

  6. A confirmation message will appear to verify success.

Providing an Emergency Access Code

A person with an MToken who has not set up security questions and answers can phone the ITS Service Center for an emergency access code if they lost, forgot, or broke their MToken. Service Center staff can verify the person’s identity through other means and then provide an emergency code. The person should be encouraged to set up security questions and answers so that they can obtain an emergency access code themself in the future if need be. A new emergency access code can be assigned if the original one is lost.

  1. Log in to the RSA Security Console (see login instructions above).

  2. Type the person’s uniqname in the Quick Search box, then select the appropriate person from the drop-down list of search results that appears.

  3. In the list of serial numbers in the Assigned SecurID Tokens box, locate the appropriate MToken serial number for the person and check the checkbox to the left.

  4. At the bottom of the Assigned SecurID Tokens box, click the drop-down arrow next to Edit, then select Emergency Access Tokencodes.

  5. A dialog box will appear. Under the Online Emergency Access header, check the checkbox next to Enable authentication with an online emergency access tokencode.

    Check the checkbox for enable authentication with an online emergency access tokencode, then more options will appear

  6. The dialog box then displays the option to select Type of Emergency Access Tokencode(s). Select the radio button for Temporary Fixed Tokencode, and several more options will appear.

    Select the temporary fixed tokencode radio button, then more options will appear.

  7. To generate a code, click Generate New Code, and an eight-character code will appear to the left of the button. The code will be a random mix of numbers and lowercase letters.

  8. The Emergency Access Tokencode Lifetime will by default be set to expire in two weeks. Change the expiration date of the code to expire on the next business day for greater security. You can set the expiration date to be later if requested or a business need requires it.

  9. Leave the If Token Becomes Available selection of Allow authentication with token at any time and disable online emergency tokencode as is. This allows the person to authenticate with their MToken if they find it later.

    click generate new code and a code of numbers and lowercase letters will appear to the left of the button.

  10. Read the emergency access code to the person, then click Save to assign the temporary code to the person.
    NOTE: The emergency access code will no longer be visible after clicking save. You can regenerate it by going through the steps again. A new code will be generated each time.

  11. If the user needs a temporary password for longer than one business day, click either the By Days/Hours or the By Date/Time radio button. Enter the corresponding parameters.

  12. Click Apply.

  13. Have the person go to the MToken Service Center website to test their emergency access code by clicking Test MToken. The user can also test their emergency access code by logging into the desired application.

Resetting MToken Security Questions

If a person forgets the answers to their MToken security questions, they can be reset (or cleared) so that the person can set them up again.

  1. Log in to the RSA Security Console (see login instructions above).

  2. Type the person’s uniqname in the Quick Search box, then select the appropriate person from the drop-down list of search results that appears.

  3. In the User Profile box, select Edit User. Under the Account Information header of the dialog box that appears, check the checkbox for Clear user answers to security questions. If the checkbox is grayed out and unable to be clicked, the person has not enrolled in security questions.

    Check the checkbox next to security questions to clear user answers to security questions.

  4. Click Save to confirm.

If the person is already logged into the MToken Service Center website, they may need to refresh the page before they are able to enroll in new MToken security questions.

Replacing an MToken

If a person visits an MToken Distribution Center with an expired or broken MToken, or if they have lost their MToken, the administrator can unassign the expired, broken, or lost MToken and assign a new one to the person.

  1. Unassign the expired, broken, or lost MToken.

  2. Assign the new MToken.

  3. If the person would like to replace their hardware MToken with a software MToken, direct them to the instructions for Replacing an MToken in Obtaining, Activating, and Using Your MToken (S4394). Advise the person to return their hardware MToken to an MToken Distribution Center after they activate their replacement software MToken.

MToken System IDs

MToken system IDs can be requested from the ITS Service Center.

Additional Resources

Visit ITS's Information System to obtain ITS computer documentation and other resources. A list of relevant documents follows:

The ITS Service Center provides a variety of computing help resources.

For further help with this or any other topic, call 734-764-HELP [4357] or submit an online service request.