
RSA SecurID Access


As we all transition to embrace the new normal and support the remote workforce, there is an unprecedented need to keep endpoints secure without compromising convenience. It is critical that we take steps to enable the dynamic workforce to access resources by providing a frictionless and seamless experience. We are excited to provide updates as part of the June 2020 release that perfectly align with this objective.



RSA® MFA Agent for macOS® 


Endpoint security is a major concern for CSOs and IT managers. Given the pandemic situation, there is a significant increase in the number of end-user devices (especially laptops and desktops) trying to access the corporate network remotely, along with a corresponding increase in the number of hackers trying to compromise them. With RSA® MFA Agent for macOS®, organizations can protect and ensure secure logins to macOS® laptops and workstations. RSA® MFA Agent for macOS® works with RSA SecurID Access Cloud Authentication Service to require users to provide additional authentication to sign into macOS® consoles, whether they are online or offline.


Today’s enterprises understand and acknowledge the need to manage identities in a dynamic fashion given their dynamic environment and dynamic workforce. Although strong authentication is top of mind, convenience and user experience are no longer a secondary priority. Defying the “more-is-more" approach, customers and users want to manage a minimum set of authenticators for an efficient and seamless experience across use cases.


With that as the preamble to the RSA® MFA Agent for macOS®, the authentication options available to end users when they are online are Push to Approve, RSA SecurID Authenticate Tokencode and RSA SecurID Tokens. The Agent falls back to Authenticate Tokencode when users are offline and offers an Emergency Tokencode option when they have no access to authenticators. With RSA SecurID Access, users are always connected securely.


By protecting macOS machines not just during user logins but also during screen unlocks, and with the no-fail-open design, RSA ensures there is no “slip through the cracks” situation even when the Agent cannot reach the Cloud Authentication Service.


To learn more and watch the MFA Agent in action, see:

Cake for All! Secure & Convenient Login for The New Enterprise for macOS®  

Watch RSA® MFA Agent for macOS® In Action


View and Track License Usage Information  


Understanding the product usage is an important factor for planning and forecasting future license upgrades. Customers can view their current usage of MFA on RSA SecurID Access and Authenticators registered for the service. Administrators can access the following information to determine:

  • Number of users with Multi-factor authentication (MFA) licenses 
  • Number of users with third-party FIDO authenticators
  • Number of SMS/Voice Tokencodes consumed 


This data is refreshed automatically every hour to ensure that administrators have visibility to the most recent information.


Get More Out of Enterprise and Premium Editions of RSA SecurID Access with the Third Party FIDO Authenticators 


We all know how effective FIDO is when it comes to thwarting phishing and man-in-the-middle attacks. The FIDO Alliance promotes and supports stronger authentication standards that help reduce the over-reliance on passwords. So does RSA!


In December 2019, RSA partnered with Yubico® to address the needs of a dynamic workforce and provide a modern and frictionless authentication experience with the FIDO authentication solution. With FIDO2 and RSA SecurID Access Authentication services, RSA customers enjoy the passwordless experience while accessing SaaS and web applications.


Until recently, the customers had to purchase RSA SecurID MFA licenses to use FIDO/FIDO2 authenticators. With this change, we are removing the frictions for the enterprises to adopt and build stronger and more modern authentication strategies.  


FIDO Authentication Support  


While we are talking about extending the support for FIDO, why not talk about the RSA SecurID Authentication API? The RSA SecurID Authentication API is a REST-based programming interface that allows RSA customers and partners to leverage MFA capabilities for their custom-built applications.


In the June release, the RSA SecurID Authentication API supports FIDO/FIDO2 as an authentication method along with the existing MFA methods. To supplement FIDO as part of authentication, RSA SecurID Access supports managing the entire lifecycle too. RSA understands that for organizations to begin using FIDO at scale, more is required than just authentication support for the protocol. At the initial login authentication attempt, users can enroll their FIDO authenticators or keys before using them as part of multi-factor authentication methods. By providing users with the ability to manage the keys with self-service and in-line registration, RSA removes barriers for organizations and technology partners to adopt RSA SecurID Authentication support for FIDO.



To learn about additional updates coming out in June 2020, see June Release Notes. 


Organizations today are reeling from decisions made at the start of the “New Normal”. These decisions were made during a rapidly deteriorating situation happening on a global scale, all in response to continually evolving mandates issued by different levels of government. Action on these decisions was swift, of the business simultaneously, and fundamentally changed how the business functioned on a day-to-day basis.


The New Normal results in a widely distributed Remote Workforce.

The Remote Workforce that must use the internet to access Corporate Resources.

Corporate Resources are accessed from the home office using All Available Machines.

The Machines that keep the lines of business running in The New Enterprise.


As the “New Normal” begins to stabilize, organizations are starting to understand the impact of these changes. One such need is the ability of the remote workforce to securely log in to machines running macOS® and use them to access corporate resources. Prior to this, organizations had little appetite to secure these machines because their numbers were relatively small and easy to track and manage.


Today, these machines are used by the remote workforce in all parts of the world. They are connected to the internet using a variety of consumer grade networking equipment and broadband service providers. More importantly, there are no guarantees of physical access security to these machines. New problems are revealed as the lines of business continue to allow the use of macOS machines by the remote workforce. Solving them will require a New Enterprise Grade solution that can meet the needs of both users and administrators in the "New Enterprise".


Users need Convenient Login to macOS any time whether Online or Offline with No Fail-Open.

Administrators need Secure Login to macOS anytime whether Boot-Up or Wake-Up.


Announcing the Launch of RSA MFA Agent 1.0 for macOS


Today, RSA® proudly launches RSA MFA Agent 1.0 for macOS; an important step for a New Enterprise Grade endpoint protection solution. This agent is the culmination of many years of experience from securing Windows® and Linux® machines belonging to organizations of all sizes and verticals. You will discover that this agent fulfills the needs of both users and administrators while they adapt to the "New Enterprise". Additionally, you can learn how we do this for Windows and Linux machines in the “Eat More Cake!” blog and the Pluggable Authentication Module (PAM) announcement.     


Convenient Login Whether Online or Offline with "No Fail-Open"


Users want a quick and easy way to log in to macOS. Many users do not want to carry different devices all the time just to log in. They do not want to figure out if their macOS machines are connected to the internet just to log in with the right device. All they want is to carry one device and use one app to log in to their machines.


RSA MFA Agent for macOS lets users log in using a choice of Approve, Authenticate Tokencode, Emergency Access or RSA SecurID® Token that is convenient anytime the machine is online. With our deliberate use of a "No Fail-Open" design, gone are the days when users get limited access to the machine when offline. The agent automatically protects the offline machine using one of the most secure options, Authenticate Tokencode. Users can conveniently log in to their machines with this when offline, just as they do when online.


Secure Login Whether Boot-Up or Wake-Up


Users typically log in to their macOS machines at the log in or lock screen. Of these two places, users most frequently log in at the lock screen, because the machine automatically locks itself when the user has not interacted with it for a while. Examples of this include users stepping away for a short break or when moving to a new meeting room and reopening the laptop lid to use it. The log in screen by comparison happens only when the machine is turned on or restarted.  


Any secure desktop protection solution that uses a Fail-Open design without protecting the lock screen really takes the cake! Not only can someone gain access to the machine by figuratively pulling the network cable, they can stay logged in with just the username and password. Requiring users to login with Authenticate Tokencode using our innovative "No Fail-Open" design, preventing login bypass, at both log in and lock screens, even when the machine has no connectivity, is how we do it better.


Ending on a Sweet Note


As we enter the "New Enterprise" era, organizations are reevaluating their Identity and Access Management (IAM) solutions in use more than ever. They will not accept so-called "Enterprise Grade" solutions that favor convenience or security at the expense of the other while operating in the "New Enterprise". They want to have their cake and eat it too. With RSA SecurID Access, organizations can get a convenient and secure solution that is balanced, but getting one that is New Enterprise Grade is just icing on the cake.



An organization or lines of business within organizations should consider having an integrated authentication strategy and framework. An authentication solution should aid in advancing that framework in meeting specific identity and security objectives. Such organizations looking at free Microsoft Azure AD MFA or RSA SecurID Access need to use these critical elements when building or supporting such authentication framework. 


Protect applications beyond Windows-based and browser-based

Most organizations will continue to manage a hybrid IT model with non-Windows applications and infrastructure existing both in the cloud and on-premise. Infrastructure systems such as switches, routers, VPNs and server systems (*nix) need privileged access by super-admins. IAM teams need to think about how to securely enable 2FA/MFA for those privileged admins and end-users with a native integration that doesn’t compromise user experience. RSA SecurID Access provides an agent-based approach that can protect remote access infrastructure such as VPNs, Citrix access gateway, Windows Remote Desktop sessions, and critical server environments including Linux systems.


Support non standard protocol applications through a combination of technology ecosystem and an extensible API model

For legacy applications that do not support standard protocols (eg. SAML, RADIUS, OIDC) organizations need to think about extending MFA capabilities using an API approach or pre-built integration with technology vendors.  RSA Ready program helps organizations have an out of the box certified integrations with 500+ applications through 100+ technology vendor partnership. RSA SecurID Access can enable MFA to non-browser or non-SAML based applications through native integration with network vendors such as Palo-Alto Networks or provide out of the box MFA integration with electronic medical records applications such as Epic systems. RSA SecurID Access helps organizations to extend their deployment to meet enterprise grade requirements by exposing API/SDK for any custom integration.


Support dynamic workforce with authentication choices and a simplified experience across the entire MFA lifecycle including user onboarding

Supporting a broad range of user types and providing clear paths for those users to self-register any MFA method consistently as part of on-boarding is critical. The RSA SecurID Access on-boarding experience, through out-of-the-box capability or extensible REST APIs, helps organizations create a simplified user experience while on-boarding users, all backed by a powerful policy engine. Besides on-boarding, a framework needs to handle what-if scenarios such as credential recovery and emergency access. What if users need a break-glass approach to gain access to applications or self-service capabilities when their phones are misplaced or forgotten? What if contractors need a 1-time code to access systems without the overhead of distributing tokens or using mobile phones? RSA SecurID Access provides options to help handle emergency situations and a variety of user types and scenarios.


As discussed above any security sensitive organization looking to advance their authentication framework should consider appropriate critical elements.  IAM practitioners within those organizations need to contemplate whether having a free solution advances or restricts those elements in supporting diverse workforce access applications across their hybrid IT environment. 

As each line of business (LOB) within an organization procures its own authentication solution, the overhead costs of managing such solutions need to be evaluated. Does this island of point solutions drive additional process challenges and a more disconnected authentication framework for an IAM team? Below are key discussion points to ponder before going down the path of implementing multiple authentication solutions.


Reproducing & managing integrations & automation with multiple authentication platforms may prove costly

Organizations invest in the automation and integration of an authentication platform with existing security tools such as an SIEM platform, governance tools for collecting, reporting and regularly auditing of access events.  RSA SecurID Access enables those organizations to automate the process or workflow during on-boarding of users, distribution of MFA credentials and sharing of data for auditing needs. Replicating these integrations and automation across security systems using a second authentication platform may add additional cost and resourcing challenges.


Reflect on process challenges when considering multiple authentication platforms

Often rolling out or upgrading an MFA infrastructure requires a common buy-in across desktops, mobile, infrastructure, remote access and security teams. This required interaction creates process friction and overhead within some organizations.  Hence using native integration & out of the box capabilities provided by an authentication platform is critical in reducing such friction for IAM team’s success. RSA SecurID Access has such native integration capabilities through agent-based model, out-of-the-box integration with infrastructure vendors (eg. VPN, firewalls, virtualization platforms) and support for both hardware and virtual appliances. IAM teams should reflect on such process challenges and associated friction when adding yet another authentication solution in their toolbox to solve point use-cases.


Reduce user education and training costs and improve productivity through a single authentication platform

Educating and training users with two different authentication experiences provided through different solutions is a challenge when those users require the broadest set of authentication options to access applications. IAM teams considering two different authentication solutions as part of their tool set should consider looking at possible overhead of staffing and technical training of help desk team members in supporting those solutions. RSA SecurID Access helps build consistent end-user experience across the broadest set of applications and widest authentication choices that reduces the overhead of training and educating end-users. In addition, the IAM teams can improve overall help desk costs by choosing a single vendor that provides consistent experience in supporting users across a hybrid environment. 


Managing multiple authentication platforms doesn't end with technical, people or process challenges for IAM teams. The invisible costs extend to vendor management challenges, security teams managing vulnerabilities and fixing those gaps across multiple point products, and more. An IAM practitioner needs to evaluate and reflect on the holistic value achieved through using one versus multiple authentication platforms to meet an organization's broadest set of security and identity needs.

The word free has multiple meanings according to the Merriam-Webster dictionary. Among them are “not restricted”, “not costing”, “relieved from something burdensome”. When a solution is free or bundled with Enterprise License Agreements (ELA), and that is used as a key decision driver towards purchasing or rolling out Multi-Factor Authentication (MFA), the hidden costs are overlooked, leading to return on investment challenges. An Identity and Access Management (IAM) influencer or decision maker thinking about free Microsoft Azure AD MFA needs to consider the following three criteria and associated questions while making such decisions.


  1. A consolidated authentication framework to support diverse user population, variety of infrastructure & applications while mitigating identity specific attacks. Do organizations feel restricted or advancing in developing a consolidated authentication framework using a free solution?
  2. Overhead costs related to people & processes from supporting multiple vendors and managing multiple authentication platforms. Does having multiple authentication vendors cost organizations more?
  3. An authentication platform that helps IAM teams meet different regulatory requirements while supporting strong security policies. Do free solutions burden IAM teams more when trying to address MFA requirements as part of meeting their regulatory needs (e.g. PCI-DSS, DFARS, EPCS)?


If the answer is a resounding yes to the above questions the next series of blogs will provide guide paths and recommendations on how to address those questions effectively. These recommendations should enable organizations & IAM teams make an informed decision when considering RSA SecurID Access or free Microsoft Azure AD MFA for their authentication needs.


Organizations have been subjected to more regulations (eg. New PCI standards, CCPA etc.) than before and this creates additional burden for IAM teams to keep up with such regulatory requirements. An authentication platform should be able to help meet such regulations while helping meet security and privacy requirements. As an IAM practitioner one needs to consider the following guide paths when considering a free Microsoft Azure AD MFA or RSA SecurID Access or any authentication solution.


  • Regulatory requirements - A single platform that helps address an organization's myriad regulatory MFA compliance requirements

Some regulations mandate the strongest form of authenticators as per the NIST assurance levels (e.g. AAL 2 and 3) for your workforce. An example is EPCS, where strong proofing, 2FA and access logging are required for prescribing electronic prescriptions. RSA SecurID Access can enable such organizations with in-person proofing and secure distribution of 2FA tokens out of band. For organizations subject to DFARS, RSA SecurID Access can provide a FIPS compliant solution to meet 2FA requirements. The PCI-DSS 2.0 regulations call for knowledge of the success or failure of a factor not to be provided to individuals until all factors have been submitted. RSA SecurID Access can support such requirements through a multi-factor and multi-step process for network login into a secure cardholder environment.


  • Unified visibility across cloud and on-premise (hybrid) infrastructure to help meet auditing needs

Auditors need visibility into which users had access to applications and systems on both cloud and on-premise infrastructure.  Specifically, they need data on users, applications accessed, level of authentication used to gain access to those systems. RSA SecurID Access enables such visibility into an organization’s access infrastructure through out of the box reporting and the ability to export such events to external systems for further reporting or analysis. With a hybrid IT model (on-premise and cloud applications), IAM teams will benefit from a platform that provides comprehensive view of all user access events across multiple applications types and user population.


  • Security teams – Reduce identity specific attacks with a powerful policy engine

Security policies need to support different assurance levels based on the sensitivity of applications and user level risk. IAM teams need to centrally manage policies that help in achieving such assurance levels through the right level of authentication assurance. RSA SecurID Access provides different assurance levels so that the right level of access controls is implemented. Organizations can use the behavioral analytics risk engine, which can be used on day one, to determine user level risk against the peer population based on application, device or location anomaly.

With a combination of a powerful assurance level driven policy engine and behavioral risk capabilities, security teams can rest assured that they can mitigate identity threats and support their broader security goals.


  • Privacy requirements - A solution needs to understand and help with an organization’s privacy stature

Users have privacy concerns around security teams installing apps on their mobile devices. Some security policies mandate that no phones are allowed inside call-centers or data centers. An authentication solution should be flexible to accommodate such requirements. RSA SecurID Access can help meet such requirements through hardware OTP tokens or FIDO keys.

Some organizations are subject to strict data residency requirements (e.g. Europe) due to the countries that they operate in. RSA SecurID Access has data centers in local regions where data never leaves the respective region's borders to support data protection and privacy requirements.


Evaluate whether a free MFA solution from Microsoft will help breeze through such regulations, security and privacy requirements. RSA SecurID Access can help untangle complexity and reduce burden for IAM teams by helping meet such regulatory requirements.

Better Together: SecurID Access with your SIEM Platform



Everyone wants better visibility into the behaviors (or misbehaviors) of their users. We are often asked by customers a simple question. What should we watch out for? 


The RSA SecurID® Access Cloud Authentication Service produces a large list of events. These are emitted from both the Cloud Service itself and the supporting Identity Router virtual appliance clusters, and are intended to be used for a variety of purposes, including:


  • Security and Event monitoring
  • System health
  • Supporting audit activities
  • Troubleshooting system or integration issues


These events fall under three major categories and severity levels: Administration, System and User events. 


To help you get started, we have collated a shortlist of events that may be of interest. We emphasised events that were related to security and critical health warnings. Be warned! This list does not encapsulate every possible event of interest for your deployment and is not intended as an exhaustive list specific to your organisation.


RSA recommends augmenting this guidance with your knowledgeable delivery partner or with  RSA Professional Services to help provide specific advice for YOUR organisation. 

Furthermore, when alerting on events related to the SecurID Cloud Risk Engine, this provides an additional dimension of visibility around suspicious behaviour. This is relevant even if your organisation does not use the risk engine to drive down the frequency of user challenge - even organisations that wish to challenge specific apps or users can gain the benefits of the risk engine as a monitoring tool for user and device behaviour.


Please consult the full list of Cloud Service Events here:

If you are a lucky customer that uses the RSA Netwitness Platform as your SIEM, consult the official documentation on how to connect it to the Cloud: 


If you have another SIEM platform, also consult the following document on how to pull Cloud Service Events into your SIEM via the Cloud Event API:


Cloud Administration Events

It is recommended that all administrative activity relating to SecurID Cloud Authentication Service be examined as this represents changes to a system that may have broad reaching consequences. A list of activities that should be monitored is presented in the following table.


| Activity | Suggested Action |
|---|---|
| Admin {0} sign-in failed | Repeated failures should be alerted upon |
| System locked admin {0} account | |
| System unlocked admin {0} account | |
| Admin {0} deleted access policy {1} | |
| Admin {0} deleted identity router {1} | |
| Admin {0} reset the identity router {1} password | |
| Admin {0} deleted cluster {1} | |
| Admin {0} deleted trusted location {1} | |
| Admin {0} deleted all trusted locations | |
| Admin {0} deleted trusted network {1} | |
| Admin {0} deleted all trusted networks | |
| Admin {0} deleted admin user {1} | |
| Admin {0} deleted application {1} | |
| Admin {0} deleted relying party {1} | |





Cloud System Events


System events trigger the following messages to appear in the System Event Monitor.


| Category | Event | Suggested Action |
|---|---|---|
| Identity Source Sync | Identity source synchronization not completed successfully. | |
| Identity Source Sync | Users are missing one or more unique identifiers. Check the user attribute configurations in both the cloud identity source and the directory server. | |
| Identity Router | Identity router cannot initiate contact with the Authentication Manager server. | |
| Identity Router | Identity router cannot connect to Authentication Manager - Unknown error. | |
| Identity Router | The identity router cannot connect to any configured identity sources. | |
| Identity Router | The identity router cannot connect to some configured identity sources. | |
| Identity Router | Some of the configured DNS servers are not working properly. | |
| Identity Router | None of the configured DNS servers are working properly. | |
| Identity Router | Identity router CPU usage exceeds the threshold limit. | |
| Identity Router | Cluster is offline and not in quorum. No configured identity routers are online. | |
| Identity Router | Identity router memory usage exceeds the threshold limit. | |




Cloud User Events


| Event | Suggested Action |
|---|---|
| Authenticate Tokencode authentication failed - Invalid tokencode. | Alert on repeated attempts |
| Authenticate Tokencode authentication failed - Previously used tokencode detected. | Alert on repeated attempts |
| Identity router API tokencode authentication failed - Cloud Authentication Service unreachable. | Alert – IDR unable to reach cloud |
| Identity router API user status check - Identity source unreachable. | Alert – LDAP unavailable |
| LDAP password authentication failed - Cannot establish a trusted SSL/TLS connection with the LDAP directory server. Check for invalid certificate. | Alert – LDAP unavailable |
| LDAP password authentication failed - Sign-in failure: unknown username or invalid password. | Repeated failures should be alerted upon |
| LDAP password authentication failed - LDAP account locked out. | Alert – user locked out |
| Just-in-time synchronization failed to synchronize user with the Cloud Authentication Service - Unable to contact identity router. | Alert – IDR unavailable from Cloud |
| Just-in-time synchronization failed to synchronize user with the Cloud Authentication Service - Unable to contact directory server. | Alert – LDAP unavailable for sync |
| RSA SecurID user authentication failed - RSA SecurID service is not available. | Repeated failures - alert – Cloud service down? |
| Portal sign-in failed - Password reset required. | Alert – Possibly to alert helpdesk |
| Protected application authentication failed. | Repeated failures should be alerted upon |
| Additional authentication failed. | Repeated failures should be alerted upon |
| Additional authentication failed - User account disabled. | Alert – Possibly to alert helpdesk |
| Password authentication succeeded - Client does not support required additional authentication methods - Access denied. | Alert – Possibly to alert helpdesk |
| Unsuccessful password authentication – Access denied. | Repeated failures should be alerted upon |
| Password authentication succeeded - User prohibited by policy settings - Access denied. | Repeated failures should be alerted upon |
| Password authentication succeeded - Access prohibited by conditional policy settings - Access denied. | Repeated failures should be alerted upon |
| RSA MFA Agent for Microsoft Windows configuration not approved. | Alert – Possibly to alert helpdesk |
| RSA MFA Agent for Microsoft Windows unsuccessful configuration. | Alert – Possibly to alert helpdesk |
| SAML IdP - Error response sent. | If Authentication Details includes "Message was rejected due to issue instant expiration" or "Message was rejected because was issued in the future," then there might be a time-synchronization issue between the service provider and the Cloud Authentication Service. If you see this message during an additional authentication flow for an SSO Agent application, check the time on the identity router. |
| RADIUS - LDAP authentication succeeded - Policy contains no RADIUS-compatible methods for additional authentication - Access denied. | |
| RADIUS - Cloud Authentication Service unreachable - Access denied. | Repeated failures - alert – Cloud service down? |
| RADIUS – Authentication failed. | Repeated failures should be alerted upon |
| Access denied – User not a member of any identity source in access policy. | Repeated failures should be alerted upon |
| Access denied – User does not match any rule sets or matches a deny rule set in access policy. | Repeated failures should be alerted upon |
| Access denied – Policy authentication conditions deny access. | Repeated failures should be alerted upon |
| SMS Tokencode message transmission attempt failed - Invalid phone number. | Alert – Possibly to alert helpdesk |
| Voice Tokencode call attempt failed - Invalid phone number. | Alert – Possibly to alert helpdesk |
| SMS Tokencode authentication method locked – User exceeded maximum tokencodes allowed. | Alert – Possibly to alert helpdesk |
| Voice Tokencode authentication method locked - User exceeded maximum tokencodes allowed. | Alert – Possibly to alert helpdesk |
| Evaluated identity confidence. See Condition Attributes for Access Policies - Reporting a User's Identity Confidence Score for details. | SEE BELOW. When the “Confidence” attribute is greater than the “Confidence Threshold” the risk is low, therefore do nothing. When the “Confidence” attribute is lower than the “Confidence Threshold” the risk is high and therefore alert. |
| Emergency Tokencode locked - User previously exceeded maximum attempts. | Alert – Possibly to alert helpdesk |
| Emergency Tokencode now locked. | Alert – Possibly to alert helpdesk |


Evaluated Identity Confidence Event (Risk Engine)


As you can see from the log sample below, the parser must be configured to conditionally evaluate the value of the confidence attribute against the confidenceThreshold value. If confidence is lower than confidenceThreshold, the risk is considered high, and an alert containing the named user identifier should be generated.
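One way to implement the conditional check described above, together with the "repeated failures" and helpdesk actions from the event table, as an added example rather than RSA's own parser. The JSON field names, the sample events and the 3-in-10-minutes repeat threshold are constructed assumptions; only the message texts and the confidence/confidenceThreshold comparison come from this page.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line. The field names (ts, user, msg,
# confidence, confidenceThreshold) are assumptions; map them to your real log schema.
SAMPLE_EVENTS = """
{"ts":"2020-06-01T09:00:00","user":"alice","msg":"Evaluated identity confidence.","confidence":0.82,"confidenceThreshold":0.35}
{"ts":"2020-06-01T09:01:00","user":"bob","msg":"Evaluated identity confidence.","confidence":0.12,"confidenceThreshold":0.35}
{"ts":"2020-06-01T09:02:00","user":"carol","msg":"RADIUS – Authentication failed."}
{"ts":"2020-06-01T09:03:00","user":"carol","msg":"RADIUS – Authentication failed."}
{"ts":"2020-06-01T09:04:00","user":"carol","msg":"RADIUS – Authentication failed."}
{"ts":"2020-06-01T09:05:00","user":"dave","msg":"RADIUS – Authentication failed."}
{"ts":"2020-06-01T09:45:00","user":"dave","msg":"RADIUS – Authentication failed."}
{"ts":"2020-06-01T09:46:00","user":"erin","msg":"Emergency Tokencode now locked."}
{"ts":"2020-06-01T09:47:00","user":"frank","msg":"Evaluated identity confidence.","confidence":"n/a"}
this line is not JSON
"""

# Messages the table marks "Repeated failures should be alerted upon".
REPEATED_FAILURE = {
    "RADIUS - Cloud Authentication Service unreachable - Access denied.",
    "RADIUS - Authentication failed.",
    "Access denied - User not a member of any identity source in access policy.",
    "Access denied - User does not match any rule sets or matches a deny rule set in access policy.",
    "Access denied - Policy authentication conditions deny access.",
}
# Messages the table marks for a helpdesk alert.
HELPDESK = {
    "SMS Tokencode message transmission attempt failed - Invalid phone number.",
    "Voice Tokencode call attempt failed - Invalid phone number.",
    "SMS Tokencode authentication method locked - User exceeded maximum tokencodes allowed.",
    "Voice Tokencode authentication method locked - User exceeded maximum tokencodes allowed.",
    "Emergency Tokencode locked - User previously exceeded maximum attempts.",
    "Emergency Tokencode now locked.",
}
REPEAT_LIMIT = 3                       # assumed threshold, tune per environment
REPEAT_WINDOW = timedelta(minutes=10)  # assumed sliding window


def normalize(msg):
    """Fold the en dash some messages use into a hyphen and collapse whitespace."""
    return " ".join(str(msg).replace("\u2013", "-").split())


def evaluate(lines, limit=REPEAT_LIMIT, window=REPEAT_WINDOW):
    """Return (kind, user, detail) alerts for events supplied in time order."""
    alerts = []
    recent = defaultdict(deque)        # (user, message) -> timestamps inside the window
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
            ts = datetime.fromisoformat(ev["ts"])
            user, msg = ev["user"], normalize(ev["msg"])
        except (ValueError, KeyError, TypeError):
            alerts.append(("unparsed", None, raw[:60]))   # never drop bad input silently
            continue
        if msg.startswith("Evaluated identity confidence"):
            conf, thr = ev.get("confidence"), ev.get("confidenceThreshold")
            if not all(isinstance(v, (int, float)) for v in (conf, thr)):
                alerts.append(("malformed_confidence", user, raw[:60]))
            elif conf < thr:           # equal values are treated as low risk (assumption)
                alerts.append(("high_risk", user, f"confidence {conf} < threshold {thr}"))
        elif msg in HELPDESK:
            alerts.append(("helpdesk", user, msg))
        elif msg in REPEATED_FAILURE:
            seen = recent[(user, msg)]
            seen.append(ts)
            while ts - seen[0] > window:
                seen.popleft()
            if len(seen) >= limit:
                alerts.append(("repeated_failure", user, f"{len(seen)}x {msg}"))
                seen.clear()           # start counting again after alerting
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Events with a missing or non-numeric confidence value raise their own alert instead of being skipped, so a schema change cannot silently disable the high-risk rule.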



 Identity Router Events

Please consult the full list of events emanating from the Identity Router here:


User Audit Events


Suggested Action

User Audit Events contain no security or health events



Web Services Audit Events


Suggested Action

Web Service Audit Events contain no security or health events



System Audit Events


Suggested Action


An error occurred on the identity router.



The identity router rebooted.




IDR Status Events


Suggested Action

RSA recommends that all IDR system health events be monitored.

Consult the full list of events here, under the “Identity Router Status Events” table:



RADIUS Audit Events


Suggested Action


A user attempted RADIUS authentication, but RADIUS or the user's device does not support any of the authentication methods allowed by the access policy.

Alert – triage to IT or helpdesk


A user attempted RADIUS authentication using a method that requires a mobile device, but no device is registered for the user.

Alert – possibly helpdesk


The RADIUS service encountered an error.




The RSA SecurID Access team is excited to provide the following updates as part of the May, 2020 release.  


Emergency Access now available for FIDO protected resources 

Emergency access greatly enhances productivity by unblocking access to business critical resources when a user may have lost, misplaced or forgotten their authentication device.  Emergency access codes may be used for a fixed period of time as determined by the issuing help desk administrator.

Many organizations are providing a passwordless experience to their users to access SaaS/Web applications using FIDO2 as a primary authentication method.  In the May release, users who use FIDO2 for primary authentication and lose or misplace their security key can obtain an Emergency Access Code (EAC) as an authenticator to gain access to their critical resources protected by FIDO with no loss in productivity.  They can also log on to the RSA My Page Self Service Portal with their EAC to begin the process of enrolling a replacement FIDO Security Key.


Improved Security for Administrators Who Require Resetting Their Password

The password reset process for all administrators has been made more secure.  For existing administrators, to securely reset any Cloud Administration Console password, the password reset must be completed within two hours of requesting the password reset link. 


See the May Release Notes, which provide complete details on these new capabilities and other miscellaneous updates coming out in the May 2020 release. 

As we all are going through some level of adaptation to the new normal the one thing that hasn’t changed is our continued commitment in rolling out capabilities to our RSA SecurID Access customers. We are excited to provide the following updates as part of the April 2020 release.  


Threat Aware Authentication (TAA) v2 - Improved flexibility to support different customer deployments

Our TAA v1 release (last year) supported limited deployment scenarios. The risky users were identified and exchanged based on email addresses. Customers wanted to have more flexibility in identifying and sharing of the user list.  We saw this customer enthusiasm and commitment in making TAA capability better.  


We have updated TAA (v2) to provide that flexibility in identifying risky users between RSA NetWitness and RSA SecurID Access. Now the identities within the risky user list can be in any prior agreed upon format between the two products.


RSA SecurID Access can identify the users using Primary Username or an Alternate. These attributes can be mapped to any underlying LDAP/AD attribute (e.g. samAccountName, userPrincipalName, UID etc.). RSA NetWitness administrators can now configure which piece of meta-data they want to use to build and exchange the risky user list.


Extend the use of conditional access policy attributes to Enterprise Edition licensed customers

Many of our customers are already using the policy engine to make smart access decisions in protecting a variety of applications. We want to enable more customers to use our policy engine, the true power behind implementing security controls based on your organizational policies. The conditional access attributes used in defining policies help in harnessing the power of that policy engine.


We are thrilled to announce that our Enterprise Edition licensed customers can start using those conditional access attributes NOW!  Those customers can enable policies to provide user access based on dynamic context driven attributes such as countries, trusted locations, trusted networks.  


Our premium edition customers are already unleashing the power of these conditional access policy attributes in their access decisions. 


Our goal is to enable everyone to make access decisions smarter!!


Enabling our customers to address their privacy concerns

Ability to turn off location collection

Some customers promote preserving user privacy as part of their organizational policy or to comply with regulations. We understand such policies and would like to support our customers in their privacy initiatives.  One such privacy-related topic is the collection of user location.


Beginning with the April release, we are giving customer administrators the ability to fully control data collection for location. Enabling or disabling location collection is now within the power of customer administrators through the administration console. Those administrators can choose to turn off location collection for specific policy attributes such as trusted locations, country and Identity Confidence.


Providing visibility into device capabilities used in mobile apps

Some customers would like to have better visibility into how their end-user mobile device capabilities (e.g. camera, Wi-Fi connections) are being used by RSA SecurID Software token and RSA SecurID Access Authenticate App. In the April release we have provided our customers with documentation highlighting details on:

  1. The type of permissions required from those mobile devices
  2. Why we need those permissions and whether each is mandatory or optional


The primary goal is to educate our customers and their end-users with the right level of information so that any fear, uncertainty and doubt can be addressed when using the mobile apps.


We continue to churn out cool new capabilities every month. The April release notes provide complete details on other miscellaneous updates coming out in the April 2020 release. 

As depicted in the 2019 movie Ford v Ferrari, the sports car race 24 Hours of Le Mans is an endurance race that tests the durability of equipment and the will and stamina of participants. For many corporate IT teams, dealing with the sudden, almost overnight transition to an all remote workforce has been an endurance race with similar tests.


And in the frenzy of needing to rapidly ramp up remote access to an entire organization and the rush to get authenticators into people’s hands to win the initial leg of the race, the obvious fact that there will be downstream impacts to the stability and performance of your authentication system can easily be overlooked. After all, RSA Authentication Manager is a workhorse that often masks smaller upticks without a hitch.


However, as your remote user population explodes, peak authentication rates go through the roof, and associated administrative activities (exacerbated by “newbies” to multifactor authentication) ascend to all-time highs, it is possible for performance slowdowns -- and blinding panic -- to set in.


Your RSA SecurID solution, normally a rock of IT stability, is going sideways...  “The RSA is broken”...  What is happening?!?!?


Don't worry. Everything is going to be alright after making the necessary adjustments.


It is important that you take a systematic approach to reviewing your RSA environment and evaluating key areas for “redlining” conditions that ultimately result in a poor user experience of one sort or another. These key areas include both underlying system resources as well as RSA configuration parameters.


Extensive RSA performance tuning guidance is available through documents posted under the “Optimize & Tune” section of the new RSA Remote Workforce Resource Center.


Over its 30+ year history, RSA SecurID Access has established itself as a proven winner, capable of standing up to the biggest challenges...  even while running at high RPMs.

With governments worldwide implementing various travel restrictions and guidelines for their citizens lately, organizations and their employees are learning to live with the New Normal: essential businesses, social distancing, remote learning, and work from home.


Organizations today are also learning to deal with the realities of operating in this new environment.


The Home Office is now The Office for employees

The Internet is now The Corporate Network for admins

The New Normal is now Business As Usual for Lines Of Businesses (LOBs)


LOBs have highlighted an urgent need for employees to conveniently and securely access critical resources from The Home Office, over The Internet, during The New Normal; as they develop business resiliency while simultaneously enabling a large remote workforce. In some cases, employees may require accessing these work resources from just about any machine that is made available to them at any given point in time.


Let us take a look at what is new with RSA SecurID Access in 2020 that organizations can use to achieve these goals. 


FIDO Authentication


Enterprise interest in FIDO as a secure and convenient authentication method for employees to utilize anywhere on any machine is increasingly growing; recognizing that it can provide a means to achieve this goal with devices that are portable and easy-to-use. As organizations begin incorporating FIDO as part of their Identity and Access Management (IAM) strategy, they turn to us as their premier Identity and Access Management (IAM) solution provider to offer not just any FIDO authentication solution, but an Enterprise Grade FIDO authentication solution. Below are some examples of how we do it better:


  • Certification of the RSA SecurID Access Cloud Authentication Service (CAS) as a FIDO2 Certified Server - January 2020
  • Verification of the integrity and authenticity of FIDO-certified security keys listed with the FIDO Alliance Metadata Service (MDS) - January 2020
  • Support for Windows Hello enabled devices and compatible Android phones as FIDO authenticators - February 2020
  • The release of the YubiKey for RSA SecurID Access - a hardware based FIDO authentication solution that provides superior defense against phishing, eliminates account takeovers, and reduces IT costs - March 2020
  • The release of RSA Security Key Utility, a Windows utility that can be deployed on users' Windows machines to manage user verification for any FIDO2-certified security key - March 2020



RSA SecurID Authenticate Mobile App


Aside from the FIDO enhancements above, we have also continued to strengthen the security of our RSA SecurID Authenticate mobile app. With our app being installed on employee-owned Bring-Your-Own-Devices (BYOD), IT admins are always concerned with the security and integrity of the underlying devices used to run the Authenticate app. With this in mind, some enhancements have been made to the Authenticate app to alleviate these concerns. These enhancements include:


  • Jailbreak Detection for the RSA SecurID Authenticate 3.2 for iOS - January 2020
  • Enhanced compliance checks for the RSA SecurID Authenticate 3.3 for Android. This ensures that the device is not rooted before allowing use of the app - March 2020


Our customers have relied on the RSA Authentication Manager (AM) server to reliably protect their mission critical infrastructure with RSA SecurID Tokens for many years. One notable enhancement made as part of Patch 9 in January 2020 is to allow users to authenticate to applications using biometrics available on their devices, such as Apple Touch ID or Face ID, Android fingerprint, or Windows Hello. This feature is available if customers use the Security Console wizard to connect the AM to CAS. For instructions, see Connect RSA Authentication Manager to the Cloud Authentication Service.  


Easier Setup and Management


To make it easy for our CAS admins to setup and manage users, the following enhancements have been implemented:





Lastly, as a reminder to our customers using CAS, the IP addresses for CAS and the Cloud Administration Console will be changing soon. We recommend that customers make any necessary firewall changes to allow identity routers and user browsers to connect to these new IP addresses. To prevent service disruption, customers' network must be able to connect to both the existing and new IP addresses according to the table below:


Region    New IP Addresses






As organizations continue adapting to the needs of a dynamic and growing remote workforce, they expect vendors to offer solutions that can keep up with them. We hope our customers will take advantage of enhancements announced above to provide employees with a convenient and secure way to access critical resources from The Home Office, over The Internet, during The New Normal with an Enterprise Grade IAM solution.  

Regardless of where you live or which generation you belong to, there’s no denying the fact that the way in which we all work and interact has become more automated, more digital and more mobile, and digital transformation is only hastening this trend. Gone are the days of one-size-fits-all work spaces.

Part of businesses' digital transformation initiatives is to empower their dynamic workforce to work remotely from anywhere.  Not only does this allow flexibility for the workforce, but it also increases productivity for the business.  Additionally, empowering the dynamic workforce to work remotely allows the business to mitigate any challenges that would prevent the workforce from physically coming into a facility.


Given a number of circumstances, employees are expressing increased interest in working from home. Organizations must therefore find a way to securely extend the convenience of working remotely.


For over three decades, RSA SecurID® Access has been doing just that.  RSA SecurID Access enables businesses to empower employees, part-time workers, partners and contractors to work remotely without compromising security or convenience. Embracing the security challenges of today, bring your own device, and mobile, RSA SecurID Access ensures that users have timely access to the applications they need, from any device, anywhere, and ensures that users are who they say they are, with a modern, convenient user experience. 


The Business Continuity option (BCO) with RSA SecurID Access allows businesses to continue to move forward and operate in challenging times.  The Business Continuity option provides a flexible method to expand the number of users in an organization without expanding their multi-factor authentication budget.  It offers peace of mind to businesses that are looking to temporarily increase their usage of RSA SecurID Access to accommodate the rapid increase of users working remotely.   There is no physical shipping of licenses or authenticators.  Authentication services including one-time-password (OTP) and short message service (SMS) come standard with the Business Continuity option.  With BCO, businesses can be assured that their employees are able to work remotely and do so securely. 


RSA is in the business of offering peace of mind with its security solutions to help businesses move forward.  As we know it, life happens, and RSA is here to support our customers through it. 


To learn more about the Business Continuity option with RSA SecurID Access, review the attached datasheet and contact RSA at 800-995-5095 or by contacting RSA Customer Support.

A Qualys security scan of RSA Authentication Manager version 8.x servers will find several issues with the RADIUS ports 1812 & 1813 TCP/UDP, including the following:

 - QID 11827 - RADIUS Port 1812 TCP/UDP HTTP Security Header Not Detected (HSTS)

 - QID 86763 - RADIUS Port 1812 - "WWW-Authenticate: Basic realm=" header field response using Readable Clear Text

 - QID 86476 - RADIUS Port 1813 - Unable to complete testing since the Web server stopped responding.

 - CWE-693: - Protection Mechanism Failure (



The fact that you get a response back from is of no value to a hacker because nothing else can be done, there is no method to even authenticate against this port.  The response on https is a 401, forbidden.


RSA Engineering Response: The flaw exists but is not exploitable (in a properly configured AM system environment). Port 1812/tcp is not accessed by users or administrators, nor do they have the credentials. It is used internally for RADIUS administration and replication between Authentication Manager servers.


You can demonstrate that this is not exploitable with a browser.  Test connections to the RSA Authentication Manager 8.x primary/replica(s) on both 1812 and 1813, with both http and https using a browser, in order to demonstrate no new risks. Newer browser versions or those with strict security settings might prevent these connections, so you may need to find an older version of a browser to run these tests, or possibly modify your browser security settings to allow these old connections.

    URL: http://:1812

    Result: Console Not Supported


    URL: http://:1813



    URL: https://:1812

    Result: 401 forbidden


    URL: https://:1813

    Result: Prompts for Sign In RADIUS credentials



Optionally you can obtain RADIUS administrative account credentials from the encrypted Authentication Manager internal database using the rsautil command with Operations Console Credentials. To obtain the RADIUS username and password, follow the steps below:

 1. Launch an SSH client, such as PuTTY.

 2. Login to the primary Authentication Manager server as rsaadmin and enter the operating system password.

Note that during Quick Setup another user name may have been selected. Use that user name to login.

login as: rsaadmin

Using keyboard-interactive authentication.


Last login: Wed Jul 24 14:09:47 2019 from jumphost.vcloud.local

RSA Authentication Manager Installation Directory: /opt/rsa/am

rsaadmin@am82p:~> cd /opt/rsa/am/utils

rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.radius.os.admin.username

Please enter OC Administrator username:

Please enter OC Administrator password:

    com.rsa.radius.os.admin.username: Radius_user_nsuo8rll

rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.radius.os.admin.password

Please enter OC Administrator username:

Please enter OC Administrator password:

    com.rsa.radius.os.admin.password: qnWD0fvC0ASuYxYxHqLNJIggOz5enZ


Once you have the RADIUS_user name and com.rsa.radius.os.admin.password, paste them into the text boxes, as shown:


Then you can successfully authenticate to the RADIUS console and further demonstrate that no new risks are evident. Even with these credentials, you gain access to a list of RADIUS commands but cannot see anything 'new'.


When trying to access any of the commands listed, you will get a variation of one of the following messages: not permitted, no style sheet for already known information like the RSA Username, or output from the local PC to a .nada file.

not allowed

No style sheet


Output from the local PC to a .nada file


RADIUS TCP port 1813 - The communication to these ports is internal. The Authentication Manager servers will connect to these ports for administration, and other SBR servers will connect for replication. There is also a connection for the initial replication during quick-setup. There are no other systems or users which should connect to these ports and they can be blocked by firewalls. Port 1813/TCP (as well as port 1812/TCP) should never be exposed to a public facing network.

CVE-2013-2566 - The flaw exists but is not exploitable. To exploit this issue, tens of millions of packets must be captured (where all packets have the same plaintext, sensitive data in the same location). The traffic on these ports (for administration and replication) is relatively infrequent, often requiring admin intervention to start the connection and transfer. If there is more data, then more packets will be transferred with the manual operation, but the data in the packets will vary, making the exploit impossible. The problem was identified with the RSA RADIUS server's port 1813/TCP. This is an internal port for RSA RADIUS and is NOT the standard RADIUS port 1813/UDP which is used for RADIUS accounting. Also note that Juniper and RSA document that these internal ports (port 1813/TCP as well as port 1812/TCP) should never be exposed to a public facing network.

CVE-2015-2808 - RC4 algorithm vulnerability, in RSA Authentication Manager 8.1: Not Exploitable. The flaw exists but is not exploitable. If a browser which requires the RC4 cipher is used for connection to the authentication manager consoles, then authentication manager is currently capable of negotiating the connection with RC4. However, the vulnerability cannot be exploited because its impact is greatest in the first bytes encrypted with RC4 and diminishes, with the vulnerability disappearing after 100 encrypted bytes, if not sooner. The data passed between browsers and the authentication manager does not include any sensitive data in the first 100 bytes of RC4 encrypted data.

CVE-2016-2183 - Sweet32, “There is only a vulnerability if customers connect to this port. If they do not connect then an attacker cannot act as a man-in-the-middle to "poodle" the connection. Https://:1813 does not allow real access


RSA SecurID Access supports using FIDO-certified security keys as an authentication option. RSA SecurID Access supports FIDO2 and U2F compliant security keys.


RSA SecurID Access supports security keys for both primary (the passwordless user experience) and additional authentication (additional or step-up authentication). FIDO2 security keys can be used for primary authentication and additional authentication. U2F security keys can be used for additional authentication. Primary authentication is only supported for service providers (SAML applications). See FIDO Token.


Perform these steps to start using security keys with RSA SecurID Access. These steps assume that you have an existing RSA SecurID Access Cloud Authentication Service deployment.


  1. Set up FIDO Token as an authentication method on the Cloud Administration Console. 
    1. Confirm that FIDO Token is in the assurance level that you want. See Configure Assurance Levels.
    2. Confirm that you have an access policy that uses that assurance level. See Add an Access Policy.
    3. Determine if you want to use FIDO Token for primary authentication or additional authentication, or both. If you want to use FIDO for primary authentication, add a service provider and specify FIDO as the primary authentication method. See Add a Service Provider.
    4. Update the My Page settings, so that FIDO Token registration is required through My Page. See Manage RSA SecurID Access My Page.
    5. Review the system requirements for FIDO Token. See FIDO Token Requirements.
  2. Register your security key in My Page. If FIDO registration is not enabled through My Page, FIDO Token can be registered during additional authentication using the in-line registration process. See different ways you can Restrict Access to My Page.
  3. Authenticate to your service provider to see it work. See Passwordless experience using FIDO2 Token for more details and demo.
  4. Confirm your test authentication in the User Event Monitor. See Monitor User Events in the Cloud Administration Console.

Passwords suck

No one likes passwords, and they are the weakest link in the security chain. End users have way too many passwords to manage, and they are impossible to remember, especially when you are required to change them every few weeks. 80% of breaches still involve compromised and weak credentials¹. Passwords are expensive for administrators and the help desk, as difficult passwords get forgotten frequently and result in higher administrative and help desk costs. In 2018, security breaches cost companies an average of $3.86 million per breach². For CISOs, they are the leading cause of breach-related nightmares. End users and administrators can easily fall into the trap of phishing attacks, resulting in access to systems or database breaches and exposing critical customer and organizational information to adversaries.


Passwordless is not new to RSA

Do you know that RSA has been providing a passwordless experience to our customers? Yes, for the last 35 years our customers have been using RSA SecurID Tokens for securing their VPN, firewall, Unix servers and much more without requiring passwords -- a passwordless experience. Building on this, end users can now also use FIDO2 authenticators for a passwordless authentication experience when accessing Web/SaaS applications (acting as SAML Service Provider) and using RSA Cloud Authentication Service as Identity Provider (IdP).


FIDO as a strong authentication method

For starters, the FIDO protocol, from the FIDO Alliance, uses standard asymmetric cryptographic techniques to provide stronger authentication, which offers a much more phishing-resistant alternative to passwords. During the FIDO device registration process, a user’s device creates a public/private key pair and registers its public key with the online FIDO service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge sent by the service. In FIDO2, the client’s private key can be used only after the user unlocks the FIDO device using a secure action such as a PIN or biometrics. Many of the hardware FIDO2 authenticator vendors offer tokens that can be set up to use a PIN or that have a built-in fingerprint reader on the device to secure the private key. Many of the software FIDO2 authenticators built into platforms (e.g. Google’s Android 7+ mobile platform or Microsoft Windows 10 1903 patch) can also secure the token using Face ID (or other methods) for user verification, if supported by the device they are running on.


If you are wondering how FIDO2 is considered a strong authenticator and a better phishing-resistant alternative, the reason is that it supports MFA by providing two of the three authentication factors required to meet NIST 800-63-3 AAL2 security requirements: Know something (PIN) OR Are something (Biometrics) AND Have something (asymmetric cryptography based FIDO2 Token).


FIDO Token enrollment and self-service at scale

While the FIDO2 protocol requires user verification and uses asymmetric cryptography for strong authentication, it does not say much about life cycle management of the FIDO token itself from the end user’s point of view and leaves it to the security vendors offering FIDO2 as an authentication service. RSA strongly believes that using FIDO at scale within the enterprise requires far more than just adopting a new authentication protocol. Managing the entire lifecycle of FIDO tokens at scale plays an important role in the success of its adoption within an enterprise. As an example, it requires making the enrollment process of these devices convenient by offering secure self-service capabilities at scale and also supporting device replacement in case the current device is lost. These are some of the key FIDO token life cycle management aspects which cannot be ignored and need to be taken care of at scale within an enterprise.


RSA SecurID Access and FIDO Support

RSA is a board member of the FIDO Alliance and has been driving the enterprise security workstream. RSA SecurID Access has been supporting FIDO devices for many years as an additional authentication method, and now we are extending that support to use FIDO2 authenticators as a primary authentication (2FA/MFA) method replacing password to access SaaS or Web Applications (service providers).


 As part of RSA SecurID Access, both FIDO and FIDO2 devices can be managed using the enterprise grade RSA self-service portal My Page. In case users lose their FIDO devices, they can go to My Page and delete the existing device and register a new FIDO device. If these FIDO authenticators are used as step-up authentication, they can also be registered in-line during step-up authentication flow itself.

Let us discuss below the end-user experience of using FIDO2 Token to securely access SaaS/Web applications followed by administrative workflow of managing the FIDO2 authenticator using RSA SecurID Access.


End-User experience using FIDO2 Token

Enterprises are looking to provide a frictionless user experience to their modern workforce, who need to access business applications from anywhere and at any time. With passwords being prone to phishing attacks and hard to manage, customers can now offer FIDO2 Tokens to their end users to gain access to business-critical applications. Users accessing SaaS business applications (like Salesforce) can now use a FIDO2 Token to securely authenticate and get access to these applications without requiring a password.


Click on this demo to see how RSA SecurID Access allows a user (a sales person in this example) to use FIDO2 Token to authenticate their identity and get access to their Salesforce account after validation.


Demo 1: Passwordless Authentication using FIDO2 Token


Understand the steps involved in authenticating using FIDO2 Token

Let us briefly talk about the authentication flow using FIDO2 Token shown in the demo. In this use case, the administrator has configured a service provider (e.g. Salesforce) to require FIDO2 Token for passwordless authentication, and the end user already has a registered FIDO2 Token to use.



  1. User tries to access Salesforce (SP) and chooses RSA SecurID Access as an Identity Provider (IdP) to authenticate. User is redirected to IdP (CAS). SP and IdP are communicating over SAML.
  2. User enters their email address and CAS checks the access policy for this user and finds that FIDO2 Token is required as primary authentication method.
  3. CAS challenges the user to authenticate using FIDO2 Token. User presents FIDO2 Token to authenticate and uses PIN or Biometric for user verification. Note that this is a passwordless authentication flow.
  4. CAS (FIDO Servers) authenticates the user and communicates to SP using SAML about the successful auth.
  5. SP (Salesforce) allows user to access their account after successful authentication.
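The registration and challenge-signing exchange described under "FIDO as a strong authentication method" and in steps 3 and 4 above, as an added example that is not RSA's code. It is a simplified model of a WebAuthn assertion using ECDSA P-256 from the third-party Python `cryptography` package; the class names, the constructed hosts idp.example.com and idp.example.net, the PIN values, and the omission of the SAML leg and the signature counter are assumptions of the example.

```python
import hashlib
import json
import os
from base64 import urlsafe_b64encode
from urllib.parse import urlparse

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

UP, UV = 0x01, 0x04                # authenticator flag bits: user present, user verified
ES256 = ec.ECDSA(hashes.SHA256())  # ECDSA over P-256 with SHA-256


def b64(data):
    return urlsafe_b64encode(data).rstrip(b"=").decode()


def sha256(data):
    return hashlib.sha256(data).digest()


class Authenticator:
    """The security key: private keys never leave it and each is scoped to one RP ID."""

    def __init__(self, pin):
        self._pin, self._keys = pin, {}

    def register(self, rp_id):
        self._keys[rp_id] = ec.generate_private_key(ec.SECP256R1())
        return self._keys[rp_id].public_key()   # only the public key is handed out

    def sign(self, rp_id, client_data, pin):
        if pin != self._pin:            # user verification unlocks the private key
            raise PermissionError("user verification failed")
        key = self._keys[rp_id]         # KeyError when no credential exists for this RP ID
        auth_data = sha256(rp_id.encode()) + bytes([UP | UV])
        return auth_data, key.sign(auth_data + sha256(client_data), ES256)


def browser_get_assertion(origin, challenge, key, pin, rp_id=None):
    """The browser, not the web page, writes the origin it is on into clientData."""
    fields = {"type": "webauthn.get", "challenge": b64(challenge), "origin": origin}
    client_data = json.dumps(fields).encode()
    auth_data, sig = key.sign(rp_id or urlparse(origin).hostname, client_data, pin)
    return client_data, auth_data, sig


class RelyingParty:
    """The online FIDO service, the role CAS plays in the flow above."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.public_keys = {}           # user -> public key stored at registration
        self.pending = {}               # user -> outstanding challenge

    def new_challenge(self, user):
        self.pending[user] = os.urandom(32)
        return self.pending[user]

    def verify(self, user, client_data, auth_data, signature):
        challenge = self.pending.pop(user, None)    # single use, so a replay fails
        if challenge is None or user not in self.public_keys or len(auth_data) < 33:
            return False
        try:
            data = json.loads(client_data)
            self.public_keys[user].verify(signature, auth_data + sha256(client_data), ES256)
        except (ValueError, InvalidSignature):
            return False
        return (isinstance(data, dict)
                and data.get("type") == "webauthn.get"
                and data.get("challenge") == b64(challenge)
                and data.get("origin") == self.origin
                and auth_data[:32] == sha256(self.rp_id.encode())
                and (auth_data[32] & UV) == UV)


def demo():
    rp = RelyingParty("idp.example.com", "https://idp.example.com")  # constructed names
    key = Authenticator(pin="2468")
    rp.public_keys["alice"] = key.register(rp.rp_id)
    lookalike = "https://idp.example.net"                # constructed look-alike origin

    def signs(origin, pin, rp_id=None):
        try:
            return browser_get_assertion(origin, rp.new_challenge("alice"), key, pin, rp_id)
        except (LookupError, PermissionError):
            return None                                  # the key refused to sign

    assertion = signs(rp.origin, "2468")
    out = {"genuine": rp.verify("alice", *assertion)}
    out["replay"] = rp.verify("alice", *assertion)       # challenge was already consumed
    out["lookalike_signed"] = signs(lookalike, "2468") is not None  # no key for that RP ID
    # Even a signature made for the right RP ID fails when the signed origin differs.
    out["wrong_origin"] = rp.verify("alice", *signs(lookalike, "2468", rp.rp_id))
    out["wrong_pin_signed"] = signs(rp.origin, "0000") is not None
    return out
```

Only the first sign-in succeeds: the service accepts a signature solely for its own origin and a fresh challenge, which is the property that makes the method resistant to phishing and replay.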


End-User experience enrolling FIDO token at scale

1. RSA SecurID Access self-service portal, My Page, to manage FIDO Token

Users can register their FIDO Tokens by using the self-service portal, My Page. This portal also allows users to manage their registered mobile devices along with FIDO tokens. Using this self-service portal, users can delete existing mobile devices or FIDO Tokens and register new ones in case they lose their current devices.


Demo 2: Registering FIDO Token using My Page



2. In-line registration of FIDO Token as part of Authentication work flow

In the case where FIDO authenticators are used for additional authentication (not the primary or first factor), new tokens can be registered during the authentication work flow itself. This is not allowed if the FIDO2 token is used for primary authentication. The user must first register it using My Page, as mentioned above.


Admin experience enabling FIDO2 Token Authentication for Service Providers

First, an administrator configures a service provider (a SaaS or web application like Salesforce) in the Cloud Administration Console and chooses the authentication option "RSA SecurID Access manages all authentication" and FIDO Token as primary authentication.



With the above steps, an administrator configures the service provider to require a FIDO Token for primary authentication, without requiring any password. As mentioned earlier, this has to be a FIDO2 Token because it supports user verification. Optionally, an admin can configure additional authentication methods for higher security, if needed. Policy-driven conditional attributes and identity assurance in RSA SecurID Access can also be added to further secure access to service providers.


Admin experience setting up self-service portal, My Page

Administrators, through the Cloud Administration Console, can control whether users are allowed to manage their mobile devices or FIDO Tokens using My Page. This is where they enable the self-service portal for users and the management of mobile devices and FIDO Tokens. Administrators can achieve a higher assurance level by creating a custom access policy using MFA so that users can securely access My Page. Optionally, conditional attributes and identity assurance can be added as part of securing My Page for FIDO Token registration.


If My Page is enabled for users to manage FIDO Tokens, in-line registration is disabled automatically.



FIDO2 is a great step forward, enabling passwordless access to business-critical resources and mitigating phishing attacks. RSA is proud to be leading this effort, helping our customers take the passwordless journey for on-prem as well as SaaS applications, and enabling secure and convenient life cycle management of FIDO Tokens.


Verizon Data Breach Investigations Report (DBIR)

2018 Cost of Data Breach Study, Ponemon Institute Research Report
