Lenore Tumey

Protecting RSA SecurID Authenticate app enrollment using a RSA My Page policy

Blog Post created by Lenore Tumey Employee on May 30, 2019

The powerful policy engine in RSA SecurID Access can be used to control access to “My Page,” just like you can control access to other protected resources/applications.  This allows you to configure additional protections beyond simple password-based authentication.  You might consider incorporating some or all of the following elements into your policy:

  • If you have an Active Directory group for users with existing RSA SecurID Tokens (hardware, software, or ODA), you could configure a ruleset to require those users to perform additional authentication to access My Page, by specifying an assurance level that includes RSA SecurID Tokens.
  • You could add a contextual rule to your ruleset that uses IP Address and/or (with Premium license) Trusted Networks, Trusted Locations, and so on.  For example, you might allow users who are logging in from your corporate network or company office locations to access My Page with just a password, while users logging in from any other locations would need to perform additional authentication to meet a specified level of assurance.
  • If you have your users’ phone numbers in Active Directory, you might want to consider adding the SMS or Voice tokencode authentication methods (licensed separately) to an Assurance Level, so users who don’t have a SecurID Token could receive an SMS or Voice tokencode and use it to access My Page and/or other resources, as appropriate.

For example, here is how you might use some of these suggestions to protect access to My Page:


First, configure your assurance levels. Note that “SecurID Token” is part of the medium assurance level. That will be important in the next step when you configure your policy.

Now create your “My Page” policy. In this case you will create a ruleset for the subset of users that belong to an Active Directory group named “SecurIDUsers”.

Then select the settings shown below. These settings will allow these users to use their SecurID tokens to securely access My Page, where they may then enroll the RSA SecurID Authenticate application.

New users that do not have a SecurID token also need secure access to My Page. You could allow access to My Page with just a password for new users who are in a trusted location such as your corporate office, or who are logged into a trusted network, such as on your corporate network. You could also allow new users who are not in a trusted location and not in a trusted network to authenticate with SMS or Voice tokencode since they do not have a SecurID token.


To accomplish this, create an additional ruleset that includes a conditional rule that allows password access to users in a trusted location or using a trusted network and that requires additional authentication for those users who do not meet one of those conditions. In this case you’ll assign a low assurance level to the rule to allow these users to authenticate with SMS or Voice tokencode.


When you’ve finished creating your new policy, go to Platform > My Page, select the policy you created, click Save, and then Publish changes before testing to ensure your configuration achieves your goals.
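To check that the two rulesets above produce the intended outcome for each kind of user before you publish, it helps to write the decision logic down explicitly. The following is an added model of that policy for this post, not RSA SecurID Access code or its API: the group name and assurance-level names come from the post, while the trusted network range and office location are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Authentication methods the post assigns to each assurance level.
METHODS = {
    "password": {"Password"},
    "low": {"SMS Tokencode", "Voice Tokencode"},
    "medium": {"SecurID Token"},
}
# Constructed placeholders standing in for your Trusted Networks / Trusted Locations.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_LOCATIONS = {"HQ Office"}


@dataclass
class AccessContext:
    """What the policy engine knows about a My Page access attempt."""
    user: str
    groups: Set[str]
    source_ip: str
    location: Optional[str] = None


def in_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate_my_page_policy(ctx: AccessContext) -> dict:
    """Return the assurance level My Page requires and the methods that satisfy it.

    Rulesets are evaluated in order; the first one whose user population matches wins.
    """
    # Ruleset 1: members of the SecurIDUsers group must step up with their SecurID Token
    # (the medium assurance level), regardless of where they connect from.
    if "SecurIDUsers" in ctx.groups:
        level = "medium"
    # Ruleset 2, conditional rule: new users on a trusted network or at a trusted
    # location may enroll with just their password ...
    elif in_trusted_network(ctx.source_ip) or ctx.location in TRUSTED_LOCATIONS:
        level = "password"
    # ... while new users anywhere else must meet the low assurance level
    # (SMS or Voice tokencode), since they have no SecurID Token yet.
    else:
        level = "low"
    return {"assurance": level, "step_up": level != "password", "methods": METHODS[level]}
```

Run a few contexts through it to confirm, for example, that a token holder connecting from the office is still asked for the token rather than falling through to the password-only rule.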
