
Today RSA announced it has completed an integration on Amazon Web Services (AWS) that will tie Session Tags with identity context through RSA SecurID Access.


This integration takes advantage of the benefits of Session Tags (more on this shortly) and the strengths of RSA SecurID Access, an industry-leading and award-winning multifactor authentication and identity assurance solution. RSA customers can now extend the value of key identity context that they already leverage within the product and further enhance the security of their AWS resources. Combined with the RSA SecurID Access flexible deployment (SaaS, cloud, on-premises, or hybrid), choice of authentication methods (mobile push notifications, one-time passwords, fingerprint/facial biometrics, SMS, voice recognition, FIDO and hardware and software tokens), and dynamic, risk-driven access policies – this integration simplifies intelligent identity access and assurance decisions.


For the uninitiated, Session Tags enable AWS users to categorize resources and associate them with critical business aspects, such as purpose, environment or owner. In a world of dynamic hybrid cloud environments and workload management, maintaining these connections can be complex or expose users of these systems to risk.


As noted, one of the primary parameters for categorization is owner, i.e., who is responsible for maintaining this resource. As our IT boundaries continue to break down, the ability to leverage identity as the basis of ensuring data and resource confidentiality, integrity and availability becomes a critical link in enabling secure cloud strategy.


Typically, the only information IAM or security teams have about a user when authenticating to AWS is their username. This piece of information alone is insufficient for an organization to truly understand what that user should have access to. How would a downstream system (in this case, AWS) evaluate the login event and determine whether access to an environment should be allowed? Additional user context added by RSA SecurID Access as Session Tags can help address this gap.


Beyond the user ID, the additional context (tags) that RSA SecurID Access could provide includes: displayName, emailAddress, title, organization, department, manager, and officeLocation. Given this additional context, appropriate permissions could be applied to the session. A customer can create many more of these tags using RSA SecurID Access.


All of this additional context could be passed in the form of Session Tags and then appropriate permissions applied based on a user’s department, manager, or some other attributes. This attribute-based access control (ABAC) mechanism enables intelligent decisions to be made downstream by either a human or a machine to support decisions based on business context, i.e. permissions rules in AWS IAM.
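
To make the ABAC flow above concrete, here is an added example (not RSA or AWS code) that assumes the tags reach AWS as SAML attributes named with AWS's `https://aws.amazon.com/SAML/Attributes/PrincipalTag:` prefix. The assertion fragment, its values and the function names are constructed for illustration; signature validation of the assertion is out of scope.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TAG_PREFIX = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:"

# Constructed AttributeStatement; user and attribute values are sample data.
SAMPLE_ASSERTION = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
    <saml:AttributeValue>jdoe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:department">
    <saml:AttributeValue>finance</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:title">
    <saml:AttributeValue>analyst</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

def session_tags(attribute_statement_xml):
    """Return {tag_key: value} for every PrincipalTag attribute in the statement."""
    # ElementTree is fine for this trusted sample; use a hardened parser for real input.
    root = ET.fromstring(attribute_statement_xml.strip())
    tags = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        if not name.startswith(TAG_PREFIX):
            continue  # RoleSessionName and similar attributes are not session tags
        key = name[len(TAG_PREFIX):]
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        if len(values) != 1:  # this example expects one value per tag
            raise ValueError(f"session tag {key!r} must carry exactly one value")
        if not key or len(key) > 128 or len(values[0]) > 256:
            raise ValueError(f"session tag {key!r} exceeds AWS length limits")
        tags[key] = values[0]
    if len(tags) > 50:
        raise ValueError("AWS accepts at most 50 session tags")
    return tags

def abac_allows(principal_tags, resource_tags, key="department"):
    """Mirror an IAM StringEquals condition comparing aws:ResourceTag/<key>
    with aws:PrincipalTag/<key>; a missing tag on either side denies."""
    wanted = principal_tags.get(key)
    return wanted is not None and resource_tags.get(key) == wanted
```

In IAM itself the same comparison is written as a `StringEquals` condition on `aws:ResourceTag/department` against `${aws:PrincipalTag/department}`, and the role's trust policy must allow `sts:TagSession` for the tags to be accepted.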


As part of our growing collaboration with AWS, we’re excited about this integration as another step in advancing customers’ ability to manage new digital risks as they transform IT through opportunities such as cloud computing.


Current RSA SecurID customers interested in leveraging this new integration can learn more here.

  • Password-less authentication experience for users accessing SaaS/web applications using FIDO2 Token as primary authentication method

RSA SecurID Access has provided a password-less experience to its customers for the last 35 years by offering strong authentication using RSA SecurID Tokens for use cases with VPN, firewall, Unix servers, and more. Building on this, end users can now also use FIDO2 authenticators for a password-less authentication experience (in addition to the RSA SecurID Token) when accessing Web/SaaS applications that act as a SAML Service Provider (SP) and use the Cloud Authentication Service as Identity Provider (IdP). FIDO2 authenticators can be securely enrolled using the RSA SecurID Access self-service portal, My Page, or using the in-line registration process when used for additional authentication. Policy-driven authentication can leverage location- or IP-address-based conditional attributes along with machine-learning-driven identity assurance for improved security.


  • Ensure uninterrupted user access to SaaS/Web apps with new cloud-native emergency access 

Organizations now have two options for emergency access. For Cloud Authentication Service and RSA Authentication Manager deployments, Authentication Manager provides a universal option for emergency access. Cloud-only deployments now have native emergency access capabilities that can be enabled for end users accessing SaaS or Web applications. End users who have lost or misplaced their authentication devices can contact the Help Desk, and the help desk administrator can provide emergency access codes that can be used for a specific time period by this user. Emergency access can be configured as an available authentication method and can be enabled for users even if the RSA SecurID Authenticate app isn't enrolled. This allows greater flexibility, especially in the case where a user forgets their FIDO authenticator, which is used for additional authentication.


  • Improved productivity and security for Windows sign-in experience with new release of RSA MFA Agent 1.2 for Microsoft Windows


RSA MFA Agent 1.2 for Microsoft Windows leverages the RSA SecurID Access Cloud Authentication Services to provide strong multifactor authentication to users signing into Windows machines, both online and offline. This MFA Agent now provides more authentication choices for users, along with features that improve user productivity and security during Windows sign-in. End users can also have uninterrupted access to their Windows machine in case they have temporarily forgotten or misplaced their MFA authenticators (for example, an RSA SecurID Authenticate device or an RSA SecurID hardware token). For more information, see


  • Corporate re-branding using company logo for the end-user authentication experience

Organizations want to provide a consistent branding experience for their end users during the Cloud Authentication Service additional authentication. Now organizations can display their company logo during the additional authentication flow. Administrators add this logo in the Cloud Administration Console.


  • Improved SaaS resiliency and availability

A critical component of the Cloud Authentication Service internal messaging infrastructure, responsible for all communication between components, has been replaced. A more reliable secure connector cloud REST implementation has been implemented and will solidify performance and reliability.


  • One employee, one Authenticate app for all accounts

To help improve security, IT admins typically separate administrator and user accounts for the same employee. This is widely regarded as a security best practice because it adds another hurdle for an attacker trying to gain a foothold into the IT infrastructure. However, this meant that these same employees had to have a separate registered device running the RSA SecurID Authenticate app for each account. Now, with the release of RSA SecurID Authenticate 3.1 for Android and iOS and a corresponding upcoming release for Windows, these users will no longer need to have separate devices. Users can now conveniently register all their accounts within the same registered app by adding them as they would normally do.


  • Share identity risk context with third-party SIEM platform providers for better threat analysis

Security operations center (SOC) analysts prefer to have as much identity context as possible during threat analysis to get a 360° view of the incident. RSA SecurID Access can now share such identity context in a more granular way with any SIEM platform. Specifically, customers can now get overall identity confidence scores along with the categories (device, behavior, and location) that influenced or contributed to the overall score. The risk or confidence scores are now exposed securely through the Cloud Administration User Event Log API. Through the API, customers can now export user risk information to any Security Information and Event Management (SIEM) platform for further analysis. This will enable SOC analysts to have better identity context in building Indicators of Compromise (IoCs) and preventing identity-specific attacks.


RSA continues to strengthen its RSA SecurID Access Cloud Authentication Service with the September and October product release. For further details on all the new and updated capabilities of this release, please refer to the Release Notes.
