RSA SecurID Access supports FIDO-certified security keys as an authentication option, including FIDO2- and U2F-compliant security keys.
RSA SecurID Access supports security keys for both primary authentication (the passwordless user experience) and additional (step-up) authentication. FIDO2 security keys can be used for primary authentication and additional authentication. U2F security keys can be used for additional authentication. Primary authentication is only supported for service providers (SAML applications). See FIDO Token.
Perform these steps to start using security keys with RSA SecurID Access. These steps assume that you have an existing RSA SecurID Access Cloud Authentication Service deployment.
- Set up FIDO Token as an authentication method on the Cloud Administration Console.
- Confirm that FIDO Token is in the assurance level that you want. See Configure Assurance Levels.
- Confirm that you have an access policy that uses that assurance level. See Add an Access Policy.
- Determine if you want to use FIDO Token for primary authentication or additional authentication, or both. If you want to use FIDO for primary authentication, add a service provider and specify FIDO as the primary authentication method. See Add a Service Provider.
- Update the My Page settings so that FIDO Token registration is required through My Page. See Manage RSA SecurID Access My Page.
- Review the system requirements for FIDO Token. See FIDO Token Requirements.
- Register your security key in My Page. If FIDO registration is not enabled through My Page, FIDO Token can be registered during additional authentication using the in-line registration process. See the different ways you can Restrict Access to My Page.
- Authenticate to your service provider to see it work. See Passwordless experience using FIDO2 Token for more details and a demo.
- Confirm your test authentication in the User Event Monitor. See Monitor User Events in the Cloud Administration Console.