Skip navigation
All Places > Products > RSA SecurID Access > Blog > 2020 > June

As we all are transitioning to embrace the new normal and support the remote workforce, there is an unprecedented need to keep the endpoints secure without compromising convenience. It is critical that we take steps to enable the dynamic workforce to access resources by providing a frictionless and seamless experience. We are excited to provide updates as part of June, 2020 Release that perfectly align with this objective.



RSA® MFA Agent for macOS® 


Endpoint security is a major concern for CSO and IT managers. Given the pandemic situation, there is a significant increase in the number of end-user devices (especially through laptops and desktops) trying to access the corporate network remotely, along with a corresponding increase in the number of hackers trying to compromise. With RSA® MFA Agent for macOS®, organizations can protect and ensure secure logins to the macOS® laptops and workstations. RSA® MFA Agent for macOS® works with RSA SecurID Access Cloud Authentication Service to require users to provide additional authentication to sign into macOS® consoles, whether they are online or offline. 


Today’s enterprises understand and acknowledge the need to manage identities in a dynamic fashion given their dynamic environment and dynamic workforce. Although strong authentication is top of mind, convenience and user experience are no longer a secondary priority. Defying the “more-is-more" approach, customers and users want to manage minimum set of authenticators for an efficient and seamless experience across use cases.  


Above statement being our preamble of the RSA® MFA Agent for macOS®,  authentication options available to end-users are  Push to Approve, RSA SecurID Authenticate Tokencode and RSA SecurID Tokens when things are all fine.
The Agent falls back to Authenticate Tokencode when users are offline and offers Emergency Tokencode option when they have no access to authenticators. With RSA SecurID Access, users are always connected securely. 


By protecting the macOS machines not just during user logins but also during screen unlocks and with the no-fail-open design, RSA ensures there is no “slip through the cracks” situation even when the Agent is unreachable to the Cloud Authentication Service.


To know more and watch the the MFA Agent in action, 

Cake for All! Secure & Convenient Login for The New Enterprise for macOS®  

Watch RSA® MFA Agent for macOS® In Action


View and Track License Usage Information  


Understanding the product usage is an important factor for planning and forecasting future license upgrades. Customers can view their current usage of MFA on RSA SecurID Access and Authenticators registered for the service. Administrators can access the following information to determine:

  • Number of users with Multi-factor authentication (MFA) licenses 
  • Number of users with third-party FIDO authenticators
  • Number of SMS/Voice Tokencodes consumed 


This data is refreshed automatically every hour to ensure that administrators have visibility to the most recent information.


Get More Out of Enterprise and Premium Editions of RSA SecurID Access with the Third Party FIDO Authenticators 


We all know how effective FIDO is when it comes to thwarting phishing and man-in-the-middle attacks. FIDO Alliance promotes and supports the stronger authentication standards that help reduce the over-reliance on the passwords. So is RSA!  


In December 2019, RSA partnered with Yubico® to address the needs of a dynamic workforce and provide modern and frictionless authentication experience with the FIDO authentication solution. With FIDO2 and RSA SecurID Access Authentication services, RSA customers enjoy the passwordless experience while accessing SaaS and web applications.  


Until recently, the customers had to purchase RSA SecurID MFA licenses to use FIDO/FIDO2 authenticators. With this change, we are removing the frictions for the enterprises to adopt and build stronger and more modern authentication strategies.  


FIDO Authentication Support  


While we are talking about extending the support for FIDO, why not talk about RSA SecurID Authentication API. RSA SecurID Authentication API, a REST-based programming interface that allows RSA customers and partners to leverage MFA capabilities for the custom-built applications.


In the June release, RSA SecurID Authentication API supports FIDO/FIDO2 as authentication method along with the existing MFA methods. To supplement FIDO as part of authentication, RSA SecurID Access supports managing the entire lifecycle too. RSA understands, for the organizations to begin using FIDO at scale, it requires more than just the authentication support for the protocol. At the initial login authentication attempt, users can enroll their FIDO authenticators or keys before using them as part of multi-factor authentication methods. By providing users with the ability to manage

the keys with self-service and in-line registration, RSA removes barriers for organizations and technology partners to adopt RSA SecurID Authentication support for FIDO.  



To learn about additional updates coming out in June 2020, see June Release Notes. 


Organizations today are reeling from decisions made at the start of the “New Normal”. These decisions were made during a rapidly deteriorating situation happening on a global scale, all in response to continually evolving mandates issued by different levels of government. Action on these decisions was swift, of the business simultaneously, and fundamentally changed how the business functioned on a day-to-day basis.


The New Normal results in a widely distributed Remote Workforce.

The Remote Workforce that must use the internet to access Corporate Resources.

Corporate Resources are accessed from the home office using All Available Machines.

The Machines that keeps the lines of business running in The New Enterprise.


As the “New Normal” begins to stabilize, organizations are starting to understand the impact of these changes. One such need is the ability of the remote workforce to securely log in to machines running macOS® and use them to access corporate resources. Prior to this, organizations had little appetite to secure these machines because their numbers were relatively small and easy to track and manage.


Today, these machines are used by the remote workforce in all parts of the world. They are connected to the internet using a variety of consumer grade networking equipment and broadband service providers. More importantly, there are no guarantees of physical access security to these machines. New problems are revealed as the lines of business continue to allow the use of macOS machines by the remote workforce. Solving them will require a New Enterprise Grade solution that can meet the needs of both users and administrators in the "New Enterprise".


Users need Convenient Login to macOS any time whether Online or Offline with No Fail-Open.

Administrators need Secure Login to macOS anytime whether Boot-Up or Wake-Up.


Announcing the Launch of RSA MFA Agent 1.0 for macOS


Today, RSA® proudly launches RSA MFA Agent 1.0 for macOS; an important step for a New Enterprise Grade endpoint protection solution. This agent is the culmination of many years of experience from securing Windows® and Linux® machines belonging to organizations of all sizes and verticals. You will discover that this agent fulfills the needs of both users and administrators while they adapt to the "New Enterprise". Additionally, you can learn how we do this for Windows and Linux machines in the “Eat More Cake!” blog and the Pluggable Authentication Module (PAM) announcement.     


Convenient Login Whether Online or Offline with "No Fail-Open"


Users want a quick and easy way to log in to macOS. Many users do not want to carry different devices all the time just to log in. They do not want to figure out if their macOS machines are connected to the internet just to log in with the right device. All they want is to carry one device and use one app to log in to their machines.


RSA MFA Agent for macOS lets users log in using a choice of Approve, Authenticate Tokencode, Emergency Access or RSA SecurID® Token that is convenient anytime the machine is online. Gone are the days when users get limited access to the machine when offline with our deliberate use of a "No Fail-Open" design. The agent automatically protects the offline machine using one of the most secure options, Authenticate Tokencode. Users can conveniently log in to their machines with this when offline, just as they do when online.


Secure Login Whether Boot-Up or Wake-Up


Users typically log in to their macOS machines at the log in or lock screen. Of these two places, users most frequently log in at the lock screen, because the machine automatically locks itself when the user has not interacted with it for a while. Examples of this include users stepping away for a short break or when moving to a new meeting room and reopening the laptop lid to use it. The log in screen by comparison happens only when the machine is turned on or restarted.  


Any secure desktop protection solution that uses a Fail-Open design without protecting the lock screen really takes the cake! Not only can someone gain access to the machine by figuratively pulling the network cable, they can stay logged in with just the username and password. Requiring users to login with Authenticate Tokencode using our innovative "No Fail-Open" design, preventing login bypass, at both log in and lock screens, even when the machine has no connectivity, is how we do it better.


Ending on a Sweet Note


As we enter the "New Enterprise" era, organizations are reevaluating their Identity and Access Management (IAM) solutions in use more than ever. They will not accept so-called "Enterprise Grade" solutions that favor convenience or security at the expense of the other while operating in the "New Enterprise". They want to have their cake and eat it too. With RSA SecurID Access, organizations can get a convenient and secure solution that is balanced, but getting one that is New Enterprise Grade is just icing on the cake.



An organization or lines of business within organizations should consider having an integrated authentication strategy and framework. An authentication solution should aid in advancing that framework in meeting specific identity and security objectives. Such organizations looking at free Microsoft Azure AD MFA or RSA SecurID Access need to use these critical elements when building or supporting such authentication framework. 


Protect applications beyond Windows-based and browser-based

Most organizations will continue to manage a hybrid IT model with non-windows applications and infrastructure existing in both cloud and on-premise. These infrastructure systems like switches, routers, VPN’s, server systems (*nix) need privileged access by super-admins. IAM teams need to think about how to securely enable 2FA/MFA for those privileged admins and end-users with a native integration that doesn’t compromise user experience. RSA SecurID Access provides an agent-based approach that can protect remote access infrastructure such as VPN’s, Citrix access gateway Windows Remote desktop sessions, critical server environments including Linux systems.


Support non standard protocol applications through a combination of technology ecosystem and an extensible API model

For legacy applications that do not support standard protocols (eg. SAML, RADIUS, OIDC) organizations need to think about extending MFA capabilities using an API approach or pre-built integration with technology vendors.  RSA Ready program helps organizations have an out of the box certified integrations with 500+ applications through 100+ technology vendor partnership. RSA SecurID Access can enable MFA to non-browser or non-SAML based applications through native integration with network vendors such as Palo-Alto Networks or provide out of the box MFA integration with electronic medical records applications such as Epic systems. RSA SecurID Access helps organizations to extend their deployment to meet enterprise grade requirements by exposing API/SDK for any custom integration.


Support dynamic workforce with authentication choices and a simplified experience across the entire MFA lifecycle including user onboarding

Supporting a broad range of user types and providing clear paths for those users to self-register any MFA method consistently as part of on-boarding is critical. RSA SecurID Access on-boarding experience through out of the box capability or extensible REST APIs helps organizations to create simplified user experience while on-boarding users all backed by a powerful policy engine. Besides on-boarding, a framework needs to handle what/if scenarios such as credential recovery and emergency access. What if users need a break glass approach to gain access to applications or self-service capabilities when their phones are misplaced or forgotten. What if contractors need 1-time code to access systems without the overhead of distributing tokens or using mobile phones. RSA SecurID Access provides options to help handle emergency situations and variety of user types and scenarios.


As discussed above any security sensitive organization looking to advance their authentication framework should consider appropriate critical elements.  IAM practitioners within those organizations need to contemplate whether having a free solution advances or restricts those elements in supporting diverse workforce access applications across their hybrid IT environment. 

As each lines of business (LOB) within an organization procure their own authentication solution the overhead costs of managing such solutions needs to be evaluated.  Does this island of point solutions drive additional process challenges and more disconnected authentication framework for an IAM team? Below are key discussion points to ponder before going down the path of implementing multiple authentication solutions


Reproducing & managing integrations & automation with multiple authentication platforms may prove costly

Organizations invest in the automation and integration of an authentication platform with existing security tools such as an SIEM platform, governance tools for collecting, reporting and regularly auditing of access events.  RSA SecurID Access enables those organizations to automate the process or workflow during on-boarding of users, distribution of MFA credentials and sharing of data for auditing needs. Replicating these integrations and automation across security systems using a second authentication platform may add additional cost and resourcing challenges.


Reflect on process challenges when considering multiple authentication platforms

Often rolling out or upgrading an MFA infrastructure requires a common buy-in across desktops, mobile, infrastructure, remote access and security teams. This required interaction creates process friction and overhead within some organizations.  Hence using native integration & out of the box capabilities provided by an authentication platform is critical in reducing such friction for IAM team’s success. RSA SecurID Access has such native integration capabilities through agent-based model, out-of-the-box integration with infrastructure vendors (eg. VPN, firewalls, virtualization platforms) and support for both hardware and virtual appliances. IAM teams should reflect on such process challenges and associated friction when adding yet another authentication solution in their toolbox to solve point use-cases.


Reduce user education and training costs and improve productivity through a single authentication platform

Educating and training users with two different authentication experiences provided through different solutions is a challenge when those users require the broadest set of authentication options to access applications. IAM teams considering two different authentication solutions as part of their tool set should consider looking at possible overhead of staffing and technical training of help desk team members in supporting those solutions. RSA SecurID Access helps build consistent end-user experience across the broadest set of applications and widest authentication choices that reduces the overhead of training and educating end-users. In addition, the IAM teams can improve overall help desk costs by choosing a single vendor that provides consistent experience in supporting users across a hybrid environment. 


Managing multiple authentication platforms doesn't end with technical, people or process challenges for IAM teams. The invisible costs extends to vendor management challenges, security teams managing vulnerabilities and fixing those gaps across multiple point products, and more. As an IAM practitioner one needs to evaluate and reflect on holistic value achieved through using one versus multiple authentication platforms that meets an organization's broadest set of security and identity needs. 

The word free has multiple meanings according to the Merriam-Webster dictionary. Among them are “not restricted”, “not costing”, “relieved from something burdensome”. When a solution is free or bundled with Enterprise License Agreements (ELA) and is used as key decision driver towards purchasing or rolling out Multi-Factor Authentication (MFA) the hidden costs are overlooked leading to return on investment challenges. An Identity and Access Management (IAM) influencer or a decision maker thinking about free Microsoft Azure AD MFA need to consider the following three criteria and associated questions while making such decisions.


  1. A consolidated authentication framework to support diverse user population, variety of infrastructure & applications while mitigating identity specific attacks. Do organizations feel restricted or advancing in developing a consolidated authentication framework using a free solution?
  2. Overhead costs related to people & processes from supporting multiple vendors and managing multiple authentication platforms. Does having multiple authentication vendors cost organizations more?
  3. An authentication platform that helps IAM teams meet different regulatory requirements while supporting strong security policies. Do free solutions burden IAM teams more when trying to address MFA requirements as part meeting their regulatory needs (eg. PCI-DSS, DFARS, EPCS) ?


If the answer is a resounding yes to the above questions the next series of blogs will provide guide paths and recommendations on how to address those questions effectively. These recommendations should enable organizations & IAM teams make an informed decision when considering RSA SecurID Access or free Microsoft Azure AD MFA for their authentication needs.


Filter Blog

By date: By tag: