Skip navigation
All Places > Products > RSA SecurID Access > Blog > Author: Kenn Chong

RSA SecurID Access

3 Posts authored by: Kenn Chong Employee

Over a year ago, RSA proudly launched the RSA SecurID Access My Page user self-service portal. It is our cloud-hosted self-service portal designed to help users easily register and conveniently manage their own authentication devices without any help from the IT Help Desk. However, ease and convenience does not equate to reduction in security. Utilizing our experience implementing user self-service features, we want to make sure that users do not end up being the weakest link. That is the vision for My Page, a place where users can securely register and manage their own authentication devices. This makes for Happy Users, and Even Happier Administrators.

 

Continue reading to find out how this is done in the RSA SecurID Access August 2019 Cloud Authentication Service Release. 

 

Improvements and Additional Configuration Options for My Page

 

The goal of an application portal is to provide users with a centralized place to access the applications needed on a daily basis, while at the same time allowing admins to control which applications users can access. This boosts user productivity when using multiple applications daily and increases security by governing the use of corporate applications. 

 

Customers now have the flexibility to provide access to RSA SecurID Access My Page through third-party application portals of their choice including the RSA SecurID Access Application portal. This makes it even easier for users to find My Page when managing their own authentication devices.   

 

Additional My Page options are now available, such as setting the destination page users go to after signing out of My Page or when they encounter an error. This allows users to stay within the same corporate virtual environment after managing their devices and to easily get help when needed.

 

 

Improved Single Sign-On Option When Adding a Service Provider

 

One way to promote usability and ease of use is to ensure a consistent look and feel across applications deployed within the organization. This is especially important for basic tasks such as user authentication required before using each application because a user can potentially authenticate to as many as 10 different applications during a typical workday.  

 

Admins also have concerns with user credentials being submitted outside of the corporate network. This is due to the possibility of the user's traffic being intercepted or even key logging malware installed on remote machines. The concern is even greater with self-service registered device management features designed to allow users to do it anywhere and anytime.

 

To promote ease of use and increase security posture, customers can now use their own cloud identity provider as the primary authentication option for My Page. At the same time, admins can also be assured that all My Page user credentials are securely submitted for authentication. This is achieved by enabling the new SAML based IdP initiated option for My Page user authentication.

 

Now, users can easily authenticate to My Page with the same look and feel as other corporate apps they use daily. At the same time, credentials are securely submitted within a controlled trusted corporate network that is handled by a service external to RSA that  may very well be firewall-protected.

 

IT Help Desk Assisted Secure Device Registration

 

No matter how self-service a feature can be designed, some may still offer an admin assisted device registration option. Don't forget, registration issues may still happen and users still end up calling their IT Help Desk for further assistance. Since one of the goals of My Page is to help users register their own devices, only the user has access to information needed for device registration and not the admin. The user could screen-share their desktop with the admin during the help call; however, there should be an easier way to do this.

 

 

Admins can generate a code with a click of a button in the User Management section of the Cloud Administration Console. Admins can then provide this code to users over the phone. This can be used as part of an admin-assisted device registration process and even during registration troubleshooting because the generated one-time-use code is valid for a limited amount of time. 

 

Additional Deployment Option for RSA SecurID Authenticate for Windows

 

We are aware that some customers are restricting users from getting Windows Apps through the Microsoft Store. Instead, they prefer that these apps be distributed centrally similar to how it is traditionally done with other Windows apps in-use today. Admins can now use Deployment Image Servicing and Management (DISM) to deploy the app from a command-line tool. After the app is deployed, users can then complete RSA SecurID Authenticate device registration.  

 

For more information on these and other new features in the August 2019 RSA SecurID Access release, see the August 2019 Release Notes.

The Birth of Portable Computing

Computing in the modern world has changed drastically. Gone are the yesteryears when computers were big machines the size of your closet that is not very portable. Today, users demand portable computing whenever and wherever. In the Enterprise, efficiency is key. IT organizations are now open to provision more mobile devices such as smartphones, laptops and even tablets. This enables employees to be that much more productive on the go and ensures them reliable access to what they need; whenever, wherever.

 

Portable Computing Needs Untethered Security

IT organizations today recognize the need to secure these machines. However, what they fail to recognize is that these machines are often offline for many reasons. As an example, you need to login to your Windows laptop quickly because you are late for a very important customer call. However, your laptop is offline when you try to login; It is still trying to connect to the company network. Maybe, you are getting updated reports periodically about an urgent issue because you are mid-flight towards a remote data-center attempting to fix it. You want to be ready to go as soon as you land. However, your Windows tablet is offline because WiFi on-board is not freely available. Better yet, you need to login to your laptop quickly and email over a freshly signed Sales Order; all this to seal the deal before close of business. However, because you are onsite at that customer's office, your laptop is offline and has not connected to their Guest WiFi network at all.

 

These instances requires you to login first before establishing a network connection.You are effectively locked out of your machine if login while offline is not allowed. What then? Do we just create a backdoor Just-In-Case (a.k.a. Fail Open) login account? The answer cannot simply just be " No Network, No Secure Login Needed" for these whenever-wherever-machines.

 

Convenient & Seamless Windows Login Untethered, The RSA Way

Introducing, the All New RSA Multi-Factor Authentication (MFA) Agent for Microsoft Windows. This is our vision for users to securely and reliably login to Windows machines that is Convenient and Seamless whether Online or Offline. Anyone can claim that their product is reliable. This is because if something goes wrong, they can depend on users easily getting online and even stay online reliably while standing still.  These machines in the above examples are offline and  cannot connect to the authentication server to complete authentication. However, the user cannot get the machine back online unless they can login first. Good luck telling them to go to the nearest company office location just to login again.

 

This agent is designed from the ground up with the strength of the RSA Authentication Agent for Microsoft Windows (a.k.a Windows Agent); the convenience and secure modern authentication options of the RSA SecurID Access Cloud Authentication Service (CAS); all to secure Windows workstation and server logins.Not only is the ability for users to authenticate with different modern authentication methods that makes this agent unique; it is the ability for users to login Online or Offline, to their machines with the same authentication device and the same login experience. Imagine having to login multiple times a day and deciding which device to use for login all the time. You want convenient login and IT admins want secure login to your whenever-wherever-machines.

 

How RSA Does It... Better

The MFA Agent's Offline Authentication uses the Authenticate Tokencode; generated by the RSA SecurID Authenticate App. This is based on RSA's unique way of allowing tokencodes to be verified without network connectivity to the authentication server. What makes the MFA Agent's offline authentication even better than other solutions is the use of the same Authenticate Tokencode for both online or offline authentication. With our agent, an attacker cannot gain access to the machine console while malicious code cannot properly execute while the machine is offline. This is because most sensitive resources on an MFA Agent protected Windows machine requires a valid Authenticate Tokencode. To top it off, if users choose to login with an Authenticate Tokencode while online , they can also use the same device to generate an Authenticate Tokencode for login while offline.

 

This is what we do today with the classic Windows Agent using tokencodes generated by RSA's award-winning RSA SecurID tokens, deemed the Gold Standard for reliable and secure Offline Authentication. IT organizations cannot effectively secure and control a machine that is offline from an attacker that is either in front of the console, or already running as malicious code inside these machines. Large corporations and various governments globally have trusted it for many years to protect login to their most important Windows machines when offline; you can trust our MFA Agent to do the same for your whenever-wherever-machines.

 

Something Sweet For Servers Too

What about Windows Servers? Some equate non-portable Windows machines to never-offline-machines. What they learn is that servers can become offline due to a simple thing such as a patch applied gone wrong and simply un-assigns the server's IP address. Admins can only reconnect them to the network if they login to the server first. A lot of products out there will allow servers to "Fail Open" as a solution or even force admins to create a backdoor login account as  backup. Why find this acceptable? Use the all new MFA Agent to reliably secure server logins when offline, just like the rest of your whenever-wherever-machines.

 

Summary

As you go about evaluating a secure Windows Login solution, make sure you ask yourself "What happens to login when the machine is offline?" You will find that you either have to give up on security or convenience or both. Now, you don't have to anymore. With RSA, organizations can empower users with Convenient & Seamless Windows Secure Authentication - Untethered. For end users, this is like having your cake and eating it too - no strings attached.

 

Here is a typical scenario that is familiar with anyone owning a smartphone these days: The Next Best Thing is here! I just bought it so do I have to tell my IT admin to remove my old device from SecurID Access so that I can install and register the SecurID Access app on my new shiny toy I just bought?

 

The answer here is.... NO! Just follow these simple, easy-to-follow steps to unregister your old device from the SecurID Access database:

 

1) Open the SecurID Access App and go to the Via Tokencode screen. Click on the "gear" icon at the top right of the screen.

 

IMG_3696.PNG

 

2) A screen will show up displaying details about the current SecurID App. Under the Companies section, select the Company you wish to unregister from RSA SecurID Access. In the below example, I am going to remove Company "sp49".

 

IMG_3697.PNG

 

3) The Company Information screen will show up and the final step here is to click on the "Delete Company"" button.

 

IMG_3698.PNG

 

4) Now download the SecurID Access app to your new device and register it as you normally did with your old device.

 

There you have it. 4 easy steps to get your new device up and running in no time without needing any IT Admin help.

Filter Blog