
RSA SecurID Access

5 Posts authored by: Kenn Chong Employee

Organizations today are reeling from decisions made at the start of the “New Normal”. These decisions were made during a rapidly deteriorating situation happening on a global scale, all in response to continually evolving mandates issued by different levels of government. Action on these decisions was swift, affected all parts of the business simultaneously, and fundamentally changed how the business functioned on a day-to-day basis.

 

The New Normal results in a widely distributed Remote Workforce.

The Remote Workforce that must use the internet to access Corporate Resources.

Corporate Resources are accessed from the home office using All Available Machines.

The Machines that keep the lines of business running in The New Enterprise.

 

As the “New Normal” begins to stabilize, organizations are starting to understand the impact of these changes. One such impact is the need for the remote workforce to securely log in to machines running macOS® and use them to access corporate resources. Prior to this, organizations had little appetite to secure these machines because their numbers were relatively small and easy to track and manage.

 

Today, these machines are used by the remote workforce in all parts of the world. They are connected to the internet using a variety of consumer grade networking equipment and broadband service providers. More importantly, there are no guarantees of physical access security to these machines. New problems are revealed as the lines of business continue to allow the use of macOS machines by the remote workforce. Solving them will require a New Enterprise Grade solution that can meet the needs of both users and administrators in the "New Enterprise".

 

Users need Convenient Login to macOS any time whether Online or Offline with No Fail-Open.

Administrators need Secure Login to macOS anytime whether Boot-Up or Wake-Up.

 

Announcing the Launch of RSA MFA Agent 1.0 for macOS

 

Today, RSA® proudly launches RSA MFA Agent 1.0 for macOS; an important step for a New Enterprise Grade endpoint protection solution. This agent is the culmination of many years of experience from securing Windows® and Linux® machines belonging to organizations of all sizes and verticals. You will discover that this agent fulfills the needs of both users and administrators while they adapt to the "New Enterprise". Additionally, you can learn how we do this for Windows and Linux machines in the “Eat More Cake!” blog and the Pluggable Authentication Module (PAM) announcement.     

 

Convenient Login Whether Online or Offline with "No Fail-Open"

 

Users want a quick and easy way to log in to macOS. Many users do not want to carry different devices all the time just to log in. They do not want to figure out if their macOS machines are connected to the internet just to log in with the right device. All they want is to carry one device and use one app to log in to their machines.

 

RSA MFA Agent for macOS lets users log in using a choice of Approve, Authenticate Tokencode, Emergency Access or RSA SecurID® Token, whichever is convenient, anytime the machine is online. With our deliberate use of a "No Fail-Open" design, gone are the days when users get only limited access to the machine when offline. The agent automatically protects the offline machine using one of the most secure options, Authenticate Tokencode. Users can conveniently log in to their machines with it when offline, just as they do when online.

 

Secure Login Whether Boot-Up or Wake-Up

 

Users typically log in to their macOS machines at the log in or lock screen. Of these two places, users most frequently log in at the lock screen, because the machine automatically locks itself when the user has not interacted with it for a while. Examples of this include users stepping away for a short break or when moving to a new meeting room and reopening the laptop lid to use it. The log in screen by comparison happens only when the machine is turned on or restarted.  

 

Any secure desktop protection solution that uses a Fail-Open design without protecting the lock screen really takes the cake! Not only can someone gain access to the machine by figuratively pulling the network cable, they can stay logged in with just the username and password. We do it better by requiring users to log in with Authenticate Tokencode at both the log in and lock screens, even when the machine has no connectivity, using our innovative "No Fail-Open" design that prevents login bypass.

 

Ending on a Sweet Note

 

As we enter the "New Enterprise" era, organizations are reevaluating their Identity and Access Management (IAM) solutions in use more than ever. They will not accept so-called "Enterprise Grade" solutions that favor convenience or security at the expense of the other while operating in the "New Enterprise". They want to have their cake and eat it too. With RSA SecurID Access, organizations can get a convenient and secure solution that is balanced, but getting one that is New Enterprise Grade is just icing on the cake.

 

 

With governments worldwide implementing various travel restrictions and guidelines for their citizens lately, organizations and their employees are learning to live with the New Normal: essential businesses, social distancing, remote learning, and work from home.

 

Organizations today are also learning to deal with the realities of operating in this new environment.

 

The Home Office is now The Office for employees

The Internet is now The Corporate Network for admins

The New Normal is now Business As Usual for Lines Of Businesses (LOBs)

 

LOBs have highlighted an urgent need for employees to conveniently and securely access critical resources from The Home Office, over The Internet, during The New Normal, as they develop business resiliency while simultaneously enabling a large remote workforce. In some cases, employees may need to access these work resources from just about any machine that is made available to them at any given point in time.

 

Let us take a look at what is new with RSA SecurID Access in 2020 that organizations can use to achieve these goals. 

 

FIDO Authentication

 

Enterprise interest in FIDO as a secure and convenient authentication method for employees to use anywhere on any machine is growing, as organizations recognize that it can provide a means to achieve this goal with devices that are portable and easy to use. As organizations begin incorporating FIDO as part of their Identity and Access Management (IAM) strategy, they turn to us as their premier IAM solution provider to offer not just any FIDO authentication solution, but an Enterprise Grade FIDO authentication solution. Below are some examples of how we do it better:

      

  • Certification of the RSA SecurID Access Cloud Authentication Service (CAS) as a FIDO2 Certified Server - January 2020
  • Verification of the integrity and authenticity of FIDO-certified security keys listed with the FIDO Alliance Metadata Service (MDS) - January 2020
  • Support for Windows Hello enabled devices and compatible Android phones as FIDO authenticators - February 2020
  • The release of the YubiKey for RSA SecurID Access - a hardware based FIDO authentication solution that provides superior defense against phishing, eliminates account takeovers, and reduces IT costs - March 2020
  • The release of RSA Security Key Utility, a Windows utility that can be deployed on users' Windows machines to manage user verification for any FIDO2-certified security key - March 2020
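As an added illustration of the MDS-based key verification listed above (example code, not RSA's own implementation), the following Python policy check takes the decoded entries of an already downloaded and signature-verified MDS3 BLOB and decides, from the latest status report for a key's AAGUID, whether that key model may be registered; every AAGUID and entry below is a constructed sample.

```python
"""Policy check of a registering FIDO2 authenticator against FIDO Alliance MDS data.
Added illustration, not RSA's code. Assumes the MDS3 BLOB (a JWT) was already
fetched and its signature chain verified; only the decoded entries are modelled."""
from datetime import date

# MDS status values that mean the authenticator model must not be trusted.
DENY_STATUSES = {
    "REVOKED",
    "ATTESTATION_KEY_COMPROMISE",
    "USER_VERIFICATION_BYPASS",
    "USER_KEY_REMOTE_COMPROMISE",
    "USER_KEY_PHYSICAL_COMPROMISE",
}

# MDS status values that count as FIDO certified for a "certified only" policy.
CERTIFIED_STATUSES = {
    "FIDO_CERTIFIED", "FIDO_CERTIFIED_L1", "FIDO_CERTIFIED_L1plus",
    "FIDO_CERTIFIED_L2", "FIDO_CERTIFIED_L2plus",
    "FIDO_CERTIFIED_L3", "FIDO_CERTIFIED_L3plus",
}

# Constructed sample in the shape of MDS3 entries (abbreviated; AAGUIDs are made up).
SAMPLE_MDS_ENTRIES = [
    {
        "aaguid": "11111111-1111-1111-1111-111111111111",
        "statusReports": [
            {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2019-03-01"},
        ],
    },
    {
        "aaguid": "22222222-2222-2222-2222-222222222222",
        "statusReports": [
            {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2018-06-01"},
            {"status": "ATTESTATION_KEY_COMPROMISE", "effectiveDate": "2020-01-15"},
        ],
    },
    {
        "aaguid": "33333333-3333-3333-3333-333333333333",
        "statusReports": [
            {"status": "NOT_FIDO_CERTIFIED", "effectiveDate": "2019-01-01"},
        ],
    },
]


def latest_status(entry):
    """Return the status with the most recent effectiveDate, or None if absent."""
    reports = sorted(entry.get("statusReports", []),
                     key=lambda r: date.fromisoformat(r["effectiveDate"]))
    return reports[-1]["status"] if reports else None


def evaluate_authenticator(aaguid, entries, require_certified=True):
    """Return (allowed, reason). Unknown AAGUIDs and any compromise or revocation
    status are rejected (fail closed); with require_certified the latest status
    must be one of the FIDO certified levels."""
    entry = next((e for e in entries
                  if e.get("aaguid", "").lower() == aaguid.lower()), None)
    if entry is None:
        return False, "AAGUID not listed in MDS"
    status = latest_status(entry)
    if status is None:
        return False, "no status report in MDS entry"
    if status in DENY_STATUSES:
        return False, f"latest MDS status is {status}"
    if require_certified and status not in CERTIFIED_STATUSES:
        return False, f"not FIDO certified (latest status {status})"
    return True, f"accepted (latest status {status})"
```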

 

 

RSA SecurID Authenticate Mobile App

 

Aside from the FIDO enhancements above, we have also continued to strengthen the security of our RSA SecurID Authenticate mobile app. With our app being installed on employee-owned Bring-Your-Own-Devices (BYOD), IT admins are always concerned with the security and integrity of the underlying devices used to run the Authenticate app. With this in mind, some enhancements were made to the Authenticate app to alleviate these concerns. These enhancements include:

 

  • Jailbreak Detection for the RSA SecurID Authenticate 3.2 for iOS - January 2020
  • Enhanced compliance checks for the RSA SecurID Authenticate 3.3 for Android. This ensures that the device is not rooted before allowing use of the app - March 2020

 

Our customers have relied on the RSA Authentication Manager (AM) server to reliably protect their mission critical infrastructure with RSA SecurID Tokens for many years. One notable enhancement made as part of Patch 9 in January 2020 is to allow users to authenticate to applications using biometrics available on their devices, such as Apple Touch ID or Face ID, Android fingerprint, or Windows Hello. This feature is available if customers use the Security Console wizard to connect the AM to CAS. For instructions, see Connect RSA Authentication Manager to the Cloud Authentication Service.  

 

Easier Setup and Management

 

To make it easy for our CAS admins to set up and manage users, the following enhancements have been implemented:

 

 

Miscellaneous

 

Lastly, as a reminder to our customers using CAS, the IP addresses for CAS and the Cloud Administration Console will be changing soon. We recommend that customers make any necessary firewall changes to allow identity routers and user browsers to connect to these new IP addresses. To prevent service disruption, customers' networks must be able to connect to both the existing and new IP addresses according to the table below:

 

Region   New IP Addresses
ANZ      20.37.53.30, 20.39.99.202
EMEA     51.105.164.237, 52.155.160.141
US       52.188.41.46, 52.160.192.135

 

Closing

 

As organizations continue adapting to the needs of a dynamic and growing remote workforce, they expect vendors to offer solutions that can keep up with them. We hope our customers will take advantage of enhancements announced above to provide employees with a convenient and secure way to access critical resources from The Home Office, over The Internet, during The New Normal with an Enterprise Grade IAM solution.  

Over a year ago, RSA proudly launched the RSA SecurID Access My Page user self-service portal. It is our cloud-hosted self-service portal designed to help users easily register and conveniently manage their own authentication devices without any help from the IT Help Desk. However, ease and convenience do not equate to a reduction in security. Utilizing our experience implementing user self-service features, we want to make sure that users do not end up being the weakest link. That is the vision for My Page, a place where users can securely register and manage their own authentication devices. This makes for Happy Users, and Even Happier Administrators.

 

Continue reading to find out how this is done in the RSA SecurID Access August 2019 Cloud Authentication Service Release. 

 

Improvements and Additional Configuration Options for My Page

 

The goal of an application portal is to provide users with a centralized place to access the applications needed on a daily basis, while at the same time allowing admins to control which applications users can access. This boosts user productivity when using multiple applications daily and increases security by governing the use of corporate applications. 

 

Customers now have the flexibility to provide access to RSA SecurID Access My Page through third-party application portals of their choice including the RSA SecurID Access Application portal. This makes it even easier for users to find My Page when managing their own authentication devices.   

 

Additional My Page options are now available, such as setting the destination page users go to after signing out of My Page or when they encounter an error. This allows users to stay within the same corporate virtual environment after managing their devices and to easily get help when needed.

 

 

Improved Single Sign-On Option When Adding a Service Provider

 

One way to promote usability and ease of use is to ensure a consistent look and feel across applications deployed within the organization. This is especially important for basic tasks such as user authentication required before using each application because a user can potentially authenticate to as many as 10 different applications during a typical workday.  

 

Admins also have concerns with user credentials being submitted outside of the corporate network. This is due to the possibility of the user's traffic being intercepted or even key logging malware installed on remote machines. The concern is even greater with self-service registered device management features designed to allow users to do it anywhere and anytime.

 

To promote ease of use and increase security posture, customers can now use their own cloud identity provider as the primary authentication option for My Page. At the same time, admins can also be assured that all My Page user credentials are securely submitted for authentication. This is achieved by enabling the new SAML-based IdP-initiated option for My Page user authentication.

 

Now, users can easily authenticate to My Page with the same look and feel as other corporate apps they use daily. At the same time, credentials are securely submitted within a controlled, trusted corporate network that is handled by a service external to RSA and may very well be firewall-protected.

 

IT Help Desk Assisted Secure Device Registration

 

No matter how much a feature is designed for self-service, some customers may still want to offer an admin-assisted device registration option. Don't forget, registration issues may still happen and users still end up calling their IT Help Desk for further assistance. Since one of the goals of My Page is to help users register their own devices, only the user, and not the admin, has access to the information needed for device registration. The user could screen-share their desktop with the admin during the help call; however, there should be an easier way to do this.

 

 

Admins can generate a code with a click of a button in the User Management section of the Cloud Administration Console. Admins can then provide this code to users over the phone. This can be used as part of an admin-assisted device registration process and even during registration troubleshooting, since the generated one-time-use code is valid only for a limited amount of time.

 

Additional Deployment Option for RSA SecurID Authenticate for Windows

 

We are aware that some customers are restricting users from getting Windows Apps through the Microsoft Store. Instead, they prefer that these apps be distributed centrally, similar to how it is traditionally done with other Windows apps in use today. Admins can now use Deployment Image Servicing and Management (DISM) to deploy the app from a command-line tool. After the app is deployed, users can then complete RSA SecurID Authenticate device registration.

 

For more information on these and other new features in the August 2019 RSA SecurID Access release, see the August 2019 Release Notes.

The Birth of Portable Computing

Computing in the modern world has changed drastically. Gone are the yesteryears when computers were big machines the size of your closet that were not very portable. Today, users demand portable computing whenever and wherever. In the Enterprise, efficiency is key. IT organizations are now open to provisioning more mobile devices such as smartphones, laptops and even tablets. This enables employees to be that much more productive on the go and ensures them reliable access to what they need; whenever, wherever.

 

Portable Computing Needs Untethered Security

IT organizations today recognize the need to secure these machines. However, what they fail to recognize is that these machines are often offline for many reasons. As an example, you need to log in to your Windows laptop quickly because you are late for a very important customer call. However, your laptop is offline when you try to log in; it is still trying to connect to the company network. Maybe you are getting updated reports periodically about an urgent issue because you are mid-flight towards a remote data center attempting to fix it. You want to be ready to go as soon as you land. However, your Windows tablet is offline because WiFi on board is not freely available. Better yet, you need to log in to your laptop quickly and email over a freshly signed Sales Order, all to seal the deal before close of business. However, because you are onsite at that customer's office, your laptop is offline and has not connected to their Guest WiFi network at all.

 

These instances require you to log in first before establishing a network connection. You are effectively locked out of your machine if login while offline is not allowed. What then? Do we just create a backdoor Just-In-Case (a.k.a. Fail Open) login account? The answer cannot simply be "No Network, No Secure Login Needed" for these whenever-wherever-machines.

 

Convenient & Seamless Windows Login Untethered, The RSA Way

Introducing the All New RSA Multi-Factor Authentication (MFA) Agent for Microsoft Windows. This is our vision for users to securely and reliably log in to Windows machines, Convenient and Seamless whether Online or Offline. Anyone can claim that their product is reliable, because if something goes wrong they can depend on users easily getting online and even staying online reliably while standing still. The machines in the above examples are offline and cannot connect to the authentication server to complete authentication. However, the user cannot get the machine back online unless they can log in first. Good luck telling them to go to the nearest company office location just to log in again.

 

This agent is designed from the ground up with the strength of the RSA Authentication Agent for Microsoft Windows (a.k.a. Windows Agent) and the convenient and secure modern authentication options of the RSA SecurID Access Cloud Authentication Service (CAS), all to secure Windows workstation and server logins. It is not only the ability for users to authenticate with different modern authentication methods that makes this agent unique; it is the ability for users to log in to their machines, Online or Offline, with the same authentication device and the same login experience. Imagine having to log in multiple times a day and deciding which device to use for login every time. You want convenient login and IT admins want secure login to your whenever-wherever-machines.

 

How RSA Does It... Better

The MFA Agent's Offline Authentication uses the Authenticate Tokencode generated by the RSA SecurID Authenticate App. This is based on RSA's unique way of allowing tokencodes to be verified without network connectivity to the authentication server. What makes the MFA Agent's offline authentication even better than other solutions is the use of the same Authenticate Tokencode for both online and offline authentication. With our agent, an attacker cannot gain access to the machine console, and malicious code cannot execute properly, while the machine is offline. This is because most sensitive resources on an MFA Agent protected Windows machine require a valid Authenticate Tokencode. To top it off, if users choose to log in with an Authenticate Tokencode while online, they can also use the same device to generate an Authenticate Tokencode for login while offline.

 

This is what we do today with the classic Windows Agent using tokencodes generated by RSA's award-winning RSA SecurID tokens, deemed the Gold Standard for reliable and secure Offline Authentication. IT organizations cannot effectively secure and control a machine that is offline from an attacker that is either in front of the console, or already running as malicious code inside these machines. Large corporations and various governments globally have trusted it for many years to protect login to their most important Windows machines when offline; you can trust our MFA Agent to do the same for your whenever-wherever-machines.

 

Something Sweet For Servers Too

What about Windows Servers? Some equate non-portable Windows machines to never-offline-machines. What they learn is that servers can go offline due to something as simple as a patch gone wrong that un-assigns the server's IP address. Admins can only reconnect them to the network if they log in to the server first. A lot of products out there will allow servers to "Fail Open" as a solution or even force admins to create a backdoor login account as backup. Why find this acceptable? Use the all new MFA Agent to reliably secure server logins when offline, just like the rest of your whenever-wherever-machines.

 

Summary

As you go about evaluating a secure Windows Login solution, make sure you ask yourself "What happens to login when the machine is offline?" You will find that you either have to give up on security or convenience or both. Now, you don't have to anymore. With RSA, organizations can empower users with Convenient & Seamless Windows Secure Authentication - Untethered. For end users, this is like having your cake and eating it too - no strings attached.

 

Here is a typical scenario that is familiar to anyone owning a smartphone these days: The Next Best Thing is here! I just bought it, so do I have to tell my IT admin to remove my old device from SecurID Access so that I can install and register the SecurID Access app on the shiny new toy I just bought?

 

The answer here is.... NO! Just follow these simple, easy-to-follow steps to unregister your old device from the SecurID Access database:

 

1) Open the SecurID Access App and go to the Via Tokencode screen. Click on the "gear" icon at the top right of the screen.

 


 

2) A screen will show up displaying details about the current SecurID App. Under the Companies section, select the Company you wish to unregister from RSA SecurID Access. In the below example, I am going to remove Company "sp49".

 


 

3) The Company Information screen will show up and the final step here is to click on the "Delete Company" button.

 


 

4) Now download the SecurID Access app to your new device and register it as you normally did with your old device.

 

There you have it. 4 easy steps to get your new device up and running in no time without needing any IT Admin help.
