Quarterly Prime News: January 2020

Document created by RSA SecurID Access Prime Team Employee on Jan 23, 2020

Over the past 12 months RSA Professional Services has worked closely with the RSA Product Team and made substantial progress in extending functionalities within RSA SecurID Access Prime (formerly AM Prime) to encompass the RSA Cloud Auth Service and newer MFA methods as well as Authentication Manager and traditional SecurID tokens.  Below we outline these updates and highlight the value that these updates provide. 


Prime Self-Service Portal

Earlier in 2019, a new SSP badge was added to support self-service functions related to the RSA Cloud Authentication Service and RSA Authenticate mobile MFA. 


Substantial improvements and refinements have also been made for self-service of Windows AD passwords, bringing additional customer value to Prime SSP as a "one-stop shop" for authentication credential self-service -- across traditional RSA hardware and software tokens, on-demand authenticators, modern RSA mobile authenticators, and Windows domain passwords.


Let's take a deeper look into the details of these Prime SSP enhancements...


RSA SecurID Authenticate Badge Functionality



Prime SSP supports a guided process for users to enroll their mobile device with the RSA Cloud Authentication Service, whether transitioning from an existing RSA authenticator, onboarding as a net new RSA user, or any scenario in between. 


Once enrolled, the Authenticate badge, pictured at left, will be visible to the end-user in their SSP dashboard view, and the user now has the ability to:

  • Trigger a test authentication to their mobile device.
  • Edit their mobile number for SMS or voice.
  • Un-enroll their mobile device, in the event of mobile device replacement.

Windows AD Password Self-Service

Numerous improvements to AD Password self-service have been made both within the SSP User Interface (UI) and "under the hood", with the goal of streamlining the end-user experience and making pertinent details and tasks more readily accessible and obvious to the user.

  • Once authenticated within the portal, the user account is automatically unlocked (optional configuration).
  • User details are surfaced to show AD account status and password expiration date.
  • Test AD Authentication supports "change password at next log on" scenarios.
  • Reset Password workflow allows for change/reset of user AD password.



Added End-User Assistance Features


A new tab has been added to SSP that allows customers to locate their own "How to..." help, troubleshooting, and tutorial information within the portal itself. The contents of this tab are fully customizable HTML and can include graphics and videos.


Additionally, more mouse-over "tool tips" have been implemented for various SSP fields and buttons to provide contextual guidance to end-users.


Prime Help Desk Admin Portal

HDAP now provides customers' front-line Help Desk staff with a "single pane of glass" to view all end-user RSA authenticators and authentication activity across the full RSA SecurID Access platform -- Authentication Manager and the RSA Cloud Authentication Service.


HDAP can be leveraged to initiate "one-time use" email invitations for user device enrollment with the RSA Cloud Authentication Service. 


End-User Identity Verification Through MFA

HDAP provides help desk personnel with the ability to trigger an RSA Cloud Authentication event to an end-user's device to do a real-time user identity verification and device proof-of-possession check:


1. End-User initiates call to the Help Desk to get further assistance troubleshooting an issue with their access.


2. After looking up and verbally vetting the End-User, the Help Desk Representative triggers an MFA event to the End-User's enrolled mobile device by clicking the "Verify Identity" button in HDAP and choosing the authentication method to apply.


3. End-User receives a request to authenticate via the Help Desk-selected method on their enrolled mobile device.  In this case, the Help Desk Representative elected to challenge based on the user's fingerprint.

4. Help Desk Representative receives confirmation the End-User authentication was successful and can now continue the call with the confidence of strong identity assurance!


Consolidated Viewing of User Authentication Activity


HDAP can display a consolidated user authentication history across both Authentication Manager and the RSA Cloud Authentication Service so that Help Desk personnel can quickly zero in on the user's activity and issue without having to concern themselves with which type of authenticator the end-user has or which back-end system the authentication request is hitting.


There is an option for the HDAP user to filter by: AM & CAS, AM Only or CAS only.


Prime Windows Credential Provider

A Windows 10-compatible Credential Provider has been added to the Prime software package to facilitate RSA authenticator onboarding and forgot password/PIN scenarios when the End-User is not on the corporate network to access self-service (Prime SSP, MyPage, or other).  RSA strong authentication is used within these workflows to gain "off-network" access to authorized self-service functions.


Used in combination with the new Windows MFA Agent, the Prime tools can provide a compelling piece of the RSA story to take large Enterprise organizations on the journey to password-less authentication.


Other Items of Note

The Professional Services team is actively working to make the PrimeKit installation package the official customer distribution for the RSA SecurID Access Prime software package.


Contact your RSA Sales Representative if you are interested in learning more about the RSA SecurID Access Prime package and feature updates.