RSA SecurID Access supports using FIDO2-Certified and U2F-compliant security keys as an authentication option. Additionally, RSA has partnered with Yubico to create the YubiKey for RSA SecurID Access. See RSA and Yubico.
RSA SecurID Access supports FIDO2 security keys for both primary (the passwordless user experience) and additional (or step-up) authentication, and U2F keys only for additional authentication. FIDO primary authentication is only supported for service providers (SAML applications). See FIDO.
This document guides you through setting up and using security keys with RSA SecurID Access:
- If you are a user authenticating to a protected application with a security key, see Using a Security Key to Authenticate to a Protected Application.
- If you are an administrator setting up the Cloud Authentication Service for FIDO authentication, see Setting Up Cloud Authentication Service for Security Keys.
Using a Security Key to Authenticate to a Protected Application
Procedure
- Set up your PIN or biometric for the security key, if supported by your security key.
  Your administrator might instruct you to use the RSA Security Key Utility to create and manage the PIN for your security key:
- Register your security key in RSA SecurID Access My Page:
  - Sign in to My Page. Your IT administrator sends the My Page URL to you.
  - Select Security key from the drop-down list, and click Get Started.
  - Connect the security key and follow the instructions. For example, insert the security key into the USB port and tap the security key.
  - Change the name of the key if you like.
- Authenticate to a protected application using your security key:
Setting Up Cloud Authentication Service for Security Keys
If you are an administrator, perform these steps to start using security keys with Cloud Authentication Service. These steps assume that you have an existing Cloud Authentication Service deployment.
Set Up FIDO in Cloud Administration Console
Before you begin
- Review the system requirements for FIDO. See FIDO Authenticator Requirements.
- If you are using the RSA Security Key Utility to manage the security key PINs, deploy it to your users' computers. See Using RSA Security Key Utility.
Procedure
- Confirm that FIDO is in the desired assurance level:
- Confirm that you have an access policy that uses that assurance level:
- Add a service provider:
  - Click Authentication Clients > Relying Parties > Add a Relying Party > Add next to Service Provider.
  - Determine if you want to use FIDO for primary authentication or additional authentication, or both.
    If you want to use FIDO for primary authentication, add a service provider and specify FIDO as the primary authentication method. In the Authentication tab, select RSA SecurID Access manages all authentication. In the Primary Authentication Method drop-down list, select FIDO.
  - If you are using FIDO for additional authentication, in the Access Policy for Additional Authentication, select the policy that contains FIDO.
- Enable FIDO authenticator registration in My Page:
Do a Test Authentication
Procedure
- Register your security key in My Page. See Using a Security Key to Authenticate to a Protected Application.
- Authenticate to your service provider to see it work. See the demo videos in Building on Passwordless Experience, extending FIDO2 support as Primary Authentication.
- Confirm your test authentication in the User Event Monitor: