Getting Started with FIDO-Certified Security Keys with RSA SecurID Access

RSA SecurID Access supports using FIDO2-Certified and U2F-compliant security keys as an authentication option. Additionally, RSA has partnered with Yubico to create the Yubikey for RSA SecurID Access. See RSA and Yubico.

RSA SecurID Access supports FIDO2 security keys for both primary (the passwordless user experience) and additional (or step-up) authentication and U2F keys only for additional authentication. FIDO primary authentication is only supported for service providers (SAML applications). See FIDO.

This document guides you through setting up and using security keys with RSA SecurID Access:

• If you are a user authenticating to a protected application with a security key, see Using a Security Key to Authenticate to a Protected Application.

• If you are an administrator setting up the Cloud Authentication Service for FIDO authentication, see Setting Up Cloud Authentication Service for Security Keys.

Using a Security Key to Authenticate to a Protected Application

Procedure 

1. Set up your PIN or biometric for the security key, if supported by your security key.

   Your administrator might instruct you to use the RSA Security Key Utility to create and manage the PIN for your security key:

   1. Click Start > RSA > RSA Security Key Utility.

      Depending on your configuration, Windows might present User Account Control (UAC) screens to request administrative credentials.

   2. Insert the security key.

      

   3. Click Create PIN.

      

   4. Enter your PIN in both fields, and click Submit.

      

2. Register your security key in RSA SecurID Access My Page:

   1. Sign into My Page. Your IT administrator sends the My Page URL to you.

   2. Select Security key from the drop-down list, and click Get Started.

      

   3. Connect the security key and follow the instructions. For example, insert the security key into the USB port and tap the security key.

      

   4. Change the name of the key if you like.

      

3. Authenticate to a protected application using your security key:

   1. Open the protected application.

   2. Connect the security key and follow the instructions. For example, insert the security key into the USB port and tap the security key.

      

Setting Up Cloud Authentication Service for Security Keys

If you are an administrator, perform these steps to start using security keys with Cloud Authentication Service. These steps assume that you have an existing Cloud Authentication Service deployment.

• Set Up FIDO in Cloud Administration Console
• Do a Test Authentication

Set Up FIDO in Cloud Administration Console

Before you begin 

• Review the system requirements for FIDO. See FIDO Authenticator Requirements.

• If you are using the RSA Security Key Utility to manage the security key PINs, deploy it to your users' computers. See Using RSA Security Key Utility.

Procedure 

1. Confirm that FIDO is in the desired assurance level:

   1. In the Cloud Administration Console, click Access > Assurance Levels.

   2. Add or move FIDO to the desired assurance level.

      

2. Confirm that you have an access policy that uses that assurance level:

   1. Click Access > Policies.

   2. Click Edit for the policy.

   3. In the Rules Sets tab, confirm that FIDO is listed in Authentication Options.

      

3. Add a service provider:

   1. Click Authentication Clients > Relying Parties > Add a Relying Party > Add next to Service Provider.

   2. Determine if you want to use FIDO for primary authentication or additional authentication, or both.

      If you want to use FIDO for primary authentication, add a service provider and specify FIDO as the primary authentication method. In the Authentication tab, select RSA SecurID Access manages all authentication. In the Primary Authentication Method drop-down list, select FIDO.

      

   3. If you are using FIDO for additional authentication, in the Access Policy for Additional Authentication, select the policy that contains FIDO.

      

4. Enable FIDO authenticator registration in My Page:

   1. Click Platform > My Page.

   2. Under Configuration, select Users can register FIDO authenticators in My Page and select Security key.

      

Do a Test Authentication

Procedure 

1. Register your security key in My Page. See Using a Security Key to Authenticate to a Protected Application.

2. Authenticate to your service provider to see it work. See the demo videos in Building on Passwordless Experience, extending FIDO2 support as Primary Authentication.

3. Confirm your test authentication in the User Event Monitor:

   1. Click Users > User Event Monitor.

   2. Look for the success entry: