Users can access RSA SecurID protected resources with Authenticate Tokencode when the Cloud Authentication Service or the connection is temporarily unavailable or too slow. Users who authenticate with methods that are supported by the Authenticate app, such as Approve and Device Biometrics, are prompted for Authenticate Tokencode. This feature does not support forwarding RADIUS authentication to the Cloud Authentication Service or authentication to SaaS applications.
To use this feature, you must have a direct connection between RSA Authentication Manager 8.5 and the Cloud Authentication Service or a connection that uses the embedded identity router in Authentication Manager. You must enable this feature in the Cloud Authentication Service. For instructions, see Configure High Availability Tokencodes.
How High Availability Tokencodes Work
When High Availability Tokencodes are configured, Authentication Manager automatically downloads High Availability Tokencode records for each user who registered an authenticator with the Cloud Authentication Service. These records begin with MFA*, have unique serial numbers, and do not count against the user’s Authentication Manager license. Authentication auditing records use the new serial number.
When the Cloud Authentication Service is not available, the following events occur:
- Users who normally use Authenticate Tokencode, Approve, or Device Biometrics are prompted for Authenticate Tokencode.
- The access policy in the Cloud Authentication Service is not applied.
- The Authentication Manager lockout policy determines how many failed logon attempts users can make before their accounts are locked and if accounts can be unlocked automatically or by the administrator.
- Authentication Manager determines whether a user is enabled, disabled, or locked.
After the connection becomes available, Authentication Manager resumes authentication using the Cloud Authentication Service. Authentication Manager does not send the Cloud Authentication Service updated authentication data, such as information about a user's last successful authentication. User status information is available from the Cloud Authentication Service.
Most High Availability Tokencode processing occurs automatically, without any administrative tasks:
- Authentication Manager monitors the Cloud Authentication Service to determine whether it is reachable, and whether High Availability Tokencode records are needed. This information is recorded in log files.
- A batch job called "Authenticate Tokencode Sync Job" automatically updates High Availability Tokencode records at the same time each day. RSA assigns each customer deployment a synchronization time between 1:00 AM and 5:00 AM local time. Configuration is not required. The total records processed are recorded in the System Activity monitor and log files. The sync marker time attribute records the timestamp of the last synchronized record that is stored in the Authentication Manager internal database.