Assurance Levels

Document created by RSA Information Design and Development on Jul 13, 2016. Last modified by RSA Information Design and Development on Sep 15, 2017.

Assurance levels define the authentication methods required to access applications or authentication clients (relying party or RADIUS client) during authentication. RSA SecurID Access provides three assurance levels: High, Medium, and Low. Each level indicates the relative strength and security of the authentication methods within that level.

You can configure authentication options for each assurance level. An option can be a standalone authentication method such as Fingerprint, or it can combine two methods connected by AND operators, such as RSA SecurID Token and Approve. RSA SecurID Access provides default options for each assurance level, but you can add or remove options using the Cloud Administration Console.

How Assurance Levels Are Used During Authentication

The access policy for an application or authentication client specifies an assurance level if the application requires additional authentication. To access the application or authentication client, users must successfully authenticate using one option from that assurance level or a higher assurance level. For example, if Concur is protected by a policy named Inside Network and the policy specifies the Medium assurance level, then users accessing Concur must authenticate using an authentication method defined for the Medium or High level.

The first option listed for an assurance level on the Assurance Levels page is presented as the default for each new user when he or she authenticates to an application or client assigned to that assurance level for the first time. A user can select another option at any time, as long as the assigned assurance level or a higher assurance level contains additional options that the user can complete. When a user successfully authenticates with an option, that option becomes the user's default for future authentications for that assurance level.

If users cannot use the default option in an assurance level and are authenticating to an assurance level for the first time, RSA SecurID Access presents the next possible option in the list for the users to complete. For example, if the default option is Authenticate Tokencode and the users have not registered Authenticate devices, then RSA SecurID Access skips the default option and displays the next non-Authenticate option in the list, such as RSA SecurID Token.

If users cannot complete any options, then the users see "Contact your administrator," "Authentication failed," or a message to install and register the Authenticate app. To avoid this situation, ensure that users can authenticate with at least one option from each assurance level that they will use. For example, if only a subset of users have Authenticate devices, include non-Authenticate authentication options (for example, RSA SecurID Token) in higher assurance levels. Or if a subset of users have Windows devices, include Authenticate Tokencode as an option in assurance levels because that is the only supported authentication method for Windows devices.
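The option-selection rules above (first listed option is the default, options the user cannot complete are skipped, a successful option becomes the remembered default, and a user who can complete nothing gets an error) are easy to get wrong when planning a configuration. The following Python model is an added illustration written from this description; it is not RSA code and not the product's evaluation logic. The level ordering, the constructed option lists, the per-method capability checks and the assumption that the required level's own options are tried before higher levels' options are all assumptions made for the example.

```python
"""Model of how an assurance-level option is chosen for a user.

Added illustration built from the page's description; not RSA code. The option
lists, capability checks and level ordering are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assurance levels from weakest to strongest (assumed ranking of Low/Medium/High).
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}

# Constructed configuration: options per level in the order they would be listed
# on the Assurance Levels page. Each option appears in only one level, and the
# first option of a level is the default presented to a new user.
ASSURANCE_LEVELS: Dict[str, List[str]] = {
    "High": ["RSA SecurID Token and Approve", "RSA SecurID Token and Fingerprint"],
    "Medium": ["Authenticate Tokencode", "Approve", "RSA SecurID Token"],
    "Low": ["SMS Tokencode"],
}

# Methods that need a device registered with the RSA SecurID Authenticate app
# (simplification: Fingerprint enrolment and device model checks are folded in).
AUTHENTICATE_METHODS = {"Authenticate Tokencode", "Approve", "Fingerprint", "Eyeprint ID"}


@dataclass
class User:
    name: str
    has_token: bool = False                # assigned a SecurID hardware/software token
    authenticate_registered: bool = False  # completed Authenticate device registration
    has_sms_phone: bool = False            # has a phone that can receive SMS
    # Remembered default option per assurance level, set after a success.
    defaults: Dict[str, str] = field(default_factory=dict)


def can_complete(user: User, option: str) -> bool:
    """An option that joins methods with AND is usable only if every method is."""
    for method in option.split(" and "):
        if method in AUTHENTICATE_METHODS and not user.authenticate_registered:
            return False
        if method == "RSA SecurID Token" and not user.has_token:
            return False
        if method == "SMS Tokencode" and not user.has_sms_phone:
            return False
    return True


def eligible_options(required_level: str) -> List[str]:
    """Options of the required level, then of each higher level, in list order."""
    levels = sorted(
        (lvl for lvl in ASSURANCE_LEVELS if LEVEL_RANK[lvl] >= LEVEL_RANK[required_level]),
        key=LEVEL_RANK.__getitem__,
    )
    return [opt for lvl in levels for opt in ASSURANCE_LEVELS[lvl]]


def choose_option(user: User, required_level: str) -> Optional[str]:
    """Return the option to present first, or None if the user can complete none.

    A remembered default for this level wins if it is still usable; otherwise
    walk the list and skip each option the user cannot complete (for example
    Authenticate-based options when no Authenticate device is registered).
    """
    remembered = user.defaults.get(required_level)
    if remembered and can_complete(user, remembered):
        return remembered
    for option in eligible_options(required_level):
        if can_complete(user, option):
            return option
    return None  # the user would see "Contact your administrator" or similar


def alternatives(user: User, required_level: str, current: str) -> List[str]:
    """Other options the user may switch to while being prompted with current."""
    return [o for o in eligible_options(required_level)
            if o != current and can_complete(user, o)]


def record_success(user: User, required_level: str, option: str) -> None:
    """A successful authentication makes that option the user's default."""
    user.defaults[required_level] = option


if __name__ == "__main__":
    alice = User("alice", has_token=True)          # token but no Authenticate device
    print("alice, Medium:", choose_option(alice, "Medium"))
    print("alice, High:", choose_option(alice, "High"))  # None: High has no non-Authenticate option
```

Running the `__main__` block shows the situation the paragraph warns about: with the constructed configuration, a token-only user is served at Medium by the third option, but at High every option needs an Authenticate device, so the user can complete nothing. Adding a standalone RSA SecurID Token option to High (and removing it from Medium, since each option may be selected once) is the fix the page recommends.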

If the authentication method is locked, the authentication method times out, or (in a RADIUS deployment) users make three unsuccessful authentication attempts, users are automatically prompted to select a different method, retry, or cancel. For more information about lockout, see Authentication Method Lockout.

For a detailed description of how the assurance level evaluation process works, see Evaluating Assurance Levels and Primary Authentication Status to Return Authentication Methods. Although applications in SSO Agent deployments do not use the Authentication API, the general flow described in this topic is applicable.

Assurance Levels and SSO

In SSO Agent deployments, after users authenticate to a specific assurance level, users can access any application that allows access through access rules and uses the same assurance level or lower without providing additional forms of authentication, as long as the session is active. For example, if users successfully authenticate using an option defined for the Medium level, then the users in the same sessions can access other applications that require options for the Medium or Low levels.

If users successfully authenticate with an option from a higher assurance level than is required by the access policy, the users can still only access applications that use the same required assurance level or lower without completing additional authentication. For example, if an application requires the Low level and users successfully authenticate using an option defined for the Medium level, then the users in the same sessions can seamlessly access other applications that require options for the Low level but not the Medium level.

In relying party and RADIUS deployments, users must authenticate when accessing each relying party or RADIUS client.
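The session rules in this section have one subtle point: a session is credited with the level the access policy required, not with the level of the option the user happened to use. The following Python model is an added illustration written from this description; it is not RSA code. The level ordering, the deployment labels, the application names, and the assumption that a session keeps the highest required level it has satisfied so far are all constructed for the example.

```python
"""Model of which applications an SSO session may open without re-authenticating.

Added illustration built from the page's description; not RSA code. Level
ranking, deployment labels and the "highest satisfied required level" rule are
assumptions for the example.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed ranking of the three assurance levels.
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Application:
    name: str
    required_level: str            # assurance level named by its access policy
    deployment: str = "sso_agent"  # "sso_agent", "relying_party" or "radius" (constructed labels)


@dataclass
class Session:
    active: bool = True
    # Highest *required* level satisfied in this session. Authenticating with an
    # option from a higher level than the policy asked for does not raise it.
    satisfied_level: Optional[str] = None


def needs_authentication(app: Application, session: Session) -> bool:
    """True if the user must authenticate before opening app."""
    if app.deployment != "sso_agent":
        return True  # relying party and RADIUS clients prompt on every access
    if not session.active or session.satisfied_level is None:
        return True
    return LEVEL_RANK[app.required_level] > LEVEL_RANK[session.satisfied_level]


def authenticate(session: Session, app: Application, option_level: str) -> None:
    """Record a successful authentication to app with an option from option_level.

    The option must belong to the required level or a higher one, but the
    session is credited only with the level the policy required.
    """
    if LEVEL_RANK[option_level] < LEVEL_RANK[app.required_level]:
        raise ValueError("option is weaker than the access policy requires")
    if app.deployment != "sso_agent":
        return  # nothing carries over to other relying parties or RADIUS clients
    current = session.satisfied_level
    if current is None or LEVEL_RANK[app.required_level] > LEVEL_RANK[current]:
        session.satisfied_level = app.required_level


def accessible_without_prompt(session: Session, apps: List[Application]) -> List[str]:
    """Names of the applications the session can open seamlessly."""
    return [a.name for a in apps if not needs_authentication(a, session)]


if __name__ == "__main__":
    apps = [Application("Wiki", "Low"), Application("Concur", "Medium"),
            Application("Payroll", "High"), Application("VPN", "Low", "radius")]
    s = Session()
    authenticate(s, apps[0], "Medium")  # Low app, but user used a Medium option
    print(accessible_without_prompt(s, apps))  # only the Low SSO app
```

The `__main__` run reproduces the page's second example: authenticating to a Low application with a Medium option still leaves Concur (Medium) behind a prompt, and the RADIUS client prompts regardless of the session.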

Preconfigured Options for Assurance Levels

RSA SecurID Access provides the following preconfigured options for assurance levels. You can select each option once in your assurance level configuration.

RSA SecurID Token
    When to use: For users who are assigned an RSA SecurID hardware or software token.

Fingerprint
    When to use: For users with an iOS 8.0 or later device that supports Touch ID or a Samsung or Android version 6.0 or later device with a fingerprint sensor, who have completed device registration using the RSA SecurID Authenticate app, and who have set up or registered fingerprints.

Approve
    When to use: For users who have an iOS or Android mobile device and have completed device registration using the RSA SecurID Authenticate app.

RSA SecurID Authenticate Tokencode
    When to use: For users who have completed device registration using the RSA SecurID Authenticate app.

SMS Tokencode
    When to use: For users who have a phone that can receive SMS messages. Does not require device registration using the RSA SecurID Authenticate app.
    Only supported in relying party deployments.

FIDO Token
    When to use: For users who have a FIDO Token.
    Only supported in SSO Agent deployments.

Eyeprint ID™
    When to use: For users who have an iOS or Android mobile device that meets the EyeVerify system requirements, have completed device registration using the RSA SecurID Authenticate app, and have enrolled in Eyeprint ID.

RSA SecurID Token and Approve
    When to use: For users who are assigned an RSA SecurID hardware or software token, have an iOS or Android mobile device, and have completed device registration using the RSA SecurID Authenticate app.
    Only supported in relying party and SSO Agent deployments.

RSA SecurID Token and Eyeprint ID
    When to use: For users who are assigned an RSA SecurID hardware or software token, have an iOS or Android mobile device that meets the EyeVerify system requirements, have completed device registration using the RSA SecurID Authenticate app, and have enrolled in Eyeprint ID.
    Only supported in relying party and SSO Agent deployments.

RSA SecurID Token and Fingerprint
    When to use: For users who are assigned an RSA SecurID hardware or software token and have an iOS 8.0 or later device that supports Touch ID or a Samsung or Android version 6.0 or later device with a fingerprint sensor, have completed device registration using the RSA SecurID Authenticate app, and have set up or enrolled fingerprints.
    Only supported in relying party and SSO Agent deployments.

FIDO Token and Approve
    When to use: For users who have a FIDO Token, have an iOS or Android mobile device, and have completed device registration using the RSA SecurID Authenticate app.
    Only supported in SSO Agent deployments.

FIDO Token and Eyeprint ID
    When to use: For users who have a FIDO Token and have an iOS or Android mobile device that meets the EyeVerify system requirements, have completed device registration using the RSA SecurID Authenticate app, and have enrolled in Eyeprint ID.
    Only supported in SSO Agent deployments.

FIDO Token and Fingerprint
    When to use: For users who have a FIDO Token and an iOS 8.0 or later device that supports Touch ID or a Samsung or Android version 6.0 or later device with a fingerprint sensor, have completed device registration using the RSA SecurID Authenticate app, and have set up or enrolled fingerprints.
    Only supported in SSO Agent deployments.
