Authentication Methods for Cloud Authentication Service Users

Document created by RSA Information Design and Development on Jul 13, 2016. Last modified by RSA Product Team on Dec 11, 2019. Version 51.

An authentication method is a credential a user provides or an action a user performs to prove his or her identity. This topic describes the authentication methods you can make available to users who are in identity sources that are configured for the Cloud Authentication Service.

There are two types of authentication: primary and additional. Users are challenged for primary authentication (for example, an LDAP password) when they initially attempt to access a protected resource. After the user is validated for primary authentication, the application's access policy determines if additional authentication (another credential) is required.

The following table lists all of the supported authentication methods, indicates whether each method can be used to access resources protected by the Cloud Authentication Service or by an RSA Authentication Manager agent, and whether the method can be used for primary or additional authentication.

Authentication Method               Protected by Cloud     Protected by RSA Authentication   Used for Primary (P) or
                                    Authentication Service Manager Agent                     Additional (A) Authentication
LDAP Directory Password             X                                                        P*
RSA SecurID Token                   X                      X                                 P*, A
RSA SecurID Authenticate Tokencode  X                      X                                 A
FIDO Token                          X                                                        P*, A
Approve                             X                      X                                 A
Device Biometrics                   X
SMS Tokencode                       X                                                        A
Voice Tokencode                     X                                                        A
Emergency Tokencode                 X                                                        A

* For primary authentication, the following restrictions apply. LDAP password is supported in SSO Agent, RADIUS, and relying party (service provider) deployments. RSA SecurID Token is supported only in SSO Agent and relying party (service provider) deployments. FIDO Token is only supported in relying party deployments.

Integrating RSA Authentication Manager with the Cloud Authentication Service

Integrating RSA Authentication Manager with the Cloud Authentication Service lets you expand the number of resources you protect and the authentication options you make available to users. For instructions on integrating RSA Authentication Manager with the Cloud Authentication Service, see:

LDAP Directory Password

The LDAP directory password is used for primary authentication and to register devices. LDAP directory passwords are managed within the LDAP directory server. User records are synchronized from the LDAP directory server to identity sources in RSA SecurID Access. The Cloud Authentication Service must be able to reach your on-premise identity source for authentication to succeed.

RSA SecurID Token

The RSA SecurID Token method employs a one-time, randomly generated number called a tokencode. The tokencode is generated on a hardware or software token and is verified by your on-premise RSA Authentication Manager server. A Personal Identification Number (PIN) is often required. The tokencode is time-based and must be used before it expires. RSA SecurID Tokens are issued and revoked only through Authentication Manager.

This method can be used to access resources protected by the Cloud Authentication Service or by authentication agents in RSA Authentication Manager deployments.

RSA SecurID Authenticate Tokencode

Similar to RSA SecurID Tokens, RSA SecurID Authenticate Tokencode employs a one-time, randomly generated number called a tokencode. This tokencode is generated on a device where the RSA SecurID Authenticate app is installed. The tokencode, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires. These tokencodes are valid for up to five minutes after they are generated and displayed on a user's device. The user is enrolled for this method automatically after device registration.

If your company has deployed both RSA SecurID Access and RSA Authentication Manager 8.2 or later, you can integrate the two products so that users can authenticate with RSA SecurID Tokens and RSA SecurID Authenticate Tokencodes on the same RSA Authentication Agent.

Protect Access to Authenticate Tokencode

You can require users to provide additional authentication to view the RSA SecurID Authenticate Tokencode. This setting takes effect 24 hours after it is enabled or after the user restarts the app. The user must tap or click View Tokencode on the app home screen and authenticate before viewing the tokencode.

The first time the user taps or clicks View Tokencode, the app prompts the user to create a PIN that is only used for viewing the Authenticate Tokencode. The PIN must be numeric, contain 4-10 digits, and cannot contain repeating or consecutive numbers, for example, 1111 or 1234. You can configure the minimum PIN length. For instructions, see Configure Session and Authentication Method Settings.

The PIN applies to the RSA SecurID Authenticate Tokencodes for all companies in the app. If users have multiple companies in the app, their minimum PIN length is the longest minimum PIN length of their companies.

On iOS and Android, if the user has set up biometrics, the app prompts the user to authenticate with a biometric (for example, fingerprint or Face ID) instead of using a PIN. The user can also choose to skip or cancel biometrics and enter the PIN. If the user fails biometrics or has not set up biometrics, then the app prompts the user to enter the PIN.

On Windows, the app prompts the user to authenticate with the PIN.

If the user enters an incorrect PIN five times, the PIN is locked and the user must reset the PIN. To reset the PIN, users must do the following:

  • On iOS or Android, the app prompts the user for device unlock credentials, such as a passcode. The user must set up device unlock credentials to reset the PIN.

  • On Windows, the app prompts the user to delete all companies that require authentication to view the tokencode and then re-register those companies.

The user can authenticate to view the tokencode with an online or offline device. However, if the user needs to reset the PIN on a Windows device, the user must be online. The user can reset the PIN online or offline on iOS or Android devices.
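As an added example (not RSA's code), the following checker implements the viewing-PIN rules described above: the 4-10 digit range, the longest minimum length across companies, the ban on repeating or consecutive digits, and the five-attempt lockout. Exactly what counts as "repeating" or "consecutive" beyond the 1111 and 1234 examples is an assumption, and the function and class names are invented here.

```python
import hmac
from dataclasses import dataclass

MAX_PIN_LENGTH = 10      # page: the PIN contains 4-10 digits
MAX_FAILED_ATTEMPTS = 5  # page: five incorrect entries lock the PIN

def effective_min_length(company_minimums=()):
    """With several companies in the app, the longest configured minimum applies (floor 4)."""
    return max([4, *company_minimums])

def has_repeating_digits(pin):
    # assumption: any two identical adjacent digits count as "repeating" (e.g. 1111)
    return any(a == b for a, b in zip(pin, pin[1:]))

def has_consecutive_digits(pin, run=3):
    # assumption: any ascending or descending run of `run` digits counts (e.g. 1234, 4321)
    steps = [int(b) - int(a) for a, b in zip(pin, pin[1:])]
    return any(set(steps[i:i + run - 1]) in ({1}, {-1}) for i in range(len(steps) - run + 2))

def validate_pin(pin, company_minimums=()):
    """Return None if the PIN meets the policy, otherwise the reason it is rejected."""
    if not pin.isdigit():
        return "PIN must be numeric"
    lo = effective_min_length(company_minimums)
    if not lo <= len(pin) <= MAX_PIN_LENGTH:
        return f"PIN must be {lo}-{MAX_PIN_LENGTH} digits"
    if has_repeating_digits(pin):
        return "PIN must not contain repeating digits"
    if has_consecutive_digits(pin):
        return "PIN must not contain consecutive digits"
    return None

@dataclass
class ViewTokencodePin:
    """Counts wrong entries; after five the PIN is locked until the user resets it."""
    pin: str          # demo only: a real store would keep a salted hash, not the PIN
    failed: int = 0
    locked: bool = False

    def check(self, attempt):
        if self.locked:
            return False
        if hmac.compare_digest(attempt.encode(), self.pin.encode()):
            self.failed = 0   # a correct entry clears the failure count
            return True
        self.failed += 1
        self.locked = self.failed >= MAX_FAILED_ATTEMPTS
        return False
```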

FIDO Token

The FIDO Token is a FIDO-certified security key. RSA SecurID Access supports FIDO2 and U2F compliant security keys. RSA SecurID Access supports FIDO Token for both primary (for example, the user is prompted to sign in with a FIDO token instead of entering a password after entering a user ID) and additional authentication (for example, after entering a user ID and password, the user is prompted to sign in with a FIDO token).

FIDO2 security keys can be used for primary authentication and additional authentication. U2F security keys can be used for additional authentication. For a list of system requirements for the FIDO Token, see Cloud Authentication Service User Requirements.

 

Users must register their FIDO tokens before they can use them for authentication. Registration happens in one of two ways:

  • The first time the user clicks an icon for a protected application, the user enters an identity source password, inserts the FIDO Token, and, if required, taps the token. Subsequent authentications do not require a password. This is the default registration method.

  • The user goes to My Page to register the FIDO Token. Users authenticate to My Page according to the access policy protecting My Page. You can make My Page registration a requirement by enabling both My Page and FIDO Token registration in the Cloud Administration Console at Platform > My Page. After both functions are enabled, users can no longer register FIDO Tokens during first-time authentication.

 

Note the following requirements for using FIDO tokens for primary authentication:

  • The FIDO token must require user verification on the token, such as a PIN or biometric.

  • Users must set up the token user verification before accessing an application that requires FIDO Token.

  • Users must first register their FIDO Tokens with RSA SecurID Access when accessing an application where FIDO Token is used for additional authentication, for example, a service provider or My Page. Then users can use FIDO Token as a primary authentication method.

Note: The FIDO Token might not work on browsers that run on a virtual machine.

Approve

When using Approve to access a cloud-protected resource, the user attempts to access the application and then is prompted to tap a button on a registered device. When using Approve to access an agent-protected resource, the user enters a PIN before tapping a button on an Authenticate device. In both cases, the user can also tap an interactive notification on the device or on an Apple Watch or Android Wear watch paired to the device. The user must respond within one minute, otherwise the method times out and is considered a failed authentication. The user is enrolled for this method automatically after Authenticate device registration.

This method can be used to access resources protected by the Cloud Authentication Service or by authentication agents in RSA Authentication Manager deployments.

Device Biometrics

Device Biometrics allows users to authenticate to applications using biometrics available on their devices, such as Apple Touch ID or Face ID, Android fingerprint, or Windows Hello. Before using Device Biometrics, users must first set up biometrics on their devices. RSA SecurID Access does not force users to do this.

To use Device Biometrics on Windows 10 PCs, Windows Hello must be enabled. Also, keep in mind that users can sign in using a Hello PIN.

SMS Tokencode

SMS Tokencode is a six-digit code that RSA SecurID Access sends to the user's phone in an SMS message when the user attempts to access an application. The tokencode, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires three minutes after it is sent to the user. If it expires or the user does not receive it, the user can click Resend Tokencode. This method does not require device registration using the RSA SecurID Authenticate app.

When planning your available authentication methods, consider making SMS Tokencode available for emergency access when the user cannot use other methods, for example, when the user loses the RSA SecurID Token or cannot locate the device used to register the RSA SecurID Authenticate app.

Users can use SMS Tokencode if these criteria are met:

  • RSA has enabled this feature for your company.

  • Users' required identity source information is synchronized with the Cloud Authentication Service (similar to other authentication methods).

  • A valid mobile phone number is stored for the user in the Cloud Authentication Service. The phone number can be synchronized from the LDAP directory server or entered manually by the administrator.

For details on how SMS phone numbers are handled during identity source synchronization, see Identity Sources for the Cloud Authentication Service.

Voice Tokencode

Voice Tokencode is a six-digit code that RSA SecurID Access provides by calling the user's phone when the user attempts to access an application. The tokencode, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires three minutes after it is sent to the user. If it expires or the user does not receive it, the user can click Resend Tokencode. This method does not require a mobile device.

When planning your available authentication methods, consider making Voice Tokencode available for emergency access when the user cannot use other methods, for example, for users who do not have mobile phones or when the user loses the RSA SecurID Token.

Users can use Voice Tokencode if these criteria are met:

  • RSA has enabled this feature for your company.

  • Users' required identity source information is synchronized with the Cloud Authentication Service (similar to other authentication methods).

  • A valid phone number (landline or mobile) is stored for the user in the Cloud Authentication Service. The phone number can be synchronized from the LDAP directory server or entered manually by the administrator.

For details on how Voice Tokencode phone numbers are handled during identity source synchronization, see Identity Sources for the Cloud Authentication Service.

Emergency Tokencode

If a user forgets or misplaces a registered device, you can generate an Emergency Tokencode and provide it to the user. The next time the user attempts to access the protected resource, the user can select Emergency Tokencode from the list of available options. The tokencode is valid for the configured number of days (1-7).

Emergency Tokencode is displayed during authentication as an available option to the user only after you generate the tokencode for the user on the Users > Management page in the Cloud Administration Console. The tokencode is available to the user until it expires or you disable it. After a user selects Emergency Tokencode one time, it becomes the user's default method until one of the following occurs:

  • The tokencode expires.

  • An administrator disables the tokencode on the Users > Management page.

  • The user selects a different option, which becomes the new default method.

Similar to other RSA SecurID Access authentication methods, Emergency Tokencode must be configured and published in your assurance levels and access policies before it can be used for authentication.

Note: RSA recommends that you avoid adding Emergency Tokencode to the High assurance level. Doing so will make Emergency Tokencode available to your most sensitive applications.

If a user types the tokencode incorrectly, the number of allowed retries is configured in the Cloud Administration Console on the My Account > Company Settings > Session & Authentication page.

For instructions on generating and disabling Emergency Tokencodes, see Manage Users for the Cloud Authentication Service.
