An authentication method is a credential that you provide or an action that you perform to prove your identity. For primary authentication, RSA SecurID Access supports the following methods.
| Deployment | Supported Authentication Methods |
|---|---|
| | LDAP Directory Password, RSA SecurID Token |
| RADIUS for Cloud Authentication Service | LDAP Directory Password |
For additional authentication, after primary authentication has been satisfied, RSA SecurID Access supports the following methods.
| Deployment | Supported Authentication Methods |
|---|---|
| | RSA SecurID Authenticate Tokencode, RSA SecurID Token, Approve, Fingerprint Verification, Eyeprint Verification, SMS Tokencode |
| RADIUS for Cloud Authentication Service | Approve, RSA SecurID Token, RSA SecurID Authenticate Tokencode, Fingerprint Verification, Eyeprint Verification |
| SSO Agent | RSA SecurID Authenticate Tokencode, RSA SecurID Token, Approve, Fingerprint Verification, Eyeprint Verification, FIDO Token |
| RSA Authentication Manager (authentication agents) | RSA SecurID Token, RSA SecurID Authenticate Tokencode |
The RSA SecurID Authenticate for Windows 10 app supports only RSA SecurID Authenticate Tokencode.
Note: If your company includes multiple deployment types, make sure your assurance levels contain enough options to support each type. For example, a deployment might support SSO Agent, RADIUS, and relying parties. An assurance level might allow FIDO Tokens for users gaining access through the SSO Agent, but it must provide additional options for users gaining access through RADIUS or relying parties.
LDAP Directory Password
The LDAP directory password is used for primary authentication and to register devices. LDAP directory passwords are managed within the LDAP directory server. User records are synchronized from the LDAP directory server to identity sources in RSA SecurID Access. The Cloud Authentication Service must be able to reach your on-premises identity source for authentication to succeed.
RSA SecurID Token
The RSA SecurID Token method employs a one-time, randomly generated number called a tokencode. The tokencode is generated on a hardware or software token and is verified by your on-premises RSA Authentication Manager server. A Personal Identification Number (PIN) is often required. The tokencode is time-based and must be used before it expires. RSA SecurID Tokens are issued and revoked only through Authentication Manager.
RSA SecurID Authenticate Tokencode
Similar to RSA SecurID Tokens, RSA SecurID Authenticate Tokencode employs a one-time, randomly generated number called a tokencode. This tokencode is generated on a device where the RSA SecurID Authenticate app is installed. The tokencode, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires. The user is enrolled for this method automatically after device registration.
If your company has deployed both RSA SecurID Access and RSA Authentication Manager 8.2 or later, you can integrate the two products so that users can authenticate with RSA SecurID Tokens and RSA SecurID Authenticate Tokencodes on the same RSA Authentication Agent.
Additional Authentication to View Authenticate Tokencode
You can require users to provide additional authentication to view the RSA SecurID Authenticate Tokencode. This setting takes effect 24 hours after it is enabled or after the user restarts the app. The user must tap View Tokencode on the app home screen and authenticate before viewing the tokencode.
The first time the user taps View Tokencode, the app prompts the user to create a PIN:
- iOS and Android: The Authenticate app prompts you to create a PIN that is used only for viewing the Authenticate Tokencode. The PIN must be numeric, contain 4-255 digits, and must not consist only of repeating or consecutive digits, for example, 1111 or 1234.
- Windows: The Authenticate app instructs you to create a Windows Hello PIN only if you have not already created one.
Note: Windows Hello must be enabled, or users cannot authenticate to view the tokencode. To ensure that Windows Hello is enabled, work with your IT group.
The PIN applies to the RSA SecurID Authenticate Tokencodes for all companies in the app.
On iOS and Android, if the user has set up or registered fingerprints, the app prompts the user to authenticate with a fingerprint. The user can also choose to skip Fingerprint Verification and enter the PIN. If the user fails Fingerprint Verification three times, or has not set up or registered fingerprints, the app prompts the user to enter the PIN. If the user enters an incorrect PIN five times, the PIN is locked and the user must reset it. To reset the PIN, the app prompts the user for Fingerprint Verification or for the password of the company requesting the tokencode. The user can authenticate to view the tokencode with an online or offline device. However, if the app prompts the user to enter the password to reset the PIN, the user must be online.
On Windows, Windows Hello manages the user authentication flow and resetting of authentication options.
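The PIN policy and the iOS/Android prompt sequence described above (fingerprint first, fallback to PIN after three fingerprint failures, lock after five wrong PINs, reset by fingerprint or by the company password when online), modelled as an added example; this is not code from the RSA SecurID Authenticate app. It assumes that a descending run such as 4321 counts as "consecutive" in the same way as 1234.

```python
import hmac

FP_MAX_FAILURES = 3    # fingerprint failures before the app falls back to the PIN
PIN_MAX_FAILURES = 5   # wrong PINs before the PIN locks and must be reset


def pin_is_acceptable(pin: str) -> bool:
    """4-255 digits, not solely one repeated digit or a consecutive run (assumed: 4321 counts too)."""
    if not (pin.isdigit() and 4 <= len(pin) <= 255) or len(set(pin)) == 1:
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps not in ({1}, {-1})


class ViewTokencodeGate:
    # Constructed model of the iOS/Android prompt sequence behind View Tokencode.
    def __init__(self, pin: str, has_fingerprints: bool):
        if not pin_is_acceptable(pin):
            raise ValueError("PIN violates the View Tokencode PIN policy")
        self._pin, self.has_fingerprints = pin, has_fingerprints
        self.fp_failures = self.pin_failures = 0
        self.locked = False

    def next_prompt(self) -> str:  # "fingerprint", "pin", or "reset" once locked
        if self.locked:
            return "reset"
        if self.has_fingerprints and self.fp_failures < FP_MAX_FAILURES:
            return "fingerprint"
        return "pin"

    def fingerprint(self, matched: bool) -> bool:
        if self.next_prompt() == "fingerprint" and not matched:
            self.fp_failures += 1  # the third failure drops the user to the PIN prompt
        return matched and self.next_prompt() == "fingerprint"

    def enter_pin(self, attempt: str) -> bool:  # the user may skip fingerprint for this
        if self.locked:
            return False
        ok = hmac.compare_digest(attempt, self._pin)
        self.pin_failures = 0 if ok else self.pin_failures + 1
        self.locked = self.pin_failures >= PIN_MAX_FAILURES
        return ok

    def reset_pin(self, new_pin, *, fingerprint_ok=False, password_ok=False, online=False):
        # a locked PIN is reset by fingerprint, or by the company password only when online
        if not (fingerprint_ok or (password_ok and online)) or not pin_is_acceptable(new_pin):
            return False
        self.__init__(new_pin, self.has_fingerprints)  # fresh counters, new PIN, unlocked
        return True
```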
FIDO Token
The FIDO Token is a hardware authenticator that the user inserts into a USB port. Registration happens the first time a user clicks an icon for a protected application and follows the prompts in the browser. During registration, the user enters an identity source password, inserts the FIDO Token, and, if required, taps the token. Subsequent authentications do not require a password. The FIDO Token requires the Chrome browser version 40 or later.
RSA SecurID Access supports the FIDO (Fast IDentity Online) Alliance standards for Universal 2nd Factor (U2F). The U2F protocol strengthens password authentication by adding a physical token.
Note: The FIDO Token might not work on browsers that run on a virtual machine.
Approve
To use the Approve method, the user attempts to access the application and then is prompted to tap a button on an iOS or Android device. The user can also tap an interactive notification on the mobile device or on an Apple Watch or Android Wear watch paired to the device. The user must respond within one minute, otherwise the method times out and is considered a failed authentication. This method requires a mobile device where RSA SecurID Authenticate is installed. The user is enrolled for this method automatically after device registration.
Fingerprint Verification
The Fingerprint Verification method allows users to authenticate to applications using Apple Touch ID, Samsung Fingerprint, or Android version 6.0 fingerprint support. This method is only available on an iOS 8.0 or later device that supports Touch ID or a Samsung or Android version 6.0 or later device with a fingerprint sensor.
To use Fingerprint Verification, users must first set up Touch ID or register their fingerprints on their mobile devices. RSA SecurID Access does not force users to set up Touch ID or register their fingerprints on their mobile devices.
Eyeprint Verification
The Eyeprint Verification method allows users to authenticate to applications using EyeVerify's Eyeprint ID. This method is only available on iOS or Android devices supported by EyeVerify. For the list of supported devices, see http://www.eyeverify.com/supported-devices.
To use Eyeprint Verification, users must enroll in Eyeprint ID through the My Account screen. Users only see these menus if they have a supported device. Enrollment requires two to five Eyeprint Captures. If users do not complete enrollment after the fifth Eyeprint Capture, users are prompted to start the enrollment process again. Eyeprint data is stored locally on the device.
RSA SecurID Access does not force users to enroll in Eyeprint ID on their mobile devices. If the user is not enrolled in Eyeprint ID, RSA SecurID Access does not present Eyeprint ID as an authentication option to the user.
Users can recreate the Eyeprint to improve its quality if they experience repeated authentication errors, and they can unenroll Eyeprint ID if they no longer need this authentication method. Unenrollment deletes the Eyeprint data on the device. To recreate the Eyeprint or unenroll Eyeprint ID, users must provide the password entered during device registration. Users who use RSA SecurID Authenticate with multiple companies must provide the password of the first company in the app Companies list.
SMS Tokencode
SMS Tokencode is a six-digit code that RSA SecurID Access sends to the user's phone in an SMS message when the user attempts to access an application. The tokencode, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires. If it expires or the user does not receive it, the user can click Resend Tokencode. This method does not require device registration using the RSA SecurID Authenticate app.
When planning your available authentication methods, consider making SMS Tokencode available for emergency access when the user cannot use other methods, for example, when the user loses the RSA SecurID Token or cannot locate the device used to register the RSA SecurID Authenticate app.
Users can use SMS Tokencode if these criteria are met:
- RSA has enabled this feature for your company.
- Users' required identity source information is synchronized with the Cloud Authentication Service (similar to other authentication methods).
- A valid mobile phone number is stored for the user in the Cloud Authentication Service. The phone number can be synchronized from the LDAP directory server or entered manually by the administrator.
For details on how SMS phone numbers are handled during identity source synchronization, see Identity Sources for the Cloud Authentication Service.