Authentication Methods for Cloud Authentication Service Users

Document created by RSA Information Design and Development Employee on Jul 13, 2016. Last modified by RSA Information Design and Development Employee on Nov 17, 2020. Version 67.

An authentication method is a credential a user provides or an action a user performs to prove his or her identity. This topic describes the methods used for multifactor authentication (MFA) that you can make available to users who are in identity sources that are configured for the Cloud Authentication Service.

The following table lists the methods available to Cloud Authentication Service users and indicates whether the method can also be used to access resources protected by an RSA Authentication Manager agent.

                                                             
Authentication Method                Use to Access Resources Protected By
                                     Cloud Authentication Service   RSA Authentication Manager Agent
FIDO                                 X
RSA SecurID Token                    X                              X
RSA SecurID Authenticate Tokencode   X                              X
Emergency Tokencode                  X                              X
Approve (Push Notifications)         X                              X
Device Biometrics                    X                              X
SMS Tokencode                        X                              X
Voice Tokencode                      X                              X
LDAP Directory Password              X

You can expand the number of resources you protect and the authentication options you make available to users by integrating RSA Authentication Manager with the Cloud Authentication Service. For more information, see Connect RSA Authentication Manager to the Cloud Authentication Service (Authentication Manager 8.4 Patch 4 or later), Enable RSA Authenticate App Users to Access Resources Protected by RSA Authentication Manager (Authentication Manager 8.4 Patch 3 and earlier), and Enable RSA SecurID Token Users to Access Resources Protected by the Cloud Authentication Service.

 
 

FIDO

RSA SecurID Access supports the following FIDO-certified third-party authenticators:

RSA SecurID Access supports FIDO authenticators for both primary (for example, the user is prompted to sign in with a FIDO authenticator instead of entering a password after entering a user ID) and additional authentication (for example, after entering a user ID and password, the user is prompted to sign in with a FIDO authenticator).

FIDO2 security keys, Windows Hello, and Android phone can be used for primary authentication and additional authentication. U2F security keys can be used for additional authentication. For a list of system requirements for FIDO authenticators, see Cloud Authentication Service User System Requirements.

Note:  The Cloud Administration Console dashboard displays the total number of users in your deployment with third-party FIDO authenticators. This count includes users with RSA-branded Yubico security keys.

FIDO Registration

Users must register their FIDO authenticators before they can use them for authentication. Registration happens in one of two ways for security keys:

  • The first-time user clicks an icon for a protected application, enters a username and identity source password, connects the FIDO authenticator, and, if required, taps the key. Subsequent authentications do not require a password. This is the default registration method.

  • The user goes to My Page to register the FIDO authenticator. Users authenticate to My Page according to the access policy protecting My Page. You can make My Page registration a requirement by enabling both My Page and FIDO authenticator registration in the Cloud Administration Console at Platform > My Page. After both functions are enabled, users can no longer register FIDO authenticators during first-time authentication. For more information, see Manage My Page.

Registration for Windows Hello and Android phone can only be done in My Page.

Requirements for Using FIDO for Primary Authentication

Note the following requirements for using FIDO authenticators for primary authentication:

  • The FIDO authenticator must support user verification, such as a PIN or biometric. The user completes this verification as part of FIDO authentication.

  • Users must set up the FIDO user verification before accessing an application that requires FIDO authenticators.

  • Users must first register their FIDO authenticators with RSA SecurID Access when accessing an application where FIDO authenticators are used for additional authentication, for example, a service provider or My Page. Then users can use FIDO authenticators as a primary authentication method.

  • FIDO authenticators can be used for primary authentication only in relying party deployments.

FIDO2 Certification

The Cloud Authentication Service is a FIDO2 Certified Server. The certification demonstrates compliance with the FIDO specification and ensures compatibility with any FIDO-certified security key.

As part of this certification, the Cloud Authentication Service checks the integrity of the security key response message during registration. If the response message is modified on its way to the Cloud Authentication Service, the registration is unsuccessful.

Additionally, the Cloud Authentication Service verifies the integrity and authenticity of FIDO-certified security keys listed with the FIDO Alliance Metadata Service (MDS). The Cloud Authentication Service rejects MDS-listed keys if detected as counterfeit or compromised.

 

RSA SecurID Token

The RSA SecurID Token method employs a one-time, randomly generated number called a tokencode. The tokencode is generated on a hardware or software token and is verified by your on-premise RSA Authentication Manager server. A Personal Identification Number (PIN) is often required. The tokencode is time-based and must be used before it expires. RSA SecurID Tokens are issued and revoked only through Authentication Manager.

This method can be used to access resources protected by the Cloud Authentication Service or by authentication agents in RSA Authentication Manager deployments.

The Cloud Authentication Service supports RSA SecurID Token for primary authentication only in SSO Agent and relying party (service provider) deployments.

 

RSA SecurID Authenticate Tokencode

Similar to RSA SecurID Tokens, RSA SecurID Authenticate Tokencode employs a one-time, randomly generated number called a tokencode. This tokencode is generated on a device where the RSA SecurID Authenticate app is installed. The tokencode, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires. These tokencodes are valid for up to five minutes after they are generated and displayed on a user's device. The user is enrolled for this method automatically after device registration.

Protect Access to Authenticate Tokencode

You can require users to provide additional authentication to view the RSA SecurID Authenticate Tokencode. This setting takes effect 24 hours after it is enabled or after the user restarts the app. The user must tap or click View Tokencode on the app home screen and authenticate before viewing the tokencode.

The first time the user taps or clicks View Tokencode, the app prompts the user to create a PIN that is only used for viewing the Authenticate Tokencode. The PIN must be numeric, contain 4-10 digits, and cannot contain repeating or consecutive numbers, for example, 1111 or 1234. You can configure the minimum PIN length. For instructions, see Configure Session and Authentication Method Settings.

The PIN applies to the RSA SecurID Authenticate Tokencodes for all companies in the app. If users have multiple companies in the app, their minimum PIN length is the longest minimum PIN length of their companies.

On iOS and Android, if the user has set up biometrics, the app prompts the user to authenticate with a biometric (for example, fingerprint or Face ID) instead of using a PIN. The user can also choose to skip or cancel biometrics and enter the PIN. If the user fails biometrics or has not set up biometrics, then the app prompts the user to enter the PIN.

On Windows, the app prompts the user to authenticate with the PIN.

If the user enters an incorrect PIN five times, the PIN is locked and the user must reset the PIN. To reset the PIN, users must do the following:

  • On iOS or Android, the app prompts the user for device unlock credentials, such as a passcode. The user must set up device unlock credentials to reset the PIN.

  • On Windows, the app prompts the user to delete all companies that require authentication to view the tokencode and then re-register those companies.

The user can authenticate to view the tokencode with an online or offline device. However, if the user needs to reset the PIN on a Windows device, the user must be online. The user can reset the PIN online or offline on iOS or Android devices.
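The PIN rules above (4-10 digits, no repeating or consecutive numbers, a minimum length that is the longest of the user's company minimums, and a lock after five wrong entries) written out as a checker. This is an added example and not RSA's code; it assumes that "repeating or consecutive" means a single repeated digit or an unbroken ascending or descending run, and it holds the PIN in memory only for illustration.

```python
# Added example, not RSA's code: a checker for the View Tokencode PIN rules
# given above. Assumed reading of "repeating or consecutive": a PIN made of
# one repeated digit (1111) or of an unbroken ascending or descending run of
# adjacent digits (1234, 4321); other patterns are accepted.
import hmac
from typing import List, Tuple

MAX_PIN_LENGTH = 10          # page: 4-10 digits
DEFAULT_MIN_PIN_LENGTH = 4   # lower bound of the configurable minimum
MAX_FAILED_ATTEMPTS = 5      # page: five wrong PINs lock the PIN

def effective_min_length(company_minimums: List[int]) -> int:
    """With several companies in the app, the user's minimum PIN length is
    the longest of the companies' configured minimums (page rule)."""
    return max(company_minimums, default=DEFAULT_MIN_PIN_LENGTH)

def is_consecutive(digits: str) -> bool:
    # Every step between neighbouring digits is +1 (1234) or every step is
    # -1 (4321); no wrap-around, so 9012 is not treated as consecutive.
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}

def check_pin(pin: str, company_minimums: List[int]) -> Tuple[bool, str]:
    """Return (accepted, reason) for a proposed PIN."""
    min_len = effective_min_length(company_minimums)
    if not pin or any(c not in "0123456789" for c in pin):
        return False, "PIN must contain ASCII digits only"
    if len(pin) < min_len:
        return False, f"PIN must be at least {min_len} digits"
    if len(pin) > MAX_PIN_LENGTH:
        return False, f"PIN must be at most {MAX_PIN_LENGTH} digits"
    if len(set(pin)) == 1:
        return False, "PIN must not be a single repeated digit"
    if is_consecutive(pin):
        return False, "PIN must not be a run of consecutive digits"
    return True, "ok"

class ViewTokencodePin:
    """Verifies PIN entries and locks after five failures; a locked PIN must
    be reset (device unlock credentials on iOS/Android, delete and
    re-register companies on Windows). Held in memory for illustration."""

    def __init__(self, pin: str, company_minimums: List[int]) -> None:
        ok, reason = check_pin(pin, company_minimums)
        if not ok:
            raise ValueError(reason)
        self._pin = pin
        self.failed_attempts = 0
        self.locked = False

    def verify(self, attempt: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(attempt.encode(), self._pin.encode()):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        self.locked = self.failed_attempts >= MAX_FAILED_ATTEMPTS
        return False
```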

Integrated Deployments

If your company has deployed both RSA SecurID Access and RSA Authentication Manager 8.2 or later, you can integrate the two products so that users can authenticate with RSA SecurID Tokens and RSA SecurID Authenticate Tokencodes on the same RSA Authentication Agent.

Emergency Tokencode

Emergency Tokencode is for users who forget or misplace their registered authenticators. The same tokencode is generated for both online and offline use.

Super Admins - See how to configure Emergency Tokencode:

Help Desk Administrators - See how to provide users with an Emergency Tokencode:

For detailed information, see:

Emergency Tokencode for Online Access

                                
When to Use Emergency Tokencode for Online Access

If the user is able to sign in to the company network without the registered authenticator, you can give the user an Emergency Tokencode to access resources protected by the Cloud Authentication Service.

Configuration Prerequisites

For primary authentication, Emergency Tokencode can be used as a replacement for the FIDO authentication method in relying parties. You select a box to allow this replacement when configuring primary authentication for the relying party. See Add a Service Provider.

Similar to other RSA SecurID Access additional authentication methods, Emergency Tokencode must be configured and published in your assurance levels and access policies before it can be used for online additional authentication.

Note:  RSA recommends that you avoid adding Emergency Tokencode to the High assurance level. Doing so will make Emergency Tokencode available to your most sensitive applications.

User Experience for Online Access
  1. The user calls the Help Desk.

  2. The Help Desk Administrator finds the user on the Users > Management page in Cloud Administration Console and generates an Emergency Tokencode.

    If offline Emergency Tokencode is enabled for your company, the same tokencode is generated for online and offline access.

  3. The Help Desk Administrator securely delivers the tokencode to the user immediately and instructs the user to select Emergency Tokencode from the list of available options during the next authentication.

  4. The next time the user is online and attempts to access the protected resource, the user selects Emergency Tokencode and then enters the tokencode.

    If a user types the tokencode incorrectly, the number of allowed retries is configured in the Cloud Administration Console on the My Account > Company Settings > Session & Authentication page.

Lifetime for Online Access

After a user selects Emergency Tokencode one time during authentication, Emergency Tokencode becomes the user's default method until one of the following events occurs:

  • The tokencode expires. Expiration is configured (1-7 days) on the Users > Management page. For instructions, see Enable Emergency Tokencode for a User.

  • An administrator disables the tokencode on the Users > Management page.

  • The user selects a different option during authentication, and that option becomes the new default.

Generate or disable Emergency Tokencode for a user

See Manage Users for the Cloud Authentication Service.

 

Emergency Tokencode for Offline Access

                                
When to Use Emergency Tokencode for Offline Access

A user can use Emergency Tokencode to sign in to a computer that is protected by the RSA MFA Agent for Microsoft Windows, even if the computer has no internet connection. If the computer has an internet connection, the same tokencode can be used to access resources protected by the Cloud Authentication Service.

Configuration Prerequisites

Your deployment must meet these configuration requirements:

User Experience for Offline Access
  1. The user calls the Help Desk.

  2. The Help Desk Administrator finds the user on the Users > Management page in Cloud Administration Console and generates an Emergency Tokencode.

    The same tokencode is generated for online and offline access.

  3. The Help Desk Administrator securely delivers the tokencode to the user immediately.

  4. The next time the user attempts to sign in to his or her Windows computer, the MFA Agent prompts the user to sign in and enter the Emergency Tokencode.

Lifetime for Offline Access

The Emergency Tokencode is created and downloaded to the user's computer the first time the user successfully authenticates online through the MFA Agent to the Cloud Authentication Service. The tokencode becomes invalid after one of the following events occurs:

  • The configured lifetime (1-30 days) has elapsed. You configure this setting on the My Account > Company Settings > Session & Authentication page. For instructions, see Configure Session and Authentication Method Settings.

  • The user has successfully authenticated, through the MFA Agent, using a method other than Emergency Tokencode, to the Cloud Authentication Service. A new tokencode is downloaded to replace the old one, beginning a new lifetime cycle.

The online expiration date may elapse before the offline expiration date. If this occurs and the user still needs online emergency access, you can regenerate the tokencode and give it a new online expiration date. The offline expiration date remains valid and unchanged from the first time it is generated until it expires or until the user successfully authenticates with a different method. Also, the Emergency Tokencode itself remains exactly the same if you click Generate Code, even multiple times, before the offline expiration date is reached.
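The online and offline lifetime rules from the two Emergency Tokencode sections, as a small model for reasoning about when a code is still accepted on each path. This is an added example and not RSA's code; it assumes one code value per user, that an offline copy exists only after an online MFA Agent authentication, that Generate Code clears an earlier disable, and that the administrator's disable is checked only on the online path. The 8-digit code format and the day-numbered dates are constructed.

```python
# Added example, not RSA's code: a small model of the Emergency Tokencode
# lifetime rules described above, for reasoning about when a code still
# works online versus offline. Assumptions: one code value per user (the
# page says the same code serves online and offline use); an offline copy
# exists only after an online MFA Agent authentication; the admin disable
# action is checked only by the online path; 8-digit codes are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import secrets

ONLINE_LIFETIME_DAYS = range(1, 8)    # page: 1-7 days, set per user
OFFLINE_LIFETIME_DAYS = range(1, 31)  # page: 1-30 days, set per company
T0 = datetime(2020, 11, 17)           # constructed reference date

def day(n: int) -> datetime:
    """Day n after the constructed reference date."""
    return T0 + timedelta(days=n)

def _new_code() -> str:
    return f"{secrets.randbelow(10**8):08d}"

@dataclass
class EmergencyTokencode:
    offline_lifetime_days: int              # company-wide setting
    code: Optional[str] = None
    online_expires: Optional[datetime] = None
    offline_expires: Optional[datetime] = None
    disabled: bool = False                  # admin disabled the code

    def offline_copy_valid(self, now: datetime) -> bool:
        return self.offline_expires is not None and now < self.offline_expires

    def generate(self, now: datetime, online_lifetime_days: int) -> str:
        """Help Desk clicks Generate Code: a new online expiry is set, but the
        code value is reused while the offline copy is within its lifetime."""
        if online_lifetime_days not in ONLINE_LIFETIME_DAYS:
            raise ValueError("online lifetime must be 1-7 days")
        if self.code is None or not self.offline_copy_valid(now):
            self.code = _new_code()
        self.online_expires = now + timedelta(days=online_lifetime_days)
        self.disabled = False
        return self.code

    def mfa_agent_online_success(self, now: datetime) -> None:
        """User authenticates online through the MFA Agent with another
        method: a fresh code is downloaded and a new offline lifetime begins."""
        if self.offline_lifetime_days not in OFFLINE_LIFETIME_DAYS:
            raise ValueError("offline lifetime must be 1-30 days")
        self.code = _new_code()
        self.offline_expires = now + timedelta(days=self.offline_lifetime_days)

    def valid_online(self, now: datetime, entered: str) -> bool:
        return (self.code is not None and not self.disabled
                and self.online_expires is not None and now < self.online_expires
                and secrets.compare_digest(entered, self.code))

    def valid_offline(self, now: datetime, entered: str) -> bool:
        return (self.code is not None and self.offline_copy_valid(now)
                and secrets.compare_digest(entered, self.code))
```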

Generate or disable Emergency Tokencode for a user

See Manage Users for the Cloud Authentication Service.

Approve (Push Notifications)

When using Approve to access a cloud-protected resource, the user attempts to access the application and then receives a push notification prompting the user to tap a button on a registered device. When using Approve to access an agent-protected resource, the user enters a PIN before tapping a button on an Authenticate device. In both cases, the user can also tap an interactive notification on the device or on an Apple Watch or Android Wear watch paired to the device. The user must respond within one minute; otherwise the method times out and is considered a failed authentication. The user is enrolled for this method automatically after Authenticate device registration.

This method can be used to access resources protected by the Cloud Authentication Service or by authentication agents in RSA Authentication Manager deployments.

 

Device Biometrics

Device Biometrics allows users to authenticate to applications using biometrics available on devices, such as Apple Touch ID or Face ID, Android fingerprint, or Windows Hello. Before using Device Biometrics, users must first set up biometrics on their devices. RSA SecurID Access does not force users to do this.

To use Device Biometrics on Windows 10 PCs, Windows Hello must be enabled. Also, keep in mind that users can sign in using a Hello PIN.

When using Device Biometrics to access an agent-protected resource, the user must first enter a PIN before entering the biometric credential.

 

SMS Tokencode

SMS Tokencode is a six-digit code that RSA SecurID Access sends to the user's phone in an SMS message when the user attempts to access an application. The tokencode, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires three minutes after it is sent to the user. If it expires or the user does not receive it, the user can click Resend Tokencode. This method does not require device registration using the RSA SecurID Authenticate app.

When planning your available authentication methods, consider making SMS Tokencode available for emergency access when the user cannot use other methods, for example, when the user loses the RSA SecurID Token or cannot locate the device used to register the RSA SecurID Authenticate app.

Users can use SMS Tokencode if these criteria are met:

  • RSA has enabled this feature for your company.

  • Users' required identity source information is synchronized with the Cloud Authentication Service (similar to other authentication methods).

  • A valid mobile phone number is stored for the user in the Cloud Authentication Service. The phone number can be synchronized from the LDAP directory server or entered manually by the administrator.

For details on how SMS phone numbers are handled during identity source synchronization, see Identity Sources for the Cloud Authentication Service.

Note:  RSA SecurID Access Federal does not support authentication with SMS Tokencode.

Voice Tokencode

Voice Tokencode is a six-digit code that RSA SecurID Access provides by calling the user's phone when the user attempts to access an application. The tokencode, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires three minutes after it is sent to the user. If it expires or the user does not receive it, the user can click Resend Tokencode. This method does not require a mobile device.

When planning your available authentication methods, consider making Voice Tokencode available for emergency access when the user cannot use other methods, for example, for users who do not have mobile phones or when the user loses the RSA SecurID Token.

Users can use Voice Tokencode if these criteria are met:

  • RSA has enabled this feature for your company.

  • Users' required identity source information is synchronized with the Cloud Authentication Service (similar to other authentication methods).

  • A valid phone number (landline or mobile) is stored for the user in the Cloud Authentication Service. The phone number can be synchronized from the LDAP directory server or entered manually by the administrator.

For details on how Voice Tokencode phone numbers are handled during identity source synchronization, see Identity Sources for the Cloud Authentication Service.

Note:  RSA SecurID Access Federal does not support authentication with Voice Tokencode.

LDAP Directory Password

The LDAP directory password is used for primary authentication and to register devices. LDAP directory passwords are managed within the LDAP directory server. User records are synchronized from the LDAP directory server to identity sources in RSA SecurID Access. The Cloud Authentication Service must be able to reach your on-premise identity source for authentication to succeed.

 

 

 

 

 
