Supported Authentication Methods

Document created by RSA Information Design and Development on Jul 13, 2016. Last modified by RSA Information Design and Development on Oct 8, 2019. Version 46.

An authentication method is a credential that you provide or an action that you perform to prove your identity.

Supported Methods for Primary Authentication

For primary authentication, RSA SecurID Access supports the following methods, depending on which components your organization has deployed.

Deployment                                  Supported Authentication Methods
Relying Parties (service providers only)    LDAP Directory Password, RSA SecurID Token
SSO Agent                                   LDAP Directory Password, RSA SecurID Token
RADIUS for Cloud Authentication Service     LDAP Directory Password

 

Supported Methods for Additional Authentication

For additional authentication (the step that follows a successful primary authentication), RSA SecurID Access supports the following methods in all deployments, with one exception: FIDO Token is supported only in relying party and SSO Agent deployments, not for users who come in through RADIUS.

Be aware of the following:

  • RSA SecurID Token and Authenticate Tokencode can be used to access resources protected by authentication agents in RSA Authentication Manager deployments.

  • If your company deploys multiple components, make sure your assurance levels contain enough options to support each component. For example, a deployment might support SSO Agent, RADIUS, and relying parties. An assurance level might allow FIDO Tokens for users gaining access through the SSO Agent or relying parties, but it must provide additional options for users gaining access through RADIUS.

  • The Authenticate app uses push notifications to simplify authentication. A user can disable notifications, but must then perform an extra step for the methods that depend on them (such as Approve or Device Biometrics): after the Sending Sign-in Request screen appears in the browser, or a notification is sent as part of a RADIUS flow, the user must open the app, or pull down on the top of the app, to retrieve the pending request manually before authentication can continue.
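The second point above is easy to get wrong in a deployment with several access channels, because a level that looks complete on paper can still leave RADIUS users with no usable method. The following script is an added example (it is not RSA code and does not use any RSA API) that checks each assurance level against the support matrix stated on this page: every additional method works on every channel except FIDO Token, which works only through relying parties and the SSO Agent. The channel names, the deployment and the three sample assurance levels are constructed input for illustration.

```python
"""Check that each assurance level offers at least one additional
authentication method usable from every deployed access channel.

Added example, not RSA code. The support matrix is transcribed from the
page (FIDO Token: relying parties and SSO Agent only); the channel
names, deployment and assurance levels below are constructed samples.
"""

# Access channels named on the page: SAML/OIDC service providers
# (relying parties), the SSO Agent, and RADIUS for the Cloud
# Authentication Service.
ALL_CHANNELS = frozenset({"relying_party", "sso_agent", "radius"})

# Additional-authentication methods and the channels each one works on.
METHOD_CHANNELS = {
    "RSA SecurID Token": ALL_CHANNELS,
    "RSA SecurID Authenticate Tokencode": ALL_CHANNELS,
    "Approve": ALL_CHANNELS,
    "Device Biometrics": ALL_CHANNELS,
    "SMS Tokencode": ALL_CHANNELS,
    "Voice Tokencode": ALL_CHANNELS,
    "Emergency Tokencode": ALL_CHANNELS,
    "FIDO Token": frozenset({"relying_party", "sso_agent"}),
}


def uncovered_channels(level_methods, deployed_channels):
    """Return the deployed channels on which none of `level_methods` can
    be used. Empty means every channel has at least one option; anything
    else is a set of channels whose users would be locked out of the
    applications protected at this level."""
    unknown = set(level_methods) - set(METHOD_CHANNELS)
    if unknown:
        raise ValueError(f"unknown method(s): {sorted(unknown)}")
    covered = set()
    for method in level_methods:
        covered |= METHOD_CHANNELS[method]
    return set(deployed_channels) - covered


def check_assurance_levels(levels, deployed_channels):
    """Map each assurance level that has a gap to its uncovered channels,
    sorted, so the result is stable for reporting."""
    gaps = {}
    for name, methods in levels.items():
        missing = uncovered_channels(methods, deployed_channels)
        if missing:
            gaps[name] = sorted(missing)
    return gaps


# Constructed sample: the deployment from the text (SSO Agent, RADIUS
# and relying parties) with a High level that allows only FIDO Token.
SAMPLE_DEPLOYMENT = ALL_CHANNELS
SAMPLE_LEVELS = {
    "High": ["FIDO Token"],
    "Medium": ["FIDO Token", "Approve", "Device Biometrics"],
    "Low": ["RSA SecurID Authenticate Tokencode", "SMS Tokencode"],
}

if __name__ == "__main__":
    for level, channels in check_assurance_levels(SAMPLE_LEVELS, SAMPLE_DEPLOYMENT).items():
        print(f"{level}: no usable method for channel(s) {', '.join(channels)}")
```

Run against the sample, the script reports that the High level has no usable method for RADIUS; adding any non-FIDO method to that level clears the gap. Re-run it whenever a component is added to the deployment, since a new channel can silently invalidate levels that were fine before.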

 

LDAP Directory Password

The LDAP directory password is used for primary authentication and to register devices. LDAP directory passwords are managed within the LDAP directory server. User records are synchronized from the LDAP directory server to identity sources in RSA SecurID Access, but the password itself is always verified against the directory: the Cloud Authentication Service must be able to reach your on-premises identity source for authentication to succeed.

 

RSA SecurID Token

The RSA SecurID Token method employs a one-time number called a tokencode, which the token derives from its secret seed and the current time. The tokencode is generated on a hardware or software token and is verified by your on-premises RSA Authentication Manager server. A Personal Identification Number (PIN) is often required as well. The tokencode is time-based and must be used before it expires. RSA SecurID Tokens are issued and revoked only through Authentication Manager.

 

RSA SecurID Authenticate Tokencode

Similar to RSA SecurID Tokens, RSA SecurID Authenticate Tokencode employs a one-time number called a tokencode. This tokencode is generated on a device where the RSA SecurID Authenticate app is installed. The tokencode, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires. These tokencodes are valid for up to five minutes after they are generated and displayed on a user's device. The user is enrolled for this method automatically after device registration.

If your company has deployed both RSA SecurID Access and RSA Authentication Manager 8.2 or later, you can integrate the two products so that users can authenticate with RSA SecurID Tokens and RSA SecurID Authenticate Tokencodes on the same RSA Authentication Agent.

Additional Authentication to View Authenticate Tokencode

You can require users to provide additional authentication to view the RSA SecurID Authenticate Tokencode. This setting takes effect 24 hours after it is enabled, or sooner if the user restarts the app. The user must tap or click View Tokencode on the app home screen and authenticate before viewing the tokencode.

The first time the user taps or clicks View Tokencode, the app prompts the user to create a PIN that is used only for viewing the Authenticate Tokencode. The PIN must be numeric, contain 4-10 digits, and must not consist solely of repeating or consecutive digits, for example, 1111 or 1234. You can specify the minimum PIN length. For more information, see Configure Session and Authentication Method Settings.

The PIN applies to the RSA SecurID Authenticate Tokencodes for all companies in the app. If users have multiple companies in the app, their minimum PIN length is the longest minimum PIN length of their companies.

On iOS and Android, if the user has set up biometrics, the app prompts the user to authenticate with a biometric (for example, fingerprint or Face ID). The user can also choose to skip or cancel biometrics and enter the PIN. If the user fails biometrics or has not set up biometrics, then the app prompts the user to enter the PIN.

On Windows, the app prompts the user to authenticate with the PIN.

If the user enters an incorrect PIN five times, the PIN is locked and the user must reset the PIN. To reset the PIN, users must do the following:

  • On iOS or Android, the app prompts the user for device unlock credentials, such as a passcode. The user must set up device unlock credentials to reset the PIN.

  • On Windows, the app prompts the user to delete all companies that require authentication to view the tokencode and then re-register those companies.

The user can authenticate to view the tokencode with an online or offline device. However, if the user needs to reset the PIN on a Windows device, the user must be online. The user can reset the PIN online or offline on iOS or Android devices.
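The PIN rules above (digits only, 4-10 long, not solely repeating or consecutive, a minimum length that is the longest minimum of the registered companies, and a lock after five wrong entries) are the kind of policy worth encoding rather than documenting. The following Python is an added example of such a policy check and lock counter; it is not the Authenticate app's code. Two points are assumptions, stated in the code as well: a descending run such as 4321 is treated as "consecutive" (the page gives only 1234 as its example), and the stored PIN is kept as a salted PBKDF2 hash, a choice of this example rather than anything the page says about the app.

```python
"""View Tokencode PIN policy and five-strikes lock, as described above.

Added example; not RSA SecurID Authenticate app code. Assumptions:
descending runs (4321) count as consecutive, and the PIN is stored as a
salted hash (the page does not say how the app stores it).
"""
import hashlib
import hmac
import os

ABSOLUTE_MIN_PIN_LEN = 4
MAX_PIN_LEN = 10
MAX_FAILED_ATTEMPTS = 5


def effective_min_len(company_min_lens):
    """With several companies in one app the longest minimum applies;
    it can never be shorter than the product floor of 4 digits."""
    return max([ABSOLUTE_MIN_PIN_LEN, *company_min_lens])


def _is_repeating(digits):
    return len(set(digits)) == 1


def _is_consecutive(digits):
    # Every step is exactly +1 (1234) or, by assumption, -1 (4321).
    # 0 is not treated as following 9, so 7890 is accepted.
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def validate_pin(pin, min_len=ABSOLUTE_MIN_PIN_LEN):
    """Return None if `pin` satisfies the policy, otherwise the reason."""
    # isascii() rejects non-Latin digits that str.isdigit() would accept.
    if not pin.isascii() or not pin.isdigit():
        return "PIN must contain digits only"
    if not min_len <= len(pin) <= MAX_PIN_LEN:
        return f"PIN must be {min_len}-{MAX_PIN_LEN} digits"
    digits = [int(c) for c in pin]
    if _is_repeating(digits):
        return "PIN must not consist only of a repeated digit"
    if _is_consecutive(digits):
        return "PIN must not consist only of consecutive digits"
    return None


class PinVerifier:
    """Holds one PIN and enforces the lock after five wrong entries.
    Once locked, the correct PIN is refused too: the user must reset."""

    def __init__(self, pin, min_len=ABSOLUTE_MIN_PIN_LEN):
        reason = validate_pin(pin, min_len)
        if reason:
            raise ValueError(reason)
        self._salt = os.urandom(16)
        self._digest = self._hash(pin)
        self.failed = 0
        self.locked = False

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def check(self, pin):
        if self.locked:
            return False
        # Constant-time compare of the derived hashes.
        if hmac.compare_digest(self._hash(pin), self._digest):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False
```

The validator is written to be called at PIN creation and on every change of the company list, because adding a company with a longer minimum can make an existing PIN too short under `effective_min_len`.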

 

FIDO Token

The FIDO Token is a hardware authenticator that the user inserts into a USB port. Registration happens in one of two ways:

  • The first-time user clicks an icon for a protected application, enters an identity source password, inserts the FIDO Token, and, if required, taps the token. Subsequent authentications do not require a password. This is the default registration method.

  • The user goes to My Page to register the FIDO Token. Users authenticate to My Page according to the access policy protecting My Page. You can make My Page registration a requirement by enabling both My Page and FIDO Token registration in the Cloud Administration Console at Platform > My Page. After both functions are enabled, users can no longer register FIDO Tokens during first-time authentication.

Note:  The FIDO Token might not work on browsers that run on a virtual machine.

RSA SecurID Access supports the FIDO2 authentication standard. RSA SecurID Access only supports USB-based roaming authenticators (for example, a USB security key); authenticators built into the device, such as Windows Hello or Touch ID, are covered by the Device Biometrics method instead. For a list of system requirements for the FIDO Token, see Cloud Authentication Service User Requirements.

 

Approve

To use the Approve method, the user attempts to access the application and is then prompted to tap a button on an Authenticate device. The user can also tap an interactive notification on the device or on an Apple Watch or Android Wear watch paired to the device. The user must respond within one minute; otherwise the request times out and is recorded as a failed authentication. The user is enrolled for this method automatically after Authenticate device registration.

 

Device Biometrics

Device Biometrics allows users to authenticate to applications using biometrics available on their devices, such as Apple Touch ID or Face ID, Android fingerprint, or Windows Hello. To use Device Biometrics, users must first set up biometrics on their devices. RSA SecurID Access does not force users to do this.

To use Device Biometrics on Windows 10 PCs, Windows Hello must be enabled. Keep in mind that Windows Hello also accepts a Hello PIN: a user who has set up only a PIN satisfies this method with that PIN, so on Windows the method does not guarantee that a biometric was actually presented.

 

SMS Tokencode

SMS Tokencode is a six-digit code that RSA SecurID Access sends to the user's phone in an SMS message when the user attempts to access an application. The tokencode, which is verified by the Cloud Authentication Service, expires three minutes after it is sent and must be used before then. If it expires or the user does not receive it, the user can click Resend Tokencode. This method does not require device registration using the RSA SecurID Authenticate app.

When planning your available authentication methods, consider making SMS Tokencode available for emergency access when the user cannot use other methods, for example, when the user loses the RSA SecurID Token or cannot locate the device used to register the RSA SecurID Authenticate app. Because the code is delivered over the carrier network rather than to a registered device (NIST SP 800-63B classifies PSTN-delivered one-time codes as a restricted authenticator for this reason), treat it as a lower-assurance option and, as with Emergency Tokencode below, keep it out of the assurance level that protects your most sensitive applications.

Users can use SMS Tokencode if these criteria are met:

  • RSA has enabled this feature for your company.

  • Users' required identity source information is synchronized with the Cloud Authentication Service (similar to other authentication methods).

  • A valid mobile phone number is stored for the user in the Cloud Authentication Service. The phone number can be synchronized from the LDAP directory server or entered manually by the administrator.

For details on how SMS phone numbers are handled during identity source synchronization, see Identity Sources for the Cloud Authentication Service.

Voice Tokencode

Voice Tokencode is a six-digit code that RSA SecurID Access provides by calling the user's phone when the user attempts to access an application. The tokencode, which is verified by the Cloud Authentication Service, expires three minutes after it is sent and must be used before then. If it expires or the user does not receive it, the user can click Resend Tokencode. This method does not require a mobile device.

When planning your available authentication methods, consider making Voice Tokencode available for emergency access when the user cannot use other methods, for example, for users who do not have mobile phones or when the user loses the RSA SecurID Token.

Users can use Voice Tokencode if these criteria are met:

  • RSA has enabled this feature for your company.

  • Users' required identity source information is synchronized with the Cloud Authentication Service (similar to other authentication methods).

  • A valid phone number (landline or mobile) is stored for the user in the Cloud Authentication Service. The phone number can be synchronized from the LDAP directory server or entered manually by the administrator.

For details on how Voice Tokencode phone numbers are handled during identity source synchronization, see Identity Sources for the Cloud Authentication Service.

Emergency Tokencode

If a user forgets or misplaces a registered device, you can generate an Emergency Tokencode and provide it to the user. The next time the user attempts to access the protected resource, the user can select Emergency Tokencode from the list of available options. The tokencode is valid for the configured number of days (1-7).

Emergency Tokencode is displayed during authentication as an available option to the user only after you generate the tokencode for the user on the Users > Management page in the Cloud Administration Console. The tokencode is available to the user until it expires or you disable it. After a user selects Emergency Tokencode one time, it becomes the user's default method until one of the following occurs:

  • The tokencode expires.

  • An administrator disables the tokencode on the Users > Management page.

  • The user selects a different option which becomes the new default method.

Similar to other RSA SecurID Access authentication methods, Emergency Tokencode must be configured and published in your assurance levels and access policies before it can be used for authentication.

Note:  RSA recommends that you avoid adding Emergency Tokencode to the High assurance level. Doing so will make Emergency Tokencode available to your most sensitive applications.

If a user types the tokencode incorrectly, the number of allowed retries is configured in the Cloud Administration Console on the My Account > Company Settings > Session & Authentication page.

For instructions on generating and disabling Emergency Tokencodes, see Manage Users for the Cloud Authentication Service.
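The SMS Tokencode, Voice Tokencode and Emergency Tokencode sections above describe the same server-side lifecycle with different parameters: a code is issued, it is valid for a fixed window (three minutes for SMS and Voice, 1-7 days for Emergency), it can be resent or disabled, wrong entries count against a retry limit, and Emergency Tokencode is offered to the user only while a generated code is still usable. The following Python models that lifecycle so the interactions can be checked end to end. It is an added example, not Cloud Authentication Service code, and several details are assumptions marked in the code: a resend invalidates the previous SMS/Voice code, SMS and Voice codes are single-use, the Emergency Tokencode is eight digits, and the retry limit (which the page says is configurable) is set to 3 here. The timestamps are constructed.

```python
"""Lifecycle of the out-of-band tokencodes described on this page:
issue, expire, resend, disable, count retries, and decide when
Emergency Tokencode is offered or remains the user's default method.

Added example; not Cloud Authentication Service code. Assumptions:
resend invalidates the old SMS/Voice code, SMS/Voice codes are
single-use, Emergency Tokencode is 8 digits, retry limit is 3.
"""
import hmac
import secrets
from datetime import datetime, timedelta, timezone

SMS_TTL = timedelta(minutes=3)          # SMS and Voice: three minutes
EMERGENCY_RETRY_LIMIT = 3               # assumed; configurable per company

# Constructed reference time for the examples and checks.
T0 = datetime(2019, 10, 8, 12, 0, tzinfo=timezone.utc)


def at(base, **delta):
    """Shorthand for base + timedelta(**delta)."""
    return base + timedelta(**delta)


class Tokencode:
    """One issued code with its expiry, retry budget and state."""

    def __init__(self, value, issued_at, ttl, retry_limit=None, single_use=True):
        self.value = value
        self.expires_at = issued_at + ttl
        self.retry_limit = retry_limit
        self.single_use = single_use
        self.failures = 0
        self.disabled = False

    def usable(self, now):
        return not self.disabled and now < self.expires_at

    def verify(self, candidate, now):
        """True only for the right value inside the window. Wrong entries
        count toward the retry limit; reaching it disables the code."""
        if not self.usable(now):
            return False
        # Constant-time compare: do not leak how many digits matched.
        if hmac.compare_digest(self.value, candidate):
            if self.single_use:
                self.disabled = True
            return True
        self.failures += 1
        if self.retry_limit is not None and self.failures >= self.retry_limit:
            self.disabled = True
        return False


def new_sms_code(now):
    """Six-digit SMS/Voice code from a CSPRNG, zero-padded."""
    return Tokencode(f"{secrets.randbelow(10**6):06d}", now, SMS_TTL)


def resend_sms_code(old, now):
    """Resend Tokencode: the previous code is invalidated (assumption)
    and a fresh one is issued with a new three-minute window."""
    old.disabled = True
    return new_sms_code(now)


def new_emergency_code(now, valid_days):
    """Administrator-generated code valid for 1-7 days, reusable until it
    expires, is disabled, or the retry limit is reached."""
    if not 1 <= valid_days <= 7:
        raise ValueError("Emergency Tokencode validity is 1-7 days")
    return Tokencode(f"{secrets.randbelow(10**8):08d}", now,
                     timedelta(days=valid_days),
                     retry_limit=EMERGENCY_RETRY_LIMIT, single_use=False)


def disable(code):
    """Administrator action on Users > Management: the code stops being
    offered immediately, whatever its remaining lifetime."""
    code.disabled = True


def offered_methods(level_methods, emergency, now):
    """Options shown at the additional-authentication step: the level's
    methods, plus Emergency Tokencode only while a generated code is
    usable."""
    methods = list(level_methods)
    if emergency is not None and emergency.usable(now):
        methods.append("Emergency Tokencode")
    return methods


def default_method(last_chosen, emergency, now, fallback):
    """The last method the user selected is the default; an Emergency
    Tokencode default reverts to `fallback` once the code is no longer
    usable."""
    if last_chosen == "Emergency Tokencode" and not (emergency and emergency.usable(now)):
        return fallback
    return last_chosen
```

The point of `offered_methods` and `default_method` is that the code's state, not the administrator's memory, decides whether the emergency option appears; disabling the code on the Users > Management page removes it from the list on the next sign-in with no further cleanup.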

 

 

 

 
