Use this task to configure the following settings that affect your entire Cloud Authentication Service deployment:
Session duration and timeout settings for the Cloud Administration Console and the application portal
Additional authentication requirements for the Cloud Administration Console
Password lockout settings
Settings for the RSA SecurID Authenticate Tokencode, Emergency Tokencode, SMS Tokencode, and Voice Tokencode authentication methods
Require users to unlock their devices for the Approve authentication method
Note: Values in minutes must be a number between 1 and 99,999. For seconds, the number must be between 1 and 300.
Before you begin
You must be a Super Admin for the Cloud Administration Console.
You can require administrators to provide additional authentication to access the console. For preliminary steps, see Protect the Cloud Administration Console with Additional (Step-Up) Authentication.
- In the Cloud Administration Console, click My Account > Company Settings and select the Sessions & Authentication tab.
- Configure Cloud Administration Console Sessions.
In the Session Duration (minutes) field, enter the maximum number of minutes an administrator can stay signed into the Cloud Administration Console before being prompted to sign in again. The default is 720 minutes.
In the Inactivity Timeout (minutes) field, enter the maximum number of minutes that the sign-in session can remain idle before the system ends the session. The default is 20 minutes.
- Configure additional authentication for the Cloud Administration Console. This setting requires administrators to provide authentication in addition to the usual password to access the console.
In the Additional Authentication field, click Enable.
In the Access Policy for Additional Authentication field, select a policy to enforce authentication requirements for the console.
- Configure User Sessions.
- In the Session Duration (minutes) field, enter the maximum number of minutes a user can stay signed into the application portal before being prompted to sign in again. The default is 720 minutes. Set the session duration lower than the shortest session duration that is specified externally in an application that users can access in the application portal.
- In the Inactivity Timeout (minutes) field, enter the maximum number of minutes that the sign-in session can remain idle before the system ends the session. The default is 20 minutes. When a session timeout occurs, the browser returns to the sign-in page.
- In the Sign-in Timeout (seconds) field, enter the maximum wait time for system authentication after the user enters sign-in credentials before a timeout occurs. The default is five seconds. This setting is useful if you have many remote users signing into the same access point. For example, if user sessions are timing out while waiting for authentication, you can increase this setting.
- To limit the number of concurrent user sessions, select Limit Concurrent Sessions to and enter the number of sessions allowed. The number must be between 1 and 99. If this setting is blank, no limit is enforced.
- To require users to sign in again if the system detects that the IP address has changed within the same sign-in session, select Validate Session IP Address. This option can help to prevent unauthorized use of a sign-in session. If this setting is blank, a user can change IP addresses within the same session without being prompted to sign in again. This can be useful, for example, to accommodate users moving from workplace to home and changing IP addresses as a result.
- In the Session Duration (minutes) field, enter the maximum number of minutes a user can stay signed into the application portal before being prompted to sign in again. The default is 720 minutes.
- Configure password lockout settings.
Select Enable Password Lockout to lock the password authentication method in the Cloud Authentication Service after the specified number of unsuccessful attempts for a user.
These settings affect password authentication attempts for the SAML IdP and RADIUS for the Cloud Authentication Service and the RSA SecurID Authenticate app. These settings do not affect password attempts for the RSA SecurID Access standard or custom application portals.
For more information on password lockout, see Password Lockout Examples.
In the Failures Allowed Before Lockout field, specify the number of unsuccessful password attempts that a user is allowed before the Cloud Authentication Service locks the password method. The default is 4.
Consider setting this value to be at least one attempt less than the lockout value of the LDAP directory.
The number of attempts is cumulative across SAML IdP and RADIUS for the Cloud Authentication Service and the RSA SecurID Authenticate app. For example, if this value is 4 and a user enters an incorrect password two times in a service provider, one time in a VPN client, and one time during registration with the Authenticate app, then the Cloud Authentication Service locks the password method.
In the Lockout Duration (minutes) field, specify the length of the lockout in minutes. The default is 30.
Consider setting this value to the same value as the LDAP directory observation window, if applicable.
The lockout starts when the password authentication method is locked and expires after 30 minutes. After the specified duration, the Cloud Authentication Service starts processing password attempts from the user again.
Configure RSA SecurID Authenticate, Emergency Tokencode, SMS, and Voice Tokencode settings.
In the Retries Allowed Per Tokencode Method field, you can specify the number of consecutive times users can retry each tokencode method after the first unsuccessful authentication. After this many consecutive retries, the tokencode is locked. Each method is counted and locked separately. The default is 3.
For example, if you use the default, the Authenticate Tokencode is locked after four unsuccessful Authenticate Tokencode attempts, the SMS Tokencode is locked after four unsuccessful SMS Tokencode attempts, Voice Tokencode is locked after four unsuccessful Voice Tokencode attempts, and Emergency Tokencode is locked after four unsuccessful Emergency Tokencode attempts.
The following attempts count as retries:
Resending the SMS or Voice Tokencode.
Using an expired or invalid tokencode.
The following table shows when each tokencode expires.
Authentication Method Expiration Time SMS Tokencode, Voice Tokencode Three minutes after they are sent to the user. Authenticate Tokencode Five minutes after it is generated and displayed on a user's device.
After the number of days configured on the Users > Management page.
After a tokencode is locked, a message informs the user that authentication was unsuccessful, but the message does not indicate the lockout status. Users cannot use the SMS, Voice, and Authenticate tokencodes until you unlock them on the User Management page.
After the Emergency Tokencode is locked, it cannot be manually unlocked or used for authentication. You must generate a new Emergency Tokencode to give the user emergency access.
Select PIN or Device Biometrics to view the Authenticate Tokencode to require users to provide additional authentication (for example, their fingerprint, Face ID, or a PIN) to view the RSA SecurID Authenticate Tokencode. On iOS or Android devices, users can choose either Device Biometrics or PIN. On Windows devices, users must use PIN.
If you enable or disable this setting before users complete registration with the RSA SecurID Authenticate app, this setting is automatically applied when users complete registration. If you enable or disable this setting after users have completed registration, users must restart the RSA SecurID Authenticate app or wait 24 hours for this setting to take effect.
If you selected the PIN or Device Biometrics box, specify the minimum PIN length.
For users who have not yet completed registration, this minimum length is applied during registration. For users who have already complete registration, the RSA SecurID Authenticate app prompts users to change their PINs the next time that they try to use their PINs. The Authenticate app does not prompt users to change their PINs if their PINs already meet this new minimum length or if they only use biometrics to view the tokencode.
Select Require users to unlock device to Approve if you want users to unlock their devices as part of the Approve method.
When this setting is enabled, users receive a notification on their registered devices, tap Approve in the notification, and are prompted to unlock their devices before authentication is completed. To use this setting, users must update the RSA SecurID Authenticate app to one of the following app versions or later: Android: 1.6.0, iOS: 1.6.0, or Windows 2.0.1.
After users update the app, the first time that they try to use Approve, they must open the app, pull down to get the notification, and Approve from within the app. On all subsequent Approve requests, iOS and Android users can Approve within the push notification and then unlock their devices. Older app versions do not display a push notification and users must always open the app and pull down to respond to an Approve request.
This setting does not impact Windows users, but they must update to version 2.0.1 or later and follow the first time instructions to receive push notifications for Approve. The Windows operating system determines how users interact with push notifications.
- Click Save Settings.
(Optional) Click Publish Changes to activate the settings immediately.