Use this task to configure the following settings that affect your entire Cloud Authentication Service deployment:
- Session duration and timeout settings for the Cloud Administration Console and the application portal
- Additional authentication requirements for the Cloud Administration Console
- Password lockout settings
- Settings for the RSA SecurID Authenticate Tokencode, SMS Tokencode, and Voice Tokencode authentication methods
Note: Values in minutes must be a number between 1 and 99,999. For seconds, the number must be between 1 and 300.
Before you begin
- You must be a Super Admin for the Cloud Administration Console.
- You can require administrators to provide additional authentication to access the console. For preliminary steps, see Configure Authentication for the Cloud Administration Console.
- In the Cloud Administration Console, click My Account > Company Settings and select the Sessions & Authentication tab.
- Configure Cloud Administration Console Sessions.
  - In the Session Duration (minutes) field, enter the maximum number of minutes an administrator can stay signed into the Cloud Administration Console before being prompted to sign in again. The default is 720 minutes.
  - In the Inactivity Timeout (minutes) field, enter the maximum number of minutes that the sign-in session can remain idle before the system ends the session. The default is 20 minutes.
- Configure additional authentication for the Cloud Administration Console. This setting requires administrators to provide authentication in addition to the usual password to access the console.
  - In the Additional Authentication field, click Enable.
  - In the Access Policy for Additional Authentication field, select a policy to enforce authentication requirements for the console.
- Configure User Sessions.
  - In the Session Duration (minutes) field, enter the maximum number of minutes a user can stay signed into the application portal before being prompted to sign in again. The default is 720 minutes. Set the session duration lower than the shortest session duration that is specified externally in an application that users can access in the application portal.
  - In the Inactivity Timeout (minutes) field, enter the maximum number of minutes that the sign-in session can remain idle before the system ends the session. The default is 20 minutes. When a session timeout occurs, the browser returns to the sign-in page.
  - In the Sign-in Timeout (seconds) field, enter the maximum wait time for system authentication after the user enters sign-in credentials before a timeout occurs. The default is five seconds. This setting is useful if you have many remote users signing into the same access point. For example, if user sessions are timing out while waiting for authentication, you can increase this setting.
  - To limit the number of concurrent user sessions, select Limit Concurrent Sessions to and enter the number of sessions allowed. The number must be between 1 and 99. If this setting is blank, no limit is enforced.
  - To require users to sign in again if the system detects that the IP address has changed within the same sign-in session, select Validate Session IP Address. This option can help to prevent unauthorized use of a sign-in session. If this setting is blank, a user can change IP addresses within the same session without being prompted to sign in again. This can be useful, for example, to accommodate users moving from workplace to home and changing IP addresses as a result.
- Configure password lockout settings.
  - Select Enable Password Lockout to lock the password authentication method in the Cloud Authentication Service after the specified number of unsuccessful attempts for a user.
    These settings affect password authentication attempts for the SAML IdP and RADIUS for the Cloud Authentication Service and the RSA SecurID Authenticate app. These settings do not affect password attempts for the RSA SecurID Access standard or custom application portals.
    For more information on password lockout, see Password Lockout Examples.
  - In the Failures Allowed Before Lockout field, specify the number of unsuccessful password attempts that a user is allowed before the Cloud Authentication Service locks the password method. The default is 4.
    Consider setting this value to at least one attempt less than the lockout value of the LDAP directory.
    The number of attempts is cumulative across SAML IdP and RADIUS for the Cloud Authentication Service and the RSA SecurID Authenticate app. For example, if this value is 4 and a user enters an incorrect password two times in a service provider, one time in a VPN client, and one time during Authenticate device registration, then the Cloud Authentication Service locks the password method.
  - In the Lockout Duration (minutes) field, specify the length of the lockout in minutes. The default is 30.
    Consider setting this value to the same value as the LDAP directory observation window, if applicable.
    The lockout starts when the password authentication method is locked and expires after the specified duration (30 minutes by default). After the lockout expires, the Cloud Authentication Service starts processing password attempts from the user again.
- Configure tokencode settings.
  - Select Require additional authentication to view the tokencode on the Authenticate app to require users to provide additional authentication (for example, their fingerprint, Face ID, or a PIN) to view the tokencode on the RSA SecurID Authenticate app.
    If you enable or disable this setting before users complete device registration, this setting is automatically applied when users complete registration. If you enable or disable this setting after users have completed device registration, users must restart the RSA SecurID Authenticate app or wait 24 hours for this setting to take effect.
  - In the Retries Allowed Per Tokencode Method field, specify the number of times users can retry each tokencode method after the first unsuccessful authentication. After this many retries, the tokencode is locked. Each method is counted and locked separately. The default is 3.
    For example, if you use the default, the Authenticate Tokencode is locked after four unsuccessful Authenticate Tokencode attempts, the SMS Tokencode is locked after four unsuccessful SMS Tokencode attempts, and the Voice Tokencode is locked after four unsuccessful Voice Tokencode attempts. Resending the SMS or Voice Tokencode counts as a retry.
    Using an expired or invalid tokencode counts as a retry. The SMS Tokencode and Voice Tokencode expire three minutes after they are sent to the user. Authenticate Tokencodes are valid for up to five minutes after they are generated and displayed on a user's device.
    The lockout counter is cleared after a user successfully authenticates. Once locked, a user cannot send or resend the tokencode until an administrator unlocks it. The user sees a message indicating that authentication was unsuccessful, but the message does not indicate that the method is locked.
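The following is an added example, not RSA's code, that models the password lockout and tokencode lockout rules described in the two settings above so that an administrator can check how a given sequence of failed attempts is counted. The setting values are assumed to be the documented defaults, and it is assumed that a successful tokencode authentication clears only the counter of the method that succeeded.

```python
# Added example, not RSA's code: models the lockout rules documented above.
FAILURES_ALLOWED = 4        # Failures Allowed Before Lockout (default)
LOCKOUT_DURATION_MIN = 30   # Lockout Duration (minutes) (default)
RETRIES_PER_TOKENCODE = 3   # Retries Allowed Per Tokencode Method (default)

class PasswordLockout:
    """One cumulative counter shared by SAML IdP, RADIUS and Authenticate registration."""

    def __init__(self):
        self.failures = 0
        self.locked_until = None   # minute at which the lock expires

    def attempt(self, ok, channel, at_minute):
        # `channel` is informational only; every channel feeds the same counter.
        if self.locked_until is not None:
            if at_minute < self.locked_until:
                return "locked"      # attempt is not processed while locked
            self.locked_until, self.failures = None, 0   # duration elapsed
        if ok:
            self.failures = 0
            return "success"
        self.failures += 1
        if self.failures >= FAILURES_ALLOWED:
            self.locked_until = at_minute + LOCKOUT_DURATION_MIN
            return "locked"
        return "failure"

class TokencodeLockout:
    """Per-method counter: locks after the first failure plus the allowed retries."""

    def __init__(self):
        self.failures = {"authenticate": 0, "sms": 0, "voice": 0}
        self.locked = set()

    def attempt(self, method, ok):
        if method in self.locked:
            return "failure"         # the user is not told the method is locked
        if ok:
            self.failures[method] = 0   # assumed: success clears that method's counter
            return "success"
        self.failures[method] += 1   # an expired code or a resend counts as a retry
        if self.failures[method] > RETRIES_PER_TOKENCODE:
            self.locked.add(method)  # stays locked until an administrator unlocks it
        return "failure"

    def admin_unlock(self, method):
        self.locked.discard(method)
        self.failures[method] = 0
```

Replaying the documented scenario (two failures in a service provider, one in a VPN client, one during device registration) against `PasswordLockout` produces the lock on the fourth attempt, and the same number of SMS failures locks only the SMS method in `TokencodeLockout`.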