Device Registration

Document created by RSA Information Design and Development on Jul 14, 2016
Last modified by RSA Information Design and Development on Nov 22, 2019
Version 45
  

Users complete device registration so that they can use the RSA SecurID Authenticate app (registered on a phone, tablet, or desktop or PC) or FIDO Token to authenticate to protected applications.

 

Device registration binds the device to the user. After device registration, when the user needs to authenticate to an application, RSA SecurID Access prompts the user for methods that the user can complete, for example, Approve, RSA SecurID Authenticate Tokencode, or Device Biometrics. Users who do not register a device using the RSA SecurID Authenticate app are not presented with authentication methods that require the app.

SMS Tokencode, Voice Tokencode, and RSA SecurID token do not require this type of registration.

A user can register a single device with the RSA SecurID Authenticate app installed.

For more information, see:

 

Device Registration for iOS, Android, and Windows Devices

Users can register an iOS, Android, or Windows device using one of the following methods.

                       
Registration Method: Use RSA SecurID Access My Page.

Description: My Page is a web portal that helps provide a secure way for users to register iOS, Android, or Windows devices using multifactor authentication and QR or numeric registration codes. Users sign into My Page on one device (for example, a computer), download the RSA SecurID Authenticate app on another device (iOS or Android), scan a QR code, and complete an optional test authentication. Users can also manually enter a numeric Registration Code if they are unable to scan a QR code.

By default, My Page is disabled. When you enable it, you can also select an access policy that determines which users are allowed to use My Page and which authentication requirements they must satisfy to access the page. For more information, see Manage My Page.

Registration Method: User enters an LDAP password as the Registration Code into the RSA SecurID Authenticate app.

Description: The user downloads the RSA SecurID Authenticate app on a device (iOS, Android, or Windows 10) and enters the identity source email address, your Company ID, and the identity source password (as the Registration Code) in the app.

You can use the Device Registration Using Password policy to restrict which users are allowed to complete device registration using this method. For more information, see Device Registration Using Password Policy.

Registration Method: User enters a Registration Code generated by the administrator.

Description: You use the Cloud Administration Console to generate a numeric Registration Code and then securely provide it to the user. The user downloads the RSA SecurID Authenticate app on a device (iOS, Android, or Windows 10) and enters the user's identity source email address, your Company ID, and the Registration Code in the app. For more information, see Manage Users for the Cloud Authentication Service - Generate a Device Registration Code.

For a complete overview of the steps users perform to complete device registration, see RSA SecurID Authenticate Device Registration Visual Overview. For rollout information, see Cloud Authentication Service Rollout to Users.

 

Device Registration and User or Device Changes for iOS, Android, and Windows Devices

The following table summarizes how RSA SecurID Access handles device registration with user or device changes for iOS, Android, and Windows devices.

                      
Situation: A user completes device registration, deletes or uninstalls the RSA SecurID Authenticate app, and then later needs to complete device registration again on the same device.

How RSA SecurID Access Handles It: The user installs the RSA SecurID Authenticate app again and re-registers the device without administrative action.

Situation:

  • A user completes device registration on one device and then gets a new device. The user needs to complete device registration on the new device.

  • A user performs a factory reset on a registered device and wants to reinstall the app on the same device.

How RSA SecurID Access Handles It: The user can delete the current device in My Page, and then complete device registration. Or the administrator must delete the user's current device before the user can complete device registration again.

Situation:

  • An existing user who has completed device registration on the device no longer needs the device and gives the device to a new user.

  • An existing user who has completed device registration on the device no longer needs the device, performs a factory reset, and gives the device to a new user.

How RSA SecurID Access Handles It:

  1. If necessary, the existing user deletes the device in My Page or deletes the company in the app.

  2. The new user installs the app and completes device registration without administrative action.

 

Device Registration with Multiple Accounts for iOS, Android, and Windows Devices

An individual user can use the RSA SecurID Authenticate app on a single registered device to authenticate to resources protected by up to 10 different accounts.

For example, a user who is a contractor for both Company A and Company B can use a single device to perform step-up authentication to access both companies. The user registers the device for one company and uses the My Accounts screen to add additional accounts as needed.

An administrator might use a single device for testing the behavior of the RSA SecurID Authenticate app for a company's testing environment and production environment. If each environment has a unique company ID, the administrator adds an account for each company. Or if each environment uses the same company ID but has a unique user ID, the administrator adds an account for each user ID.

If an administrator for one account uses the Cloud Administration Console to delete a user's registered device, the RSA SecurID Authenticate app on the user's device continues to work normally for any other account. The activity from one account does not affect the app behavior for other accounts.

Device Registration for FIDO Tokens

For FIDO Tokens, registration happens in one of two ways:

  • The first-time user clicks an icon for a protected application, enters an identity source password, inserts the FIDO Token, and, if required, taps the token. Subsequent authentications do not require a password. This is the default registration method.

  • The user goes to My Page to register the FIDO Token. Users authenticate to My Page according to the access policy protecting My Page. You can make My Page registration a requirement by enabling both My Page and FIDO Token registration in the Cloud Administration Console at Platform > My Page. After both functions are enabled, users can no longer register FIDO Tokens during first-time authentication.

During registration, the user enters an identity source password, inserts the FIDO Token, and, if required, taps the token. Subsequent authentications do not require a password. For a list of supported browsers for the FIDO Token, see Cloud Authentication Service User Requirements.

Device Registration and User or Device Changes for FIDO Tokens

The following table summarizes how RSA SecurID Access handles device registration with user or device changes for FIDO Tokens.

                   
Situation: A user registers a FIDO Token and then loses the token.

How RSA SecurID Access Handles It: The administrator deletes the user's lost token from the Cloud Authentication Service, or the user deletes it using My Page. The administrator gives the user a new token to register.

Situation: A user registers a FIDO Token, no longer needs it, and gives it to another user.

How RSA SecurID Access Handles It: The administrator deletes the user's token or the user deletes it using My Page. The new user must re-register the token.

 

 
