How RSA Authentication Manager Protects Your Resources

Document created by RSA Information Design and Development Employee on Jun 13, 2017Last modified by RSA Information Design and Development Employee on Jan 19, 2021
Version 18Show Document
  • View in full screen mode

RSA Authentication Manager is a multi-factor authentication solution that verifies authentication requests and centrally administers authentication policies for enterprise networks. Use Authentication Manager to manage security tokens, users, multiple applications, agents, and resources across physical sites and in the Cloud, and to help secure access to network, Cloud, and web-accessible applications, such as SSL-VPNs and web portals.

Passwords are a weak form of authentication because access is protected only by a single factor — a secret word or phrase selected by the user. If this password is discovered by the wrong person, the security of the entire system is compromised. Multifactor authentication provides stronger protection by requiring two or more unique factors to verify a user’s identity. Authentication factors in a multifactor system may include:

  • Something the user knows (a password, passphrase, or PIN)
  • Something the user has (a hardware token, laptop computer, or mobile phone)
  • Something the user does (specific actions or a pattern of behavior)

The RSA SecurID Access Base Edition, Enterprise Edition, and Premium Edition include both Authentication Manager and the Cloud Authentication Service. The Cloud Authentication Service supports multiple forms of authentication, such as mobile-optimized push notification (Approve) and Device Biometrics.

Integrating Authentication Manager and the Cloud Authentication Service

Integrating Authentication Manager with the Cloud Authentication Service offers opportunities to expand the resources you protect and the authentication methods you make available to users.

To deploy the Cloud Authentication Service, contact your RSA Sales representative.

Multifactor Authentication

You can connect RSA Authentication Manager and the Cloud Authentication Service. After installing the RSA SecurID Authenticate app on a supported device, users can authenticate with Approve, Device Biometrics, or Authenticate Tokencode.

You do not need to replace or update your existing agents or RSA Ready products that use the UDP or TCP protocol. If you have deployed REST protocol authentication agents, your users will be able to authenticate to the Cloud with any form of multifactor authentication that is supported by the Cloud Authentication Service, including biometric methods such as fingerprint verification, RSA SecurID Token, and context-based authentication using factors such as the user's location and network.

RSA Authentication Manager 8.5 provides high availability by allowing Authenticate Tokencode authentication to continue when the connection between Authentication Manager and the Cloud Authentication Service is not available. For more information, see High Availability Tokencodes.

If you deploy RSA Authentication Manager 8.5 with REST protocol authentication agents, you can configure RSA Authentication Manager as a proxy server that sends authentication requests to the Cloud Authentication Service. This creates one secure connection to the Cloud Authentication Service that supports all authentication methods supported by REST protocol authentication agents, whether verified by Authentication Manager or the Cloud Authentication Service. For more information, see RSA Authentication Manager Secure Proxy Server for the Cloud Authentication Service.

In order to use version 8.5 features, an Authentication Manager deployment that is already connected to the Cloud Authentication Service must connect again after upgrading to version 8.5.

You can connect in two ways:

RSA SecurID Tokens

Users with RSA SecurID tokens can access SaaS and on-premises web applications and RADIUS clients protected by the Cloud Authentication Service. For more information, see Enable RSA SecurID Token Users to Access Resources Protected by the Cloud Authentication Service on RSA Link.


If you have an RSA Authentication Manager RADIUS deployment, expand the authentication methods available to users by moving to RADIUS for the Cloud Authentication Service. This path involves configuring a RADIUS client in the Cloud Authentication Service to protect the resources that are currently protected by RADIUS in Authentication Manager. For instructions, see RADIUS for the Cloud Authentication Service Overview on RSA Link.

Additional Choices for Strong Authentication

In addition, Authentication Manager provides the following choices for strong authentication:

  • RSA SecurID tokens. Hardware and software tokens provide tokencodes that enable users to authenticate and access resources protected by Authentication Manager and the Cloud Authentication Service.

    A tokencode is a pseudorandom number, usually six digits in length. Tokencodes are time-based, changing at regular intervals. To gain access to protected resources, a user enters a personal identification number (SecurID PIN) + the number displayed on the token (tokencode). The combination of the SecurID PIN and the tokencode is called a passcode.

    The user is granted access only if Authentication Manager validates the passcode. Otherwise, the user is denied access. Authentication Manager also supports PINless SecurID authentication.

  • Risk-based authentication (RBA). Strengthens RSA SecurID authentication and traditional password-based authentication by discreetly analyzing user behavior and the device from which a user authenticates to identify potentially risky or fraudulent authentication attempts. When RBA is used to protect a network resource, the system determines the assurance level of each authentication attempt based on the user’s profile, authentication device, and authentication history.
  • On-demand authentication (ODA). When a user enters a valid PIN to log on to the RSA Authentication Agent on a protected resource, the system delivers a one-time tokencode by way of e-mail or Short Message Service (SMS). This tokencode, combined with a PIN known only by the user, enables strong two-factor authentication without the need for a physical token or dedicated authentication device. You can use ODA as a standalone authentication method or as an identity confirmation method for RBA.

Authentication Manager is scalable and can authenticate up to one million users. It is interoperable with a wide variety of applications. For a list of supported applications, go to




Copyright 2021 RSA Security LLC or its affiliates. All rights reserved. RSA Conference logo, RSA, and other trademarks are trademarks of RSA Security LLC or its affiliates. For a list of RSA trademarks, Other trademarks are trademarks of their respective owners.




You are here
Table of Contents > Getting Started > How RSA Authentication Manager Protects Your Resources