How RSA Authentication Manager Protects Your Resources

Document created by RSA Information Design and Development on Jun 13, 2017. Last modified by RSA Information Design and Development on Apr 30, 2019.
Version 12

RSA Authentication Manager is a multi-factor authentication solution that verifies authentication requests and centrally administers authentication policies for enterprise networks. Use Authentication Manager to manage security tokens, users, multiple applications, agents, and resources across physical sites and in the Cloud, and to help secure access to network, Cloud, and web-accessible applications, such as SSL-VPNs and web portals.

Passwords are a weak form of authentication because access is protected only by a single factor — a secret word or phrase selected by the user. If this password is discovered by the wrong person, the security of the entire system is compromised. Multifactor authentication provides stronger protection by requiring two or more unique factors to verify a user’s identity. Authentication factors in a multifactor system may include:

  • Something the user knows (a password, passphrase, or PIN)
  • Something the user has (a hardware token, laptop computer, or mobile phone)
  • Something the user does (specific actions or a pattern of behavior)

The RSA SecurID Access Base Edition, Enterprise Edition, and Premium Edition include both Authentication Manager and the Cloud Authentication Service. The Cloud Authentication Service supports multiple forms of authentication, such as mobile-optimized push notification (Approve), device biometrics, and standards-based FIDO tokens.

Integrating Authentication Manager and the Cloud Authentication Service

Integrating Authentication Manager with the Cloud Authentication Service offers opportunities to expand the resources you protect and the authentication methods you make available to users.

| If you want users to access these resources | Use these authentication methods | See instructions |
| --- | --- | --- |
| SaaS and on-premises web applications and RADIUS clients protected by the Cloud Authentication Service | RSA SecurID tokens | Enable RSA SecurID Token Users to Access Resources Protected by the Cloud Authentication Service on RSA Link |
| Agent-protected resources | Authenticate Tokencode * | Enable Cloud Authentication Service Users to access Resources Protected by RSA SecurID on RSA Link |

* Users install the RSA SecurID Authenticate app on a supported device to use Approve or generate tokencodes.

If you have an RSA Authentication Manager RADIUS deployment, expand the authentication methods available to users by moving to RADIUS for the Cloud Authentication Service. This path involves configuring a RADIUS client in the Cloud Authentication Service to protect the resources that are currently protected by RADIUS in Authentication Manager. For instructions, see RADIUS for the Cloud Authentication Service Overview on RSA Link.

To deploy the Cloud Authentication Service, contact your RSA Sales representative.

Additional Choices for Strong Authentication

In addition, Authentication Manager provides the following choices for strong authentication:

  • RSA SecurID tokens. Hardware and software tokens provide tokencodes that enable users to authenticate and access resources protected by Authentication Manager and the Cloud Authentication Service.

    A tokencode is a pseudorandom number, usually six digits in length. Tokencodes are time-based, changing at regular intervals. To gain access to protected resources, a user enters a personal identification number (SecurID PIN) + the number displayed on the token (tokencode). The combination of the SecurID PIN and the tokencode is called a passcode.

    The user is granted access only if Authentication Manager validates the passcode. Otherwise, the user is denied access. Authentication Manager also supports pinless SecurID authentication, in which case a SecurID PIN is not required.

  • Risk-based authentication (RBA). Strengthens RSA SecurID authentication and traditional password-based authentication by discreetly analyzing user behavior and the device from which a user authenticates to identify potentially risky or fraudulent authentication attempts. When RBA is used to protect a network resource, the system determines the assurance level of each authentication attempt based on the user’s profile, authentication device, and authentication history.
  • On-demand authentication (ODA). Delivers a one-time tokencode to a user by way of e-mail or Short Message Service (SMS). This tokencode, combined with a PIN known only by the user, enables strong two-factor authentication without the need for a physical token or dedicated authentication device. You can use ODA as a standalone authentication method or as an identity confirmation method for RBA.
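
The passcode check described under RSA SecurID tokens above, as an added example that is not RSA's code. The page does not describe the SecurID tokencode algorithm, so RFC 6238 TOTP stands in for it; the seed, PIN, 60-second interval and drift window are constructed assumptions.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample values; not real token seeds or PINs.
SEED = b"constructed-demo-seed"
PIN = "4821"
INTERVAL = 60   # seconds each tokencode stays valid (assumed)
DIGITS = 6      # tokencode length, "usually six digits"


def tokencode(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), used here as a stand-in tokencode generator."""
    counter = struct.pack(">Q", unix_time // INTERVAL)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def validate_passcode(passcode: str, seed: bytes, pin: Optional[str],
                      now: int, drift_intervals: int = 1) -> bool:
    """Server-side check: passcode = PIN + tokencode; pin=None means pinless."""
    expected_pin = pin or ""
    if len(passcode) != len(expected_pin) + DIGITS:
        return False
    supplied_pin = passcode[:len(expected_pin)]
    supplied_code = passcode[len(expected_pin):]
    # Constant-time comparisons so response timing does not reveal
    # which factor (PIN or tokencode) was wrong.
    pin_ok = hmac.compare_digest(supplied_pin.encode(), expected_pin.encode())
    code_ok = False
    # Accept neighbouring intervals to tolerate clock drift between
    # the token and the server.
    for step in range(-drift_intervals, drift_intervals + 1):
        candidate = tokencode(seed, now + step * INTERVAL)
        code_ok |= hmac.compare_digest(supplied_code.encode(), candidate.encode())
    return pin_ok and code_ok
```

Both factors are always evaluated before the result is returned, so a correct tokencode with a wrong PIN fails the same way as a wrong tokencode with a correct PIN.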

Authentication Manager is scalable and can authenticate up to one million users. It is interoperable with a wide variety of applications. For a list of supported applications, go to




Copyright © 1994 - 2019 Dell Inc. or its subsidiaries. All Rights Reserved.