RSA Authentication Manager is a multi-factor authentication solution that verifies authentication requests and centrally administers authentication policies for enterprise networks. Use Authentication Manager to manage security tokens, users, multiple applications, agents, and resources across physical sites and in the Cloud, and to help secure access to network, Cloud, and web-accessible applications, such as SSL-VPNs and web portals.
Passwords are a weak form of authentication because access is protected only by a single factor — a secret word or phrase selected by the user. If this password is discovered by the wrong person, the security of the entire system is compromised. Multifactor authentication provides stronger protection by requiring two or more unique factors to verify a user’s identity. Authentication factors in a multifactor system may include:
- Something the user knows (a password, passphrase, or PIN)
- Something the user has (a hardware token, laptop computer, or mobile phone)
- Something the user does (specific actions or a pattern of behavior)
The RSA SecurID Access Base Edition, Enterprise Edition, and Premium Edition include both Authentication Manager and the Cloud Authentication Service. The Cloud Authentication Service supports multiple forms of authentication, such as mobile-optimized push notification (Approve), device biometrics, and standards-based FIDO tokens.
Integrating Authentication Manager and the Cloud Authentication Service
Integrating Authentication Manager with the Cloud Authentication Service offers opportunities to expand the resources you protect and the authentication methods you make available to users:
- Multifactor Authentication. You can use a Security Console wizard to directly connect RSA Authentication Manager and the Cloud Authentication Service. After installing the RSA SecurID Authenticate app on a supported device, users can authenticate with a PIN and Approve, or Authenticate Tokencode without a PIN.
You do not need to replace or update your existing agents or RSA Ready products that use the UDP or TCP protocol. If you have deployed REST protocol authentication agents, your users will be able to authenticate to the Cloud with any form of multifactor authentication that is supported by the Cloud Authentication Service, including biometric methods such as fingerprint verification, hardware devices such as RSA SecurID Token and FIDO Token, and context-based authentication using factors such as the user's location and network. For instructions, see Connect RSA Authentication Manager to the Cloud Authentication Service on RSA Link.
- RSA SecurID Tokens. Users with RSA SecurID tokens can access SaaS and on-premises web applications and RADIUS clients protected by the Cloud Authentication Service. For more information, see Enable RSA SecurID Token Users to Access Resources Protected by the Cloud Authentication Service on RSA Link.
- RADIUS. If you have an RSA Authentication Manager RADIUS deployment, expand the authentication methods available to users by moving to RADIUS for the Cloud Authentication Service. This path involves configuring a RADIUS client in the Cloud Authentication Service to protect the resources that are currently protected by RADIUS in Authentication Manager. For instructions, see RADIUS for the Cloud Authentication Service Overview on RSA Link.
To deploy the Cloud Authentication Service, contact your RSA Sales representative.
Additional Choices for Strong Authentication
In addition, Authentication Manager provides the following choices for strong authentication:
- RSA SecurID tokens. Hardware and software tokens provide tokencodes that enable users to authenticate and access resources protected by Authentication Manager and the Cloud Authentication Service.
A tokencode is a pseudorandom number, usually six digits in length. Tokencodes are time-based, changing at regular intervals. To gain access to protected resources, a user enters a personal identification number (SecurID PIN) + the number displayed on the token (tokencode). The combination of the SecurID PIN and the tokencode is called a passcode.
The user is granted access only if Authentication Manager validates the passcode. Otherwise, the user is denied access. Authentication Manager also supports pinless SecurID authentication, in which case a SecurID PIN is not required.
- Risk-based authentication (RBA). Strengthens RSA SecurID authentication and traditional password-based authentication by discreetly analyzing user behavior and the device from which a user authenticates to identify potentially risky or fraudulent authentication attempts. When RBA is used to protect a network resource, the system determines the assurance level of each authentication attempt based on the user’s profile, authentication device, and authentication history.
- On-demand authentication (ODA). Delivers a one-time tokencode to a user by way of e-mail or Short Message Service (SMS). This tokencode, combined with a PIN known only by the user, enables strong two-factor authentication without the need for a physical token or dedicated authentication device. You can use ODA as a standalone authentication method or as an identity confirmation method for RBA.
- On-demand authentication (ODA). When a user enters a valid PIN to log on to the RSA Authentication Agent on a protected resource, the system delivers a one-time tokencode by way of e-mail or Short Message Service (SMS). This tokencode, combined with a PIN known only by the user, enables strong two-factor authentication without the need for a physical token or dedicated authentication device.
Copyright © 1994 - 2019 Dell Inc. or its subsidiaries. All Rights Reserved.