You can protect RSA SecurID Authenticate device registration with an access policy to control which users can complete device registration using a password as the registration code. The Registration Code field appears in the RSA SecurID Authenticate app during device registration and accepts either the numeric code that displays in My Page or an identity source password. You might use this policy to require users to complete device registration using My Page.
Note that the purpose of this policy changed with the September 2018 release. Before this release, this policy was used to restrict who could complete RSA SecurID Authenticate device registration. Starting with the September 2018 release and the introduction of My Page, this policy now restricts who can use an identity source password as the registration code. If you are already using this policy, review and update your target population, as necessary, based on your company requirements.
This access policy only applies to users who have not completed Authenticate device registration. If you do not want existing users to continue using the Authenticate app, delete their Authenticate devices in the Cloud Administration Console.
Configure Device Registration Using Password Policy
The Device Registration Using Password access policy exists by default. You can enable and configure it, or disable it.
Unlike other access policies, you cannot clone it, delete it, or view its access usage. When you disable the access policy, the current configurations are saved and are available when the access policy is enabled again.
- In the Cloud Administration Console, click Access > Policies.
- In the Policies page, enable the Device Registration Using Password policy.
- Edit the access policy by specifying the identity source user attributes and conditions (Authentication Source, IP Address, and Trusted Network) of the target population.
  By default, all users are allowed to complete device registration using an identity source password. This access policy does not currently support Additional Authentication options.
- Publish the changes.
The Cloud Authentication Service enforces this access policy immediately for new Authenticate device registrations. This policy does not impact existing device registrations.
Device Registration Using Password Policy Flow Example
The following example describes how the RSA SecurID Authenticate Device Registration policy works for an allowed user and a denied user.
The administrator enables the access policy.
The administrator creates a rule set to require Sales users to complete Authenticate device registration using an identity source password. All other users must use My Page to complete device registration.
A Sales user downloads the Authenticate app from the app store, opens the app, enters the Company ID, email address, and password as the registration code, and completes device registration.
An HR user downloads the Authenticate app from the app store, opens the app, and starts following the instructions. After the user submits the Company ID, email address, and password as the registration code, the app displays "Unable to Complete Setup. Contact your administrator."
When a user is blocked from completing Authenticate device registration using a password as the registration code, the Event Monitor logs error 3009. Check for this error when testing this policy and assisting users who might be blocked unintentionally.
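The following added example (not RSA code and not part of the original documentation) shows one way to triage error 3009 events while testing the policy from the flow example, separating expected blocks from users the rule set should have allowed. The CSV column names, the sample events, the non-3009 event code, and the department lookup are all constructed assumptions and do not reflect the Event Monitor's actual export format.

```python
import csv
import io
from collections import defaultdict

BLOCKED_EVENT_CODE = "3009"  # error code named in the documentation above

# Constructed sample export. Column names are hypothetical; 9999 is a placeholder code.
SAMPLE_EVENTS = """timestamp,event_code,user_id
2024-05-01T09:02:11Z,3009,hr.user@example.com
2024-05-01T09:03:40Z,3009,HR.User@example.com
2024-05-01T09:10:05Z,9999,sales.user@example.com
2024-05-01T09:12:31Z,3009,sales.rep@example.com
2024-05-01T09:20:00Z,3009,contractor@example.com
"""

# Constructed snapshot of the identity source attribute the rule set targets.
SAMPLE_DEPARTMENTS = {
    "hr.user@example.com": "HR",
    "sales.user@example.com": "Sales",
    "sales.rep@example.com": "Sales",
}
ALLOWED_DEPARTMENTS = {"Sales"}  # mirrors the flow example: only Sales may use a password


def triage_blocked_registrations(events_csv, departments, allowed):
    """Group 3009 events by user and classify each block against the intended policy."""
    counts = defaultdict(int)
    for row in csv.DictReader(io.StringIO(events_csv)):
        if row["event_code"].strip() == BLOCKED_EVENT_CODE:
            # Normalize case so the same account is not counted as two users.
            counts[row["user_id"].strip().lower()] += 1

    report = {}
    for user, count in counts.items():
        dept = departments.get(user)
        if dept is None:
            verdict = "unknown-user"        # not in the identity snapshot: investigate
        elif dept in allowed:
            verdict = "unintended-block"    # rule set should have matched: review conditions
        else:
            verdict = "expected-block"      # direct the user to My Page
        report[user] = {"count": count, "department": dept, "verdict": verdict}
    return report


if __name__ == "__main__":
    result = triage_blocked_registrations(SAMPLE_EVENTS, SAMPLE_DEPARTMENTS, ALLOWED_DEPARTMENTS)
    for user, info in sorted(result.items()):
        print(user, info)
```

An "unintended-block" result for a user in the allowed population points at the policy's conditions (Authentication Source, IP Address, or Trusted Network) rather than the user attribute.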