You can protect registration with the RSA SecurID Authenticate app by using an access policy that controls which users can complete registration using a password as the registration code. The Registration Code field appears in the RSA SecurID Authenticate app during registration and accepts either the numeric code displayed in My Page or an identity source password. You might use this policy to require users to complete registration using My Page.
Note that the purpose of this policy changed with the September 2018 release. Before this release, this policy was used to restrict who could complete registration with the RSA SecurID Authenticate app. Starting with the September 2018 release and the introduction of My Page, this policy now restricts who can use an identity source password as the registration code. If you are already using this policy, review and update your target population, as necessary, based on your company requirements.
This access policy only applies to users who have not completed registration with the Authenticate app. If you do not want existing users to continue using the Authenticate app, delete their Authenticate devices in the Cloud Administration Console.
Configure Device Registration Using Password Policy
The Device Registration Using Password access policy exists by default. You can enable and configure it, or disable it.
Unlike other access policies, you cannot clone or delete it or view access usage. When you disable the access policy, the current configurations are saved and are available when the access policy is enabled again.
1. In the Cloud Administration Console, click Access > Policies.
2. In the Policies page, enable the Device Registration Using Password policy.
3. Edit the access policy by specifying the identity source user attributes and conditions (Authentication Source, IP Address, and Trusted Network) of the target population.
   By default, all users are allowed to complete registration using an identity source password. This access policy does not currently support Additional Authentication options.
4. Publish the changes.
The Cloud Authentication Service enforces this access policy immediately for new Authenticate registrations. This policy does not impact existing registrations.
The following example describes how the RSA SecurID Authenticate Device Registration policy works for an allowed and denied user.
The administrator enables the access policy.
The administrator creates a rule set to require Sales users to complete registration with the Authenticate app using an identity source password. All other users must use My Page to complete registration.
A Sales user downloads the Authenticate app from the app store, opens the app, enters the Company ID, email address, and password as the registration code, and completes registration.
An HR user downloads the Authenticate app from the app store, opens the app, and starts following the instructions. After the user submits the Company ID, email address, and password as the registration code, the app displays "Unable to Complete Setup. Contact your administrator."
When a user is blocked from completing registration with the Authenticate app using a password as the registration code, the Event Monitor logs error 3009. Check for this error when testing this policy and assisting users who might be blocked unintentionally.
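The check described above can be scripted when testing the policy. The following is an added example, not RSA code: it sorts users who hit error 3009 into blocks the policy intended and blocks it did not. The CSV column names, the sample events, the placeholder code 0000, and the department lookup are all constructed assumptions, not the Event Monitor's documented export format.

```python
import csv
import io
from collections import Counter

BLOCKED_CODE = "3009"  # Event Monitor error cited on this page

# Constructed sample export. Column names, descriptions and the 0000 code
# are assumptions, not the Event Monitor's documented export format.
SAMPLE_EVENTS = """timestamp,user,event_code,description
2018-10-01T09:02:11Z,hr.user@example.com,3009,constructed: password blocked
2018-10-01T09:05:40Z,sales.a@example.com,0000,constructed: other event
2018-10-01T09:07:03Z,sales.b@example.com,3009,constructed: password blocked
2018-10-01T09:07:55Z,Sales.B@example.com,3009,constructed: password blocked
2018-10-01T09:09:12Z,unknown@example.com,3009,constructed: password blocked
"""

# Constructed directory data: user -> department attribute.
DEPARTMENTS = {
    "hr.user@example.com": "HR",
    "sales.a@example.com": "Sales",
    "sales.b@example.com": "Sales",
}
ALLOWED = {"Sales"}  # target population from the page's example


def triage_blocked(events_csv, departments, allowed):
    """Split users who hit error 3009 into expected and unintended blocks."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(events_csv)):
        if row["event_code"].strip() == BLOCKED_CODE:
            counts[row["user"].strip().lower()] += 1
    report = {"expected": {}, "unintended": {}, "unknown": {}}
    for user, n in counts.items():
        dept = departments.get(user)
        if dept is None:
            bucket = "unknown"      # not in directory data: investigate
        elif dept in allowed:
            bucket = "unintended"   # policy should have allowed this user
        else:
            bucket = "expected"     # policy denied as designed
        report[bucket][user] = n
    return report


if __name__ == "__main__":
    result = triage_blocked(SAMPLE_EVENTS, DEPARTMENTS, ALLOWED)
    for bucket, users in result.items():
        for user, n in sorted(users.items()):
            print(f"{bucket:10} {user:25} {n} blocked attempt(s)")
```

A user in the "unintended" bucket matched the attribute you meant to allow, so review the rule's other conditions (Authentication Source, IP Address, and Trusted Network) before changing the target population.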