Summary

RSA plans to phase out the following deprecated features in the newer versions of RSA MFA Agents.

• UDP mode support
• Authentication Manager Risk-Based Authentication (RBA) support

These features are deprecated in favor of advanced alternatives. RSA has no plans to further develop or enhance the existing functionality.

Details

Removal of Support for UDP Mode

RSA Authentication Agents support UDP and REST protocols for communicating with RSA Authentication Manager. UDP mode is a legacy option that allows Agents to use SecurID OTP credentials for step-up authentication. New versions of RSA MFA Agents (PAM 9.x and Citrix StoreFront 3.x) will no longer support the UDP channel and only REST will be available to connect to Authentication Manager.
For more information on UDP and REST Agents, refer to RSA Authentication Agents.

Next Steps

Customers who have deployed the RSA Authentication Agents in UDP mode need to switch to REST mode when they upgrade to the PAM 9.x and Citrix StoreFront 3.x. RSA strongly recommends customers upgrade the Agents to the newer versions before the end of primary support of the existing Agents that support UDP. RSA will discontinue to support the versions of the Agents that support UDP.
For details on end of primary support, refer to Product Life Cycle.

Impact of Switching to REST

There is no impact on the end-user authentication experience when customers switch from UDP to REST. All authentication methods will continue to work as-is, except for RBA. See the next section for more information.

UDP is a legacy network configuration and RSA recommends customers to adopt the modern REST-based connection that is more secure and provides modern configuration options for Agents.

Removal of Support for Authentication Manager RBA

The newer versions of MFA Agents will no longer support the RBA feature of RSA Authentication Manager. Citrix StoreFront 2.x, Web Agent IIS and Apache (8.x) currently support RBA on the UDP channel. Since the newer versions will no longer support UDP, the RBA feature will not be available for user authentication when you upgrade to the newer versions of MFA Agents.
Note: RSA discontinued selling RBA SKUs more than a year ago.

For more details on RBA, refer to Risk-Based Authentication Policies.

Impacted Agents

RBA is supported in the older versions of Authentication Agents such as Citrix StoreFront, and Web Agent (IIS and Apache) on the UDP channel.
The newer versions of MFA Agents (Citrix StoreFront 3.x) and upcoming Web Agents (IIS and Apache) releases will not support RBA.
Additionally, all custom-built Integrations/clients built on the UDP channel using the SecurID Authentication Agent API for C and Java 8.6 will not receive further updates or support from RSA for troubleshooting.

Alternative Option

RBA identifies potentially risky or fraudulent authentication attempts by prompting additional challenges based on static questions and answers configured. This works today only with Authentication Manager and is not supported with Cloud Authentication Service (CAS). With the shift in modern authentication to align the user experience and the proliferation of new threat vectors, RSA strongly recommends customers consider leveraging Risk AI offered in CAS. This offers a dynamic and rule-based policy engine. Risk AI uses machine learning and unique anomaly detection techniques to provide contextual risk analysis.
For more information on Risk AI, refer to Risk AI - RSA.