How RSA Cloud Access Service Push Authentications Work (Approve and Device Biometrics)
8 months ago
Article Number
000073486
Applies To

RSA ID Plus

RSA Cloud Access Service

RSA Authenticator app (all versions)

Issue

When push authentications are not working as expected, it can be helpful for troubleshooting to understand how messages flow for that type of authentication.

Tasks

Push authentications are the RSA Cloud Access Service (CAS) Approve and Device Biometrics authentications supported by the RSA Authenticator app.

They rely partially on push notifications sent by Apple, Google or Microsoft's notification services.  The vendor notification service used by CAS depends upon the platform where the user's RSA Authenticator app is installed.

Resolution

RSA CAS push authentication message flows for all supported RSA Authenticator app platforms are essentially the same.  The only difference is which vendor's notification service is used, based on the type of device where the user's RSA Authenticator app is installed. 


Apple iOS, iPadOS and MacOS

Push authentication message flow for Apple devices

CAS push authentications for a registered Apple device use the following message flow:

  1. The user commences a CAS authentication with an application.
  2. After an initial exchange of details with CAS, the application sends a request to CAS that triggers Approve or Biometrics. 
    • If Code Matching is enabled, an initial CAS response at this point will include a code for the application to display on the screen while the push authentication is pending (see section "Configure Code Matching Settings" on page Configure Session and Authentication Method Settings).
    • If the application is managed by CAS, it sends/receives directly across the Internet to CAS. If the application is managed by RSA Authentication Manager (AM), the application sends/receives only with AM and AM will pass an authentication request to CAS as required.  
  3. CAS sends a push notification request to the Apple Push Notification Service (APNS).
  4. If notifications are enabled for the RSA Authenticator app on the user's Apple device, APNS will send a standard Apple push notification across the Internet to the device.  The device will display a pop-up notification to the user.
  5. The user taps the notification.
  6. The Apple device's operating system (iOS, iPadOS or MacOS) starts the RSA Authenticator app, or brings it to the foreground if the app was already running.
  7. The Authenticator app connects to CAS and CAS replies with the details of the pending Approve or Device Biometrics authentication.  The app displays the Approve/Reject page. 
  8. The user selects or enters a code if required, then taps Approve or Reject.   If required, the user is also prompted to authenticate with biometrics.
  9. The Authenticator app sends the user's response to CAS.
  10. CAS sends its Allow, Deny or (if additional MFA is required) Challenge response to the application.

Google Android

Android push authentication message flow

CAS push authentications for a registered Android device use the following message flow:

  1. The user commences a CAS authentication with an application.
  2. After an initial exchange of details with CAS, the application sends a request to CAS that triggers Approve or Biometrics. 
    • If Code Matching is enabled, an initial CAS response at this point will include a code for the application to display on the screen while the push authentication is pending (see section "Configure Code Matching Settings" on page Configure Session and Authentication Method Settings).
    • If the application is managed by CAS, it sends/receives directly across the Internet to CAS. If the application is managed by RSA Authentication Manager (AM), the application sends/receives only with AM and AM will pass an authentication request to CAS as required.
  3. CAS sends a push notification request to Google Firebase Cloud Messaging (FCM).
  4. If notifications are enabled for the RSA Authenticator app on the user's Android device, FCM will send a standard Android push notification across the Internet to the device.  The device will display a pop-up notification to the user.
  5. The user taps the notification.
  6. Android starts the RSA Authenticator app, or brings it to the foreground if the app was already running.
  7. The Authenticator app connects to CAS and CAS replies with the details of the pending Approve or Device Biometrics authentication.  The app displays the Approve/Reject page. 
  8. The user selects or enters a code if required, then taps Approve or Reject.   If required, the user is also prompted to authenticate with biometrics.
  9. The Authenticator app sends the user's response to CAS.
  10. CAS sends its Allow, Deny or (if additional MFA is required) Challenge response to the application.

Microsoft Windows

Windows push authentication message flow

CAS push authentications for a registered Windows device use the following message flow:

  1. The user commences a CAS authentication with an application.
  2. After an initial exchange of details with CAS, the application sends a request to CAS that triggers Approve or Biometrics.
    • If Code Matching is enabled, an initial CAS response at this point will include a code for the application to display on the screen while the push authentication is pending (see section "Configure Code Matching Settings" on page Configure Session and Authentication Method Settings).
    • If the application is managed by CAS, it sends/receives directly across the Internet to CAS. If the application is managed by RSA Authentication Manager (AM), the application sends/receives only with AM and AM will pass an authentication request to CAS as required.
  3. CAS sends a push notification request to the Microsoft Windows Push Notification Service (WNS).
  4. If notifications are enabled for the RSA Authenticator app on the user's Windows device, WNS will send a standard Windows push notification across the Internet to the device.  The device will display a pop-up notification to the user.
  5. The user taps the notification.
  6. Windows starts the RSA Authenticator app, or brings it to the foreground if the app was already running.
  7. The Authenticator app connects to CAS and CAS replies with the details of the pending Approve or Device Biometrics authentication.  The app displays the Approve/Reject pop-up window.
  8. The user selects or enters a code if required, then taps Approve or Reject.  If required, the user is also prompted to authenticate with biometrics.
  9. The Authenticator app sends the user's response to CAS.
  10. CAS sends its Allow, Deny or (if additional MFA is required) Challenge response to the application.
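The ten steps above are the same for all three platforms, so the following added example (constructed for this article, not RSA code) models them once with the vendor service chosen per platform. It shows the two points that matter when troubleshooting: the push request only wakes the device while the authentication details are fetched from CAS by the app in step 7, and with Code Matching an Approve that does not carry the code the application displayed is still a Deny. The class name ToyCAS, the helper run_flow, the user name, the two-digit code format and the platform keys are assumptions.

```python
import secrets

# Vendor notification service per platform, as described in this article.
PUSH_SERVICE = {"apple": "APNS", "android": "FCM", "windows": "WNS"}

class ToyCAS:
    """Constructed stand-in for the Cloud Access Service side; not RSA's code."""

    def __init__(self, code_matching=True):
        self.code_matching = code_matching
        self.pending = {}    # auth_id -> details the app fetches in step 7
        self.push_log = []   # (service, user) per push request, step 3

    def request_push(self, user, platform, method, more_mfa=False):
        # Step 2: the application (or AM on its behalf) asks CAS to trigger the method.
        auth_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(100):02d}" if self.code_matching else None
        self.pending[auth_id] = {"user": user, "method": method,
                                 "code": code, "more_mfa": more_mfa}
        # Step 3: the push request only wakes the device; the authentication
        # details stay on CAS until the app connects and asks for them.
        self.push_log.append((PUSH_SERVICE[platform], user))
        return auth_id, code  # the application shows `code` while the push is pending

    def fetch_pending(self, auth_id):
        # Step 7: the Authenticator app connects to CAS for the pending details.
        return self.pending[auth_id]

    def submit_response(self, auth_id, approved, chosen_code=None, biometric_ok=True):
        # Steps 9-10: CAS turns the user's response into Allow, Deny or Challenge.
        p = self.pending.pop(auth_id)
        if not approved:
            return "Deny"
        if self.code_matching and chosen_code != p["code"]:
            return "Deny"  # the user approved, but not the prompt the application showed
        if p["method"] == "biometrics" and not biometric_ok:
            return "Deny"
        return "Challenge" if p["more_mfa"] else "Allow"

def run_flow(platform, approve=True, pick_right_code=True, biometric_ok=True,
             more_mfa=False, method="approve", code_matching=True):
    """Drive the ten steps end to end; return (CAS response, push service used)."""
    cas = ToyCAS(code_matching)
    auth_id, shown = cas.request_push("alice", platform, method, more_mfa)  # steps 1-3
    # Steps 4-6 (notification delivered, tapped, app launched) are not modelled.
    details = cas.fetch_pending(auth_id)                                   # step 7
    assert details["code"] == shown
    chosen = shown if pick_right_code else "no-match"                      # step 8
    return cas.submit_response(auth_id, approve, chosen, biometric_ok), cas.push_log[-1][0]
```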