Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide

The RSA MFA Agent for Microsoft Windows enables users to sign in to their computers without entering a password. The Agent uses certificate-based authentication through Active Directory Certificate Services (AD CS) to provide secure passwordless authentication. Users must register a FIDO Passkey or RSA Authenticator along with their Active Directory (AD) password for the first authentication. Subsequent authentications require only a registered passwordless method.

The Agent creates a Microsoft Virtual Smart Card and enrolls it with a sign-in certificate to support passwordless sign-in. Users can also be prompted for additional (step-up) authentication when signing in to Windows computers or at User Account Control prompts. Supported passwordless methods include FIDO Passkey, QR Code, Mobile Passkey, Device Biometrics, and Emergency Access Code. AD user accounts can be protected by the RSA MFA Agent for additional security. Passwordless authentication is supported when the agent connects directly to Cloud Access Service (CAS), or in hybrid deployments that use Authentication Manager (AM) 8.9, scheduled for release in early 2026.

Passwordless and password + step-up authentication through the MFA Agent are supported on both AD-joined and hybrid-joined devices. Hybrid-joined devices follow the same configuration steps as AD-joined devices.

Upgrade to Passwordless

This section describes how to upgrade machines that already use FIDO Passkeys for primary authentication. The upgrade process applies to RSA MFA Agent 2.3.4 or later upgrading to version 2.4 or later. After the upgrade, FIDO Passkey credentials remain valid, and users can continue to onboard other passwordless authentication methods.

Active Directory Machines Using FIDO Passkeys for Primary Authentication

  1. Update the CAS policy
    Update the existing policy (or create a new one) in the Cloud Administration Console to include FIDO Passkey as a supported primary authentication method. Ensure that the policy name is correctly reflected in the CAS Access Policy GPO setting.
    Note: This is mandatory for machines that were previously FIDO Passkey-enabled. If FIDO Passkey is not included, users will have login issues after the upgrade.
  2. Download the Agent Passwordless Public Key
    1. In the Cloud Administration Console, navigate to My Account > Company Settings > Company Information > Agent Passwordless Public Key, and click Download.
    2. Open the downloaded .pem file and copy the contents starting from -----BEGIN PUBLIC KEY----- up to and including -----END PUBLIC KEY-----.
    3. Paste the copied content into the Cloud Access Service Public Key for Passwordless Authentication GPO setting.

For more information, see the Installation and Administration Guide.
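The public key pasted into the GPO is what the Agent uses to verify material coming from CAS, so a truncated or partial copy of the .pem block shows up later as a failed passwordless sign-in rather than as an obvious configuration error. The following script is an added example, not RSA's code: it extracts exactly the BEGIN/END block from the downloaded file, checks that the body is valid base64 that decodes to a DER SEQUENCE (the start of a SubjectPublicKeyInfo), optionally imports it as an RSA key on PowerShell 7, and places the block on the clipboard for pasting. The file path is an assumption; the file name of the download is a placeholder.

```powershell
# Added example, not RSA's code: validate the downloaded Agent Passwordless Public Key
# before pasting it into the GPO setting. Assumption: the file path below (placeholder name).
$PemPath = "$env:USERPROFILE\Downloads\agent-passwordless-public-key.pem"   # assumed path

function Get-PemPublicKeyBlock {
    param([Parameter(Mandatory)][string]$Path)

    $text = Get-Content -Path $Path -Raw
    # Exactly the span the guide says to copy: BEGIN line through END line, inclusive.
    $match = [regex]::Match($text, '-----BEGIN PUBLIC KEY-----(?<body>[\s\S]*?)-----END PUBLIC KEY-----')
    if (-not $match.Success) {
        throw "No '-----BEGIN PUBLIC KEY-----' block found in $Path"
    }

    # Structural check: the body must be base64 and decode to a DER SEQUENCE (tag 0x30),
    # which is how a SubjectPublicKeyInfo starts. This catches a truncated or partial copy.
    $b64 = $match.Groups['body'].Value -replace '\s', ''
    try {
        $der = [Convert]::FromBase64String($b64)
    } catch {
        throw "Key body is not valid base64 (truncated copy?): $($_.Exception.Message)"
    }
    if ($der.Length -lt 2 -or $der[0] -ne 0x30) {
        throw 'Decoded key does not start with a DER SEQUENCE; this is not a PEM public key'
    }

    # Semantic check on PowerShell 7 (.NET 5+): import it as an RSA public key and report its size.
    try {
        $rsa = [System.Security.Cryptography.RSA]::Create()
        $rsa.ImportFromPem($match.Value)
        Write-Host ("Parsed RSA public key ({0}-bit)" -f $rsa.KeySize)
        $rsa.Dispose()
    } catch {
        Write-Warning 'Could not import the key with .NET (Windows PowerShell 5.1 lacks ImportFromPem); base64/DER checks passed'
    }

    # Return the block exactly as it should be pasted into the GPO setting.
    return $match.Value
}

$block = Get-PemPublicKeyBlock -Path $PemPath
$block | Set-Clipboard
Write-Host ("Key block copied to the clipboard ({0} base64 characters). Paste it into the " +
            "'Cloud Access Service Public Key for Passwordless Authentication' GPO setting." -f ($block -replace '\s', '').Length)
```

Run it on the administration workstation where the GPO is edited. If the script throws on the DER check, re-download the key rather than editing the file by hand.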

Create a Group of Users to Challenge with Passwordless Authentication

You can control access to resources protected by the MFA Agent by specifying which users to challenge for passwordless authentication. You can configure the Agent to challenge:

  • A specific group of users
  • All users except a specific group of users
  • Domain users only (local users are excluded)

The Agent can use a Windows group to control access. The group can be a default Windows group or a group you create using the Windows Computer Management interface or AD. If you want to use a group other than a Windows default group, create it before configuring the Agent.

Confirm that any group you create is recognized by AD and can be queried. For more information on creating groups, refer to your Microsoft Windows documentation.

If the Agent cannot determine group membership from the domain controller, it can retrieve challenge settings from a local cache. If no cached data is found, the Agent can challenge the user with:

  • Passwordless authentication
  • Windows password and additional authentication

Configure challenge settings using the GPO RSA Primary Authentication Challenge Group, and specify how the Agent treats users whose group membership cannot be determined. For more information, see the Group Policy Object Template Guide.
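The group named in the RSA Primary Authentication Challenge Group GPO must exist in AD and must resolve from the client, otherwise the Agent falls back to the cached or "membership undetermined" behaviour described above. The following is an added example, not RSA's code: it creates the group with the ActiveDirectory module, adds pilot users, confirms AD can be queried for it, and then resolves the name to a SID using the same LSA lookup a domain member performs (no AD module required on the client). The group name, domain and user names are assumptions.

```powershell
# Added example, not RSA's code: create and verify the AD group referenced by the
# 'RSA Primary Authentication Challenge Group' GPO. All names below are assumed.
Import-Module ActiveDirectory

$GroupName   = 'RSA-Passwordless-Users'   # assumed group name
$NetBiosName = (Get-ADDomain).NetBIOSName
$PilotUsers  = @('alice', 'bob')          # assumed sAMAccountNames of pilot users

# 1. Create the group if it does not exist (global security group).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Users challenged for passwordless authentication by the RSA MFA Agent'
}
Add-ADGroupMember -Identity $GroupName -Members $PilotUsers

# 2. Confirm AD recognises the group and it can be queried (the guide's explicit check).
$group = Get-ADGroup -Identity $GroupName -Properties Members
"Group {0} (SID {1}) has {2} direct members" -f $group.Name, $group.SID, $group.Members.Count

# 3. Resolve DOMAIN\Group to a SID the way a domain member does. If this fails on the
#    client, the Agent cannot determine membership from the domain controller either.
$sid = ([System.Security.Principal.NTAccount]"$NetBiosName\$GroupName").Translate(
           [System.Security.Principal.SecurityIdentifier])
"Client-side lookup resolved {0}\{1} to {2}" -f $NetBiosName, $GroupName, $sid.Value

# 4. Show which pilot users will actually be challenged (direct group membership only;
#    nested membership would need the user's token groups instead).
foreach ($user in $PilotUsers) {
    $member = Get-ADPrincipalGroupMembership -Identity $user |
              Where-Object { $_.SID -eq $group.SID }
    "{0}: {1}" -f $user, $(if ($member) { 'will be challenged (member)' } else { 'NOT a member' })
}
```

Steps 1, 2 and 4 need the RSAT ActiveDirectory module and rights to create groups; step 3 is the one worth repeating on an Agent-managed client after the GPO is applied.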

Configure GPO Settings for Active Directory Passwordless Authentication

Configure the required RSA MFA Agent GPO settings to enable passwordless authentication for AD-joined and hybrid-joined devices, including CAS connection values, certificate settings, and Passkey configurations. 

For the complete list of GPOs, detailed descriptions, and configuration examples, refer to the Installation and Administration Guide.

Retrieve Details from Active Directory Certificate Services

To retrieve the hostname, authority name, certificate template name, and subject name from AD CS, log in to the Windows system configured as the CA and follow these steps:

Active Directory Certificate Authority Host Name

  1. Go to Start > Control Panel on the Windows computer configured as the AD CA.
  2. Select All Control Panel Items > System.
  3. Click Advanced system settings.
  4. Select the Computer Name tab in the System Properties dialog.
  5. Copy the Full computer name.

Active Directory Certificate Authority Name

  1. Go to Start > Windows Administrative Tools > Certification Authority.
  2. Click Certification Authority in the left pane and select the desired authority.
  3. Right-click the Certification Authority and select Properties.
  4. Copy the Name from the General tab.

Note: The CA name commonly ends with -CA.

Certificate Template Name

  1. Go to Start > Windows Administrative Tools > Certification Authority.
  2. Expand Certificate Templates, right-click the relevant template, and select Manage.
  3. Double-click the certificate template created for Smartcard Logon or Client Authentication.
  4. Under the General tab, you will find the Template Name. Ensure that you copy the Template name, not the Template display name.

Certificate Subject Name

  1. Go to Start > Windows Administrative Tools > Certification Authority.
  2. Expand Certificate Templates, right-click the relevant template, and select Manage.
  3. Double-click the certificate template created for Smartcard Logon or Client Authentication.
  4. Select Build from this Active Directory information under the Subject Name tab.
  5. Set Subject name format to Fully distinguished name.
  6. Copy the Certificate Subject Name.

Note: By default, the Agent uses the fully distinguished name format. Any other format must be copied to the corresponding GPO policy.

Prerequisites

Active Directory Requirements

  • A valid AD password is required for first-time authentication.
  • Do not select the Smart card is required for interactive logon option in the Account tab of the AD user properties.
  • If upgrading from MFA Agent version 2.3.4 or later, follow the Upgrade to Passwordless steps.

Active Directory Certificate Services Requirements

  • Deploy AD CA on the same computer where AD is installed or on a different computer with a trusted connection to the AD Domain Controller. For more information, see Active Directory Certificate Services.
  • Install Microsoft Windows Certificate Services in Enterprise mode. For more information, see Active Directory Certificate Services.
  • Create a Smartcard Logon certificate template. 

RSA Certificate Authority Requirements

  • CA server must be reachable from the client machine.
  • Certificates used by the MFA Agent must be trusted by all client machines.
  • Smartcard Logon certificate template must be available in CA.
  • Administrators must have permission to create and manage certificate templates in AD.

For configuration details, see the Installation and Administration Guide.

Set Up Cloud Access Service

Prerequisites

Before you install and configure the MFA Agent, a CAS administrator needs to complete these tasks:

  • Connect and synchronize AD with CAS.
  • Create an access policy for the MFA Agent. For instructions, see the Add an Access Policy section in Add, Clone, or Delete an Access Policy on the RSA Community.
  • If using conditional authentication based on location or IP address, create trusted locations and networks and configure them in the access policy. See Create a Network Zone in Manage Networks and Add a Trusted Location in Add or Delete a Trusted Location on the RSA Community.
  • Obtain the REST Authentication URL for CAS. It uses the following format: https://<hostname>:<port>/.
    To obtain the <hostname>, in the Cloud Administration Console, go to Platform > Access Management > Authentication API Keys. The Authentication Service Domain field displays the <hostname>. The default <port> is 443.
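The RSA Certificate Authority Requirements above (CA reachable, CA certificates trusted, template available) and the CAS REST URL format https://<hostname>:<port>/ can all be checked from a client before any GPO is configured. The following script is an added example, not RSA's code. It uses Test-NetConnection and certutil for the CA side, looks for the CA certificate in the local Root/intermediate stores and in the enterprise NTAuth store (which Windows consults for smart card logon; an issuing CA missing from NTAuth fails logon even when trusted as a root), and performs a TLS handshake to the CAS host so that an untrusted chain shows up now. The CA host name, CA name, template name and CAS host name are assumptions; replace them with the values retrieved earlier.

```powershell
# Added example, not RSA's code: pre-flight checks from a client that will run the MFA Agent.
# All values below are assumed placeholders; substitute the ones retrieved from AD CS and CAS.
$CaHost       = 'ca01.corp.example'     # assumed: Full computer name of the CA
$CaName       = 'CORP-CA01-CA'          # assumed: Name from the CA's General tab
$TemplateName = 'RSASmartcardLogon'     # assumed: Template name, not display name
$CasHost      = 'cas.example.com'       # assumed: Authentication Service Domain value
$CasPort      = 443                     # default port from the guide
$caConfig     = "$CaHost\$CaName"

$results = [ordered]@{}

# 1. CA reachable: TCP/135 (RPC endpoint mapper used by DCOM enrollment), then a real ICertRequest ping.
$results['CA TCP/135 reachable']      = (Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded
$null = certutil -config $caConfig -ping 2>&1
$results['CA answers certutil -ping'] = ($LASTEXITCODE -eq 0)

# 2. Template enabled on the CA: certutil -CATemplates prints "<Name>: <Display Name> -- ...".
$templates = certutil -config $caConfig -CATemplates 2>&1
$results["Template '$TemplateName' enabled on CA"] = [bool]($templates | Select-String -SimpleMatch "${TemplateName}:")

# 3. CA certificate trusted here, and present in the enterprise NTAuth store used for smart card logon.
$trusted = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
           Where-Object { $_.Subject -match [regex]::Escape("CN=$CaName") }
$results['CA cert in Root/Intermediate CA store'] = [bool]$trusted
$ntauth = certutil -enterprise -store NTAuth 2>&1
$results['CA cert in NTAuth store']   = [bool]($ntauth | Select-String -SimpleMatch "CN=$CaName")

# 4. CAS REST URL https://<hostname>:<port>/ reachable over TLS with a chain this machine trusts.
$restUrl = "https://${CasHost}:${CasPort}/"
try {
    $tcp = [System.Net.Sockets.TcpClient]::new($CasHost, $CasPort)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($CasHost)    # throws if the server chain is not trusted locally
    $results["TLS handshake to $restUrl"] = $true
    $results['CAS certificate subject']   = $ssl.RemoteCertificate.Subject
    $results['CAS certificate expires']   = $ssl.RemoteCertificate.GetExpirationDateString()
    $ssl.Dispose(); $tcp.Dispose()
} catch {
    $results["TLS handshake to $restUrl"] = "FAILED: $($_.Exception.Message)"
}

[PSCustomObject]$results | Format-List
```

A false on "CA answers certutil -ping" with TCP/135 open usually means DCOM dynamic ports are filtered between client and CA, which is the failure the Agent would hit at enrollment time.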

User Requirements

To use passwordless authentication methods, users must register on RSA My Page and enroll one of the following authenticators:

  • RSA Authenticator app (iOS or Android), which supports Device Biometrics, QR code, and Mobile Passkey.
  • A FIDO2-certified security key, such as the RSA DS100 or RSA IShield 2.

Enable Passwordless Authentication

To enable Passwordless authentication for CAS users, perform the following:

Procedure

  • Update the access policy to include passwordless authentication methods as primary authentication methods.
    1. In the Cloud Administration Console, go to Access > Policies, and in the Primary Authentication tab, add one or more of the following methods:
      • FIDO Passkey
      • QR Code (RSA Agent)
      • Device Biometrics (RSA Agent)
      • Mobile Passkey (RSA Agent)
      • Emergency Access Code
    2. Click Save and Finish and then publish your changes.


  • Download the Agent Passwordless Public Key from CAS:
    1. In the Cloud Administration Console, go to My Account > Company Settings.
    2. Select Company Information.
    3. Under Agent Passwordless Public Key, click Download.
  • Obtain the FIDO Relying Party ID from CAS:
    1. In the Cloud Administration Console, go to Platform > Identity Router.
    2. Select an identity router and click Edit.
    3. Click Registration.
    4. Copy the FIDO Relying Party ID from the Authentication Service Domain field.
    5. If not configured, the FIDO Relying Party ID is extracted automatically from the RSA Authentication API REST URL.

If you want users to skip additional authentication after a successful FIDO Passkey primary authentication, make sure that FIDO Passkey is assigned a higher assurance level than the other methods in the access policy.

Create Certificate Templates in Certificate Authority

You can either create a certificate template manually or use the RSA Passwordless Certificate Utility. See the following:

  • Create a Certificate Template Manually
  • Manage Certificate Templates Using the MFA Agent Passwordless Certificate Utility

Create a Certificate Template Manually

Procedure

  1. Log in to the Windows server configured as the CA.
  2. In the Start menu search bar, type mmc.exe, right-click mmc.exe, and select Run as administrator.
  3. In the MMC window, select File > Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins dialog, select Certificate Templates, and click Add.
  5. In the Certificate Templates window, right-click the Smartcard Logon template and select Duplicate Template.
  6. Choose the minimum operating system version of AD CS Certificate Authority (CA) that you want to support. You can also select the minimum recipient operating system for the certificate template. The most recent supported versions are Windows 10 and Windows Server 2016.
  7. In the Properties of New Template window, navigate through each tab and perform the following:
    1. In the General tab, enter a name for the certificate template.
    2. In the Security tab, ensure that the Read and Enroll permissions are checked, and ensure that Autoenroll is not selected.
    3. In the Request Handling tab, set the Purpose to "Signature and encryption" and ensure the Prompt the user during enrollment and require the user input when the private key is used option is selected.
    4. In the Cryptography tab, set Minimum key size to either 1024 or 2048.
    5. In the Issuance Requirements tab, ensure that neither CA certificate manager approval nor This number of authorized signatures is selected.
    6. In the Extensions tab, edit Application Policies so that only Client Authentication and Smart Card Logon are listed. Remove any default policies as necessary.
    7. In the Subject Name tab, select Build from this Active Directory information, and set Subject Name Format to Fully distinguished name.
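Both the values requested in Retrieve Details from Active Directory Certificate Services (CA host name, CA name, template name, subject name format) and the tab-by-tab settings of the manual template procedure above are stored as LDAP attributes in the AD configuration partition, so they can be read and checked without clicking through the MMC. The following script is an added example, not RSA's code: it lists each enterprise CA's pKIEnrollmentService object (cn is the CA name, dNSHostName is the CA host name), then loads the template's pKICertificateTemplate object and checks the subject name flags, key size, issuance requirements and EKU/application policies against the settings above. The flag bit values are the ones documented in MS-CRTD; the template name is an assumption. Permissions on the Security tab and the Request Handling prompt setting are not checked here and must be confirmed in the MMC. The guide allows 1024-bit keys; the script flags anything below 2048 because 1024-bit RSA is deprecated for signing.

```powershell
# Added example, not RSA's code: read CA and template details from AD and verify the template
# against the manual-creation settings. Assumption: the template name below (cn, not display name).
Import-Module ActiveDirectory

$TemplateName = 'RSASmartcardLogon'   # assumed
$pkiBase = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# Each enterprise CA publishes a pKIEnrollmentService object: cn = CA name, dNSHostName = CA host.
Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" -Filter 'objectClass -eq "pKIEnrollmentService"' `
             -Properties dNSHostName, certificateTemplates |
    ForEach-Object {
        [PSCustomObject]@{
            'CA Host Name (GPO: Certificate Authority Host name)' = $_.dNSHostName
            'CA Name (GPO: Certificate Authority Name)'          = $_.Name
            'Templates enabled on this CA'                       = ($_.certificateTemplates -join ', ')
        }
    } | Format-List

# The template is a pKICertificateTemplate object whose cn is the Template name the GPO wants.
$t = Get-ADObject -Identity "CN=$TemplateName,CN=Certificate Templates,$pkiBase" -Properties displayName,
        'msPKI-Certificate-Name-Flag', 'msPKI-Minimal-Key-Size', 'msPKI-Enrollment-Flag',
        'msPKI-RA-Signature', pKIExtendedKeyUsage, 'msPKI-Certificate-Application-Policy'

# Flag bits from MS-CRTD (msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT      = 0x00000001   # set => "Supply in the request" (wrong here)
$CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH = 0x80000000   # set => "Fully distinguished name" built from AD
$CT_FLAG_PEND_ALL_REQUESTS              = 0x00000002   # set => "CA certificate manager approval"
$expectedOids = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2')   # Client Authentication, Smart Card Logon

# AD stores the flags as signed 32-bit integers; mask to the unsigned bit pattern.
$nameFlag   = [int64]$t.'msPKI-Certificate-Name-Flag' -band 0xFFFFFFFF
$enrollFlag = [int64]$t.'msPKI-Enrollment-Flag'       -band 0xFFFFFFFF
$keySize    = [int]$t.'msPKI-Minimal-Key-Size'

function Test-SameOidSet([string[]]$Actual, [string[]]$Expected) {
    (@($Actual | Sort-Object) -join ',') -eq (@($Expected | Sort-Object) -join ',')
}

$checks = [ordered]@{
    'Template name (value for the Certificate Template GPO)' = $t.Name
    'Template display name (do not use in the GPO)'          = $t.displayName
    'Subject: Build from AD, Fully distinguished name'        = (($nameFlag -band $CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH) -ne 0) -and
                                                                (($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0)
    'Minimum key size is 1024 or 2048 (guide)'                = ($keySize -in 1024, 2048)
    'Minimum key size >= 2048 (recommended)'                  = ($keySize -ge 2048)
    'No CA certificate manager approval'                      = (($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -eq 0)
    'No authorized signatures required'                       = ([int]$t.'msPKI-RA-Signature' -eq 0)
    'EKU = Client Authentication + Smart Card Logon only'     = (Test-SameOidSet $t.pKIExtendedKeyUsage $expectedOids)
    'Application policies = the same two OIDs only'           = (Test-SameOidSet $t.'msPKI-Certificate-Application-Policy' $expectedOids)
}
[PSCustomObject]$checks | Format-List
```

Run it from any domain member with the RSAT ActiveDirectory module; reading these objects needs no CA rights. Every check should print True before the template name is pasted into the GPO.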

Manage Certificate Templates Using the MFA Agent Passwordless Certificate Utility

The RSA MFA Agent Passwordless Certificate Utility includes a PowerShell script (RSA_MFA_Agent_For_Windows_Passwordless_Certificate_Utility_v1.0.ps1) and a default JSON template (RSASmartcardTemplate.json) for managing certificate templates in an AD environment.

This command line utility automates the certificate template creation process required for the RSA MFA Agent for Microsoft Windows passwordless use cases.

The utility is available for download on the RSA ID Plus Downloads page on RSA Community.

The utility allows you to:

  • Create a template using the JSON configuration file
  • Customize template validity and renewal periods
  • Retrieve template details
  • Remove a template

For detailed installation steps, commands, and parameter definitions, see the Installation and Administration Guide.

Connect the MFA Agent to the Authentication Service

After you install the MFA Agent, connect it to the Authentication Service so that it can perform the passwordless authentication flows. You specify these settings in the Group Policy Object (GPO) Template, which is installed on the machine as part of the installation.

The GPO Template contains additional policies that are not mentioned below. The following steps list only the required policies to be enabled for the Agent to work. For more information, refer to the Group Policy Object Template Guide.

Procedure

  1. Enable RSA authentication.
  2. Specify the RSA Authentication API key.
  3. Specify the RSA Authentication API REST URL.
  4. Specify the CAS access policy for the Agent to use. This policy must be enabled and configured for the MFA Agent to work with CAS.
  5. Configure passwordless authentication. This setting controls whether the MFA Agent uses passwordless authentication or Windows password with step-up methods.
  6. Specify the Active Directory Certificate Authority Name.
  7. Specify the Active Directory Certificate Authority Host name.
  8. Specify the Certificate Template.
  9. Select either 1024 or 2048 as the Certificate Key Length.
  10. Specify the Certificate Subject.
  11. Specify the FIDO Relying Party ID configured in the Cloud Administration Console.

RSA MFA Agent Authentication Utility

You can use the RSA MFA Agent Authentication Utility to test online and offline passwordless authentication. You can also use this utility to enable passwordless authentication. The Authentication Utility is automatically installed when you install the MFA Agent. You can ask your users to test authentication using this utility and share these instructions with them.

Print or email the document Test Authentication with MFA Agent for Microsoft Windows.

Procedure

  1. Sign in to a computer where the MFA Agent is installed.
  2. Click Start > RSA > RSA MFA Agent Authentication Utility.
    The Test Authentication tab opens by default.
  3. Enter the name of the user for whom you are testing authentication.
    • Enter a simple name (for example, myuser) or an email address (for example, myuser@mydomain.com). This name is displayed for users and cannot be edited.
  4. If you entered a simple user name, specify the domain (for example, mydomain).
    Note: Local user accounts cannot be enabled with passwordless authentication.
  5. Click Test Online Authentication.
  6. Perform authentication using a supported passwordless method, such as FIDO Passkey, QR Code, Device Biometrics, or Mobile Passkey.
    • The MFA Agent verifies your credentials with CAS and prompts for additional authentication if required.
    • If passwordless authentication is successfully enabled, a confirmation message appears.
  7. Wait 60 seconds after successful online authentication, and then click Test Offline Authentication.
    • Authenticate again using a supported method.
    • If offline passwordless authentication is successful, a confirmation message appears.

If authentication is successful, you can sign in to your computer without entering a password. For more information, see Authentication Flow of Passwordless Authentication in the RSA MFA Agent for Microsoft Windows Documentation.

Offline Passwordless Authentication

If the MFA Agent is configured with passwordless authentication, you can authenticate offline using a FIDO passkey. Offline passwordless authentication is available only when the MFA Agent connects directly to CAS or when AM is used as a secure proxy for CAS.

By default, passwordless authentication users are not challenged with additional offline authentication. You can challenge users with one of the following additional offline authentication methods:

  • FIDO Passkey
  • Authenticate OTP
  • Emergency Access Code

Note: Users’ computers must be synchronized with Internet time. If not, configure Windows Time Service or check system clock settings to ensure proper offline authentication.
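Clock skew is an easy thing to rule out before troubleshooting a failed offline authentication. The following is an added example, not RSA's code: it reports the Windows Time service status and configured source with w32tm, then measures the actual offset against a reference server and warns when it exceeds a tolerance. The reference server and the 5-second tolerance are assumptions; domain members normally sync with the domain hierarchy, so a large offset here means the hierarchy itself is drifting.

```powershell
# Added example, not RSA's code: check that this computer's clock is synchronised, since
# offline passwordless authentication depends on it. Threshold and reference server are assumed.
$MaxSkewSeconds = 5                    # assumed tolerance for this check
$Reference      = 'time.windows.com'   # assumed reference server

# Current Windows Time service status and configured source.
$status = w32tm /query /status 2>&1
$source = (w32tm /query /source 2>&1) -join ''
"Configured time source: $source"
$status | Select-String 'Last Successful Sync Time|Stratum|Phase Offset'

# Measure the offset against the reference. With /dataonly, /stripchart prints one sample
# per line in the form "HH:mm:ss, +00.0012345s"; pull the signed offset out of each line.
$samples = w32tm /stripchart /computer:$Reference /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $samples) {
    if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}

if (-not $offsets) {
    Write-Warning "No samples from $Reference; check outbound UDP/123 or test against a domain controller instead"
} else {
    $maxAbs = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($maxAbs -gt $MaxSkewSeconds) {
        Write-Warning ("Clock is off by up to {0:N3}s from {1}; run 'w32tm /resync /force' or fix the time source" -f $maxAbs, $Reference)
    } else {
        "Clock within {0:N3}s of {1}; time-dependent offline checks should pass" -f $maxAbs, $Reference
    }
}
```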

Passwordless Onboarding

The Passwordless Onboarding functionality enables users to onboard supported passwordless authentication methods so they can sign in using those methods.

First-Time Launch (No Onboarded Methods)

If the user has no onboarded methods, the following procedure applies:

Procedure

  1. Click Passwordless Authentication Onboarding.
    The user is prompted to authenticate using the default method configured in the CAS access policy. Other supported passwordless authentication methods (also as configured in the access policy) are displayed under the More ways to sign in menu.
  2. Perform the authentication. A success message appears.
    1. If QR Code, Mobile Passkey, or Device Biometrics was used to authenticate, all other non-FIDO supported methods are automatically onboarded.
    2. If a FIDO Passkey was used, all supported methods, including FIDO Passkeys, are onboarded.

Note: The Emergency Access Code (EAC) authentication method appears only when an administrator has configured it for the user, even if it is included in the access policy.

Onboarding More Methods

A + button is displayed for users who have at least one method yet to be onboarded. If all four methods (QR Code, FIDO Passkey, Mobile Passkey, Device Biometrics) are already onboarded, the + button does not appear.

Emergency Access Methods

Emergency access allows users to sign in when they cannot use their registered passwordless authentication methods. Use the following options based on whether the user has completed passwordless onboarding.

Emergency Access Before Passwordless Onboarding

If the user has not yet onboarded any passwordless authentication methods:

  • Disable the Exclude the Microsoft Password Credential Provider GPO setting. This ensures the Microsoft Password Credential Provider is shown at sign-in, allowing users to authenticate with their Windows password.

Note: After passwordless onboarding is completed, set Exclude the Microsoft Password Credential Provider to Not Configured or Enabled.

Emergency Access After Passwordless Onboarding

Online Authentication

Prerequisites

  • Emergency Access Code must be enabled in CAS access policy.
  • Cloud Authentication Service Public Key for Passwordless Authentication GPO must be configured correctly. Otherwise, disable Exclude the Microsoft Password Credential Provider to allow Windows password sign-in.

Procedure

  1. In the Cloud Administration Console, go to Users > Management.
  2. Search for the user and generate an Emergency Access Code.
  3. Share the code with the user.

The user selects Emergency Access Code from More ways to sign in and enters the code to authenticate.

Offline Authentication

Prerequisites

  • Offline Emergency Access Code must be enabled in My Account > Company Settings > Sessions & Authentication.
  • Cloud Authentication Service Public Key for Passwordless Authentication GPO must be configured correctly. Otherwise, disable Exclude the Microsoft Password Credential Provider to allow Windows password sign-in.

Procedure

  1. In the Cloud Administration Console, go to Users > Management.
  2. Search for the user and generate an Emergency Access Code with an expiry time.
  3. Share the code with the user.

The user selects Emergency Access Code from More ways to sign in and enters the code to sign in offline.

For more information about Emergency Access Codes, see Authentication Methods for Cloud Access Service Users in the Installation and Administration Guide.

Passwordless Authentication Flows

This section describes the flows of passwordless authentication for your first and subsequent authentications.

First Authentication

When you sign in or unlock your computer for the first time, the MFA Agent binds the passwordless authentication methods with your computer. The MFA Agent creates a Microsoft Virtual Smart Card and provisions it with a sign-in certificate for you.

Before you begin, ensure that your computer is connected to the network and all the prerequisites are met.

Procedure

  1. Enter your AD username in the RSA passwordless credential provider.
  2. Perform multi-factor authentication using one of the supported passwordless methods.
  3. The MFA Agent verifies the authentication request with CAS and may prompt you for additional authentication methods if required.
  4. After successful verification, the MFA Agent binds the passwordless authentication methods to your computer.
  5. The MFA Agent creates a Microsoft Virtual Smart Card and provisions it with a sign-in certificate from the AD CA.
  6. After the sign-in certificate is provisioned, you gain access to the computer.

Note: If your AD password has expired, you are prompted to change it. The old password appears in the Change Password window.
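The observable result of a successful first authentication is a Smart Card Logon certificate, issued by the AD CA from the configured template, whose private key lives on the virtual smart card. The following script is an added example, not RSA's code: run in the user's session after the first sign-in, it looks in the user's Personal store for certificates carrying the Smart Card Logon EKU, decodes the Certificate Template Information extension to show which template issued each one, checks the issuer against the expected CA name, confirms the private key is reachable and that the chain validates, and finally lists what certutil reports for the smart card. It assumes that the Windows Certificate Propagation service has copied the card certificate into the user's store, as it does for smart card certificates, and that the CA name below is replaced with the real one.

```powershell
# Added example, not RSA's code: confirm the sign-in certificate provisioned during the first
# passwordless authentication is present and usable. Assumption: the CA name below.
$CaName              = 'CORP-CA01-CA'                # assumed: Name from the CA's General tab
$OID_SMARTCARD_LOGON = '1.3.6.1.4.1.311.20.2.2'      # Smart Card Logon EKU
$OID_TEMPLATE_INFO   = '1.3.6.1.4.1.311.21.7'        # Certificate Template Information extension

# Certificates in the user's Personal store that are usable for smart card logon.
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $OID_SMARTCARD_LOGON }

if (-not $certs) {
    Write-Warning 'No Smart Card Logon certificate in the user store; first authentication may not have completed provisioning.'
    return
}

foreach ($c in $certs) {
    # The template extension formats as "Template=<Name>(<OID>), Major Version Number=..., ...".
    $template = $c.Extensions |
        Where-Object { $_.Oid.Value -eq $OID_TEMPLATE_INFO } |
        ForEach-Object { $_.Format($false) }

    [PSCustomObject]@{
        Subject        = $c.Subject
        Issuer         = $c.Issuer
        IssuedByOurCA  = ($c.Issuer -match [regex]::Escape("CN=$CaName"))
        NotAfter       = $c.NotAfter
        DaysRemaining  = [int]($c.NotAfter - (Get-Date)).TotalDays
        Template       = $template
        HasPrivateKey  = $c.HasPrivateKey   # True when the card's key is reachable through its KSP
        ChainValid     = $c.Verify()        # builds the chain and applies the machine's revocation policy
    } | Format-List
}

# What Windows itself sees on the (virtual) smart card; read-only, may prompt for the card.
certutil -scinfo -silent 2>&1 | Select-String 'Card|Reader|Provider|Subject|Template|Key'
```

A certificate that is present but reports ChainValid as False points at the CA trust or NTAuth prerequisites rather than at the Agent; an empty result points at the enrollment step of the first authentication.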

Subsequent Authentications

After the first authentication, the passwordless method is already bound to your computer and the virtual smart card exists, so you do not need to enter your password for subsequent authentications. Starting with the second authentication, your computer does not necessarily need to be connected to the network; see Offline Passwordless Authentication.

Procedure

  1. Perform the same initial steps as in First Authentication to enter your AD username and complete passwordless authentication.
  2. The MFA Agent verifies your credentials and may prompt for additional authentication methods, if required.
  3. During subsequent authentication, the MFA Agent verifies the authentication data, unlocks the local virtual smart card, and obtains the sign-in certificate.
  4. The MFA Agent sends the certificate to Microsoft Windows, which validates it and grants access to your computer.

For more information, refer to the latest Installation and Administration Guide in RSA MFA Agent for Microsoft Windows Documentation.