Cloud Access Service Updates
The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).
Terminology Update: Cloud Authentication Service Renamed to Cloud Access Service
This terminology change reflects the platform's expanded capabilities and aligns with upcoming improvements. You may still see both names in the product and documentation as we gradually roll out this update.
Improved TransactionID with Timeout MFA Event for Step-Up Authentication
The TransactionID feature has been updated to include a Timeout MFA event for step-up authentication scenarios. If a user completes primary authentication but then closes the browser or abandons the process before finishing step-up authentication, a Timeout MFA event is triggered. This event is logged after the configured timeout period (15 minutes by default), helping to reduce open-ended authentication threads in the logs and enhancing visibility into incomplete authentication attempts. You can find the new Timeout MFA event in the Cloud Administration Console under Users > User Event Monitor.
Controlling Certificate-Based Authentication in Windows Agent
The CA Service now supports Certificate-Based Authentication (CBA) for Windows MFA Agents integrated with Microsoft Entra ID, giving you greater control and visibility over certificate lifecycle management. With this enhancement, you can view and revoke certificates issued by the CA Service directly from the Cloud Administration Console under Users > Management > Agent Passwordless Login Certificates.
Activity ID for Improved Traceability
The audit logging capability has been enhanced with the Activity ID, allowing you to group user actions within a session for improved traceability and streamlined log analysis. This update supports more effective security auditing, faster troubleshooting, and better visibility into user activity patterns. You can view Activity ID column on the Cloud Administration Console > Users > User Event Monitor, and are also available via the public API.
Client Type Support for OAuth Configuration
To provide greater flexibility and control for custom administrators, the Cloud Administration Console now supports specifying client types when configuring OAuth clients. This enhancement helps administrators tailor OAuth configurations to meet specific application needs and security requirements. You can access this feature by navigating to Platform > API Access Management, making it easier to create and manage OAuth clients with precision.
User Recording Connection Method Toggle in HTTP Federation Proxy Application
The Use Recording connection method is no longer available for HTTP Federation (HFED) Proxy application configuration. Customers who previously configured the HFED Proxy application using this connection method will experience no disruption and existing workflows will continue to function as expected. However, the Use Recording connection method will no longer be available for the new application added using HFED Proxy in the Cloud Administration Console > Applications > Application Catalog > Create From Template > HTTP Federation Proxy > Connection Method tab.
Coming Soon (July Release)
The following section outlines the upcoming features planned for the July release.
RSA MFA Agent for Windows 2.4 Adds Expanded Passwordless Authentication Support
RSA MFA Agent for Windows 2.4 introduces expanded support for passwordless primary authentication methods across both Local Active Directory and Microsoft Entra ID deployments.
- Passwordless authentication methods now include:
-
- FIDO Authentication, in two forms:
- FIDO Security Key (already supported in previous version of MFA Agent for Windows, but only with Local AD Deployment)
- Mobile Passkey (Requires RSA Authenticator V4.6 for iOS and Android, released in July 2025)
- QR Code Authentication
- Biometric Authentication.
- FIDO Authentication, in two forms:
To enable passwordless authentication on machines protected by the RSA MFA Agent for Windows and integrated with Microsoft Entra ID, a certificate must be deployed to the endpoint. To streamline this process, RSA introduces an automated certificate provisioning mechanism that simplifies setup and ensures secure deployment. Additionally, to provide more granular control, two new authentication methods are available for configuration within Assurance Levels, enabling the use of the following passwordless authentication methods:
-
- Agent QR Code
- Agent Device Biometric
- Passwordless authentication methods are available as part of ID Plus E2 and E3 subscription, and are available as an add-on to ID Plus E1 subscriptions
- Passwordless authentication will be added in future releases to other RSA MFA Agents.
RSA Authenticator 4.6 for iOS and Android
Streamlined Credential Registration in RSA Authenticator App
Users can now register both CAS credentials and passkeys (FIDO credentials) through a single, simplified action, reducing the number of steps required. This improves usability and accelerates secure onboarding.
Enhanced Mobile Lock Notifications in RSA Authenticator App
When a critical threat is detected, users will now receive notifications containing detailed information about the threat. This empowers users to resolve certain issues independently and enables them to provide clearer, more actionable information when engaging with their IT Help Desk, improving response time and support efficiency.
In-App Upgrade Notification in RSA Authenticator App
Users will now receive an in-app notification when a newer version is available for download. This helps ensure users stay up to date with the latest features, performance improvements, and security updates.
Expanded Credential Support in RSA Authenticator App
Users can now manage up to 30 RSA credentials, including both Authentication Manager (AM) and CAS credentials. This enhancement is designed for powered users who need access to multiple services, providing greater flexibility and convenience. The user interface has also been updated to simplify navigation and improve the management experience for a larger number of credentials, including passkeys.
Important Notice: Use of Company-Specific URLs Required
As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs).The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com )". To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.
Subscribe to status.securid.com for the Cloud Access Service Status Updates
For information about all service incidents and scheduled maintenance windows for the Cloud Access Service, subscribe to https://status.securid.com.
Operating System (OS) Update for Embedded Identity Router
RSA released an updated Identity Router (IDR) version 12.22.x with the SLES 15 SP6 operating system (OS) image in November 2024, available for both standalone and embedded deployments. However, embedded Identity Routers used with Authentication Manager are not eligible for an in-place upgrade to SLES 15 SP6.
Deployments of IDR version 12.21.x or earlier, which are based on SLES 12 SP5, will continue to receive software package updates. However, be aware that support for SLES 12 SP5-based IDRs will be phased out in the soon. New deployments of embedded IDR version 12.22.x or later will use the latest SLES 15 SP6-based image.
If you are using IDR on SLES 12 SP5, or if your IDR version is v12.21.x or earlier, you must update the IDR to the latest version as soon as possible. Use the new image available from the Cloud Administration Console to perform the update.
To view IDR version and operating system information, see View Identity Router Status in the Cloud Administration Console.
RSA strongly recommends that customers using Embedded IDRs migrate to SLES 15 SP6 based images. To do so, perform the following steps:
- Remove the Embedded IDR from the Authentication Manager appliance. Refer to Remove the Embedded Identity Router from RSA Authentication Manager.
- Download and install the new IDR. Refer to step 3: Deploy the Embedded Identity Router section in the Quick Setup - Connect RSA Authentication Manager to the Cloud Access Service with an Embedded Identity Router article.
Note: In step 1, regenerate the Registration Code from the existing IDR record. You do not need to create a new identity router record.
- Register the new IDR with the existing record in the Cloud Administration Console. Refer to steps 3 to 9 of Step 3: Deploy the Embedded Identity Router section in the Quick Setup - Connect RSA Authentication Manager to the Cloud Access Service with an Embedded Identity Router article.
- In the Cloud Administration Console, click Publish Changes.
After the migration, verify that the new IDR is working as expected by checking the status in the Cloud Administration Console. Refer to View Identity Router Status.
Upcoming End of Primary Support (EOPS) Details
The following table provides details of the RSA products reaching the end of support within the next six months:
| Product | Version | EOPS Date | Extended Support Level 1/Level 2 |
|---|---|---|---|
| MFA Agent for Microsoft Windows | 2.3 | October 2025 | No |
Third-Party Integrations from RSA Ready
The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.
- New Integrations for ID Plus
-
- Articulate Reach 360 (SAML)
- Jamf Connect (OIDC)
- Updated Integrations for ID Plus
-
- ADP Federated SSO (SAML)
- Microsoft GitHub (SAML)
- Okta SSO (SAML)
- SAP NetWeaver (SAML)
Related Articles
RSA May 2025 Release Announcements Number of Views RSA November 2025 Release Announcements Number of Views RSA December 2025 Release Announcements Number of Views RSA January 2025 Release Announcements Number of Views RSA June 2025 Release Announcements Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x
