Cloud Authentication Service Updates
The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).
Streamlined IP Address Management with Network Zones
Administrators can now create their own trusted and restricted IP lists. A network zone contains a range of IP addresses for trusted and restricted networks, strengthening security by controlling network traffic across CAS APIs, CAS Access Policies, and the Identity Router (IDR). These configurations are located on the page previously known as Trusted Networks, which has been renamed to Networks. This feature effectively helps protect against malicious activities, including password spraying.
In the Cloud Administration Console, two pre-configured Network Zones are now available. The Access Policy Network Zones are used in access policies that define authentication conditions based on trusted networks. The IDR Network Zones consist of restricted networks that block unauthorized traffic directed to the IDR and are specifically utilized by the IDR. Additionally, administrators can now manage custom network zones for Authentication and Administration API Keys, ensuring that only trusted clients can access critical services.
RADIUS Client Code Matching Configuration
For RADIUS clients that do not support challenge-response (required for code matching), administrators can now disable the Allow code matching option for specific customers. By default, the Allow code matching option is enabled, ensuring compatibility with clients that support push notification methods. However, for RADIUS clients that do not support challenge-response, disabling this option ensures they are limited to non-push authentication methods when Strict Code Matching is enforced.
iShield Key 2 OATH HOTP OTP Support Now Available
RSA is introducing the new RSA iShield Key Series, powered by Swissbit. Administrators can now upload RSA/Swissbit OATH OTP seeds through the Cloud Administration Console and select "RSA/Swissbit" as the manufacturer. Additionally, when a Swissbit iShield Key 2 is registered as an OATH HOTP OTP hardware authenticator in the Cloud Authentication Service, users can easily register the device via the My Page > My Authenticators section.
Strict Code Matching Enforcement in the Cloud Administration Console
Authentications may use an Authentication Agent or Authentication application that does not support Code Matching. In these cases, users could still use push notification methods even if code matching was enabled. A new setting, Strict Code Matching Enforcement, is now available to administrators. This option is disabled by default to avoid disrupting the current user authentication flow.
When the Strict Code Matching Enforcement option is enabled, users will only be able to use push notification methods if both the Authentication Agent and Authentication application used support the configured Code Matching method. If not, users will be prompted to use one of the other available authentication methods based on the configured policy.
Request Access to Applications and View Your Requests on My Page
Users can now request access to applications directly from My Page, either from the Application Catalog or from applications displayed on My Page that have not yet been provisioned. Application requests can go through an approval process with options for no approval, manager approval, application owner approval, or both. Once access is approved, users will be granted the necessary permissions. Additionally, users can view, track, and cancel their access requests as needed. Approvers can also view and manage pending action items directly from My Page. To enable users to request access, administrators can now activate the Fulfillment service in the Cloud Administration Console. Administrators can configure the approval process and set the fulfillment type (LDAP, SCIM, or Entra ID).
User Event Monitor Enhancements and Rate Limiting
To improve the efficiency of user event logging, rate limiting has been implemented to summarize certain user events when the activity exceeds a defined threshold. Rate limiting applies to "user not found" attempts. When the Cloud Authentication Service detects patterns where rate limiting is applied, administrators will receive an email notification alerting them to relevant events.
Important Notice: Use of Company-Specific URLs Required
Effective March 2025, access through non-company-specific URLs will be discontinued. Administrators need to utilize their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, and redirected URLs from identity providers (IDPs). Access via any other URLs or those lacking a company subdomain will be blocked, resulting in potential loss of functionality. For example, URLs such as https://access.securid.com or https://na2.access.securid.com will no longer be valid. To ensure uninterrupted access, administrators need to promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as necessary.
If a SAML third-party Identity Provider (IdP) is set up for logging into the Cloud Administration Console, it is essential to ensure that both the Sign-In URL and the Assertion Consumer Service (ACS) URL are configured to use the company-specific URLs on the IdP side. If they are not currently configured this way, please make the necessary updates. To find your company-specific Sign-In URL and ACS URL, go to My Account > Company Settings > Sessions and Authentications in the Cloud Administration Console.
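One way to audit stored endpoint settings against this notice, as an added example (not RSA code). The setting names, paths, and the host `example-corp.access.securid.com` are constructed placeholders. Substitute the hosts shown under My Account > Company Settings > Sessions and Authentications.

```python
"""Flag configured endpoints that do not use a company-specific CAS host."""
from __future__ import annotations
from urllib.parse import urlsplit

SERVICE_DOMAIN = "securid.com"  # parent domain of the example URLs in the notice
# Assumption: placeholder for the hosts your tenant actually shows in Company Settings.
COMPANY_HOSTS = {"example-corp.access.securid.com"}

def host_of(value: str) -> str | None:
    """Return the lower-cased host of a URL or bare host[:port] entry, else None."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # lets urlsplit parse a bare host:port as a netloc
    try:
        host = urlsplit(value).hostname
    except ValueError:  # e.g. unbalanced brackets in the host part
        return None
    return host.rstrip(".").lower() if host else None

def classify(value: str, company_hosts: set[str]) -> str:
    host = host_of(value)
    if host is None:
        return "unparseable"
    if host in company_hosts:
        return "company-specific"
    # Exact or dot-anchored suffix match, so lookalike hosts are not mistaken for CAS.
    if host == SERVICE_DOMAIN or host.endswith("." + SERVICE_DOMAIN):
        return "not-company-specific"  # must be updated per the notice
    return "not-cas"  # e.g. the IdP's own endpoints; out of scope here

def audit(settings: dict[str, str], company_hosts: set[str]) -> dict[str, list[str]]:
    """Group setting names by classification."""
    report: dict[str, list[str]] = {}
    for name, value in settings.items():
        report.setdefault(classify(value, company_hosts), []).append(name)
    return report

# Constructed sample configuration (names and paths are illustrative only).
SAMPLE_SETTINGS = {
    "admin_api": "https://example-corp.access.securid.com/example-path",
    "scim": "https://na2.access.securid.com/example-path",
    "am_connection": "ACCESS.SecurID.com:443",
    "idp_acs": "https://idp.example.net/acs",
    "broken": "https://[oops",
}

if __name__ == "__main__":
    for verdict, names in audit(SAMPLE_SETTINGS, COMPANY_HOSTS).items():
        print(f"{verdict}: {', '.join(names)}")
```

Any setting reported as `not-company-specific` still points at a generic or unlisted host and needs to be changed.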
IDR SLES Upgrade (12.22.0)
For Federal customers, the following ciphers will not be supported for both incoming and outgoing connections to the IDR SSO Portal:
- AES128-SHA
- AES128-SHA256
- AES256-SHA
- AES256-SHA256
For more information, please refer to the RSA Identity Router 12.22.x Upgrade Guide.
RADIUS Authentication Rate Limiting for Failed Login Attempts
Rate limiting has been implemented for RADIUS authentication to address consecutive authentication failures. This feature helps detect and prevent certain types of potential attacks by temporarily blocking further attempts once a failure threshold is exceeded.
Identity Router Update Schedule and Versions
Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.
| Date | Description |
|---|---|
| ANZ: 01/06/2025 EU/IN/JP: 01/06/2025 NA/GOV: 01/06/2025 CA/SG: 01/06/2025 | Updated identity router software is available to all customers. |
| Default: Saturday 02/15/2025 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually. |
| Last: Saturday 03/08/2025 | If you postponed the default date, this is the last day when updates can be performed. |
The new identity router software versions are:
| Identity Router Deployment Type | Version |
|---|---|
| On-premises | 12.22.0.0 |
| Amazon Cloud | RSA_Identity_Router 12.22.0.0 |
RSA MFA Agent 9.0 for Microsoft IIS and RSA MFA Agent 9.0 for Apache Web Server Now Available
The new RSA MFA Agent 9.0 for Microsoft IIS and RSA MFA Agent 9.0 for Apache Web Server now deliver all the benefits of RSA MFA Agents. New features include seamless CAS support, REST API integration, and support for a variety of MFA authentication methods, such as:
- Approve
- Biometrics
- Authenticate OTP
- QR Code
- SecurID OTP
- SMS & Voice OTP
- Emergency Access Code
In addition, the new agents support load balancing, extended failover mechanisms, enhanced reporting capabilities, and multiple language support.
UI updates and third-party library upgrades are also included.
The RSA MFA Agent 9.0 for Microsoft IIS and RSA MFA Agent 9.0 for Apache Web Server will be available for download through the RSA ID Plus Downloads page.
The availability of both RSA Authentication Agent 8.0.x for Web for IIS (Microsoft IIS Web Agent) and RSA Authentication Agent 8.0.x for Web for Apache (Apache Web Agent) for online download will end in June 2025.
Note: Primary support for RSA Authentication Agent 8.0.x for Web for IIS and Apache will end in March 2026.
Upcoming End of Primary Support (EOPS) Details
The following table provides details of the RSA products reaching the end of support within the next six months:
| Product | Version | EOPS Date | Extended Support Level 1/Level 2 |
|---|---|---|---|
| Authenticator for Windows | 6.1.3 | February 2025 | No |
| Authentication Agent for Citrix StoreFront | 2.0x | December 2024 | No |