KevinConway (Customer) asked a question.

Does the RSA MFA Agent work with Pin/Passcode like the RSA Authentication Agent?

We recently received the Security Advisory regarding RSA Authentication Agent 7.4 via Article 000073186. We are running RSA Authentication Manager 8.7 SP2 Update 5. We only have the RSA Authentication Agent 7.3.3.99 and need to upgrade to either the RSA Authentication Agent 7.4.7 or move to the RSA MFA Agent. It seems like we should move to the RSA MFA Agent but I'm not sure if that provides the Pin/Passcode with the RSA Token feature or only a passwordless feature that we have not explored yet. We are trying to analyze this from a cost/benefits analysis of moving away from the Authentication Agent vs. an agent we haven't used before that may not support the Pin Passcode method of a second form of authentication when signing in to Windows Systems.

Any input would be appreciated,

Thanks,

Kevin C.

  • Kevin: For Auth Manager, the two behave almost the same; MFA also works in cloud-only environments while the 7.x.x agents do not. You can have both agents live on the same machine side-by-side if you want to evaluate the end user experience. Probably the biggest difference is that the MFA agent will only ask you for your username at the first login page. If you are in an RSA challenge group, it will then ask for passcode; if not, it will just ask for password. The 7.x.x agent would always ask for username AND passcode, even if the user is not in the challenge group.

  • Further to Dave's comments, cloud support can be enabled either directly from the device, typically a laptop which may be off the corporate network, securely supporting offline OTP-protected access. For AM-connected scenarios, Windows password integration for passwordless-like connections is available. You can also connect cloud-enabled Windows, macOS and Linux MFA agents through AM as a secure proxy with support for hybrid high availability. This will allow end users to use a cloud authenticator to use OTP methods even if the cloud connection is down temporarily. Passwordless features for FIDO authenticators are being added and the current agent supports Azure and Azure/Entra Hybrid joined workstations. Finally, if you want OTP first followed by password as in the LAC agent, there is a GPO setting to enable this. It's especially handy for WPI use cases.
