High Availability Tokencodes

If the Cloud Authentication Service cannot be reached because the connection is temporarily unavailable or too slow, RSA Authentication Manager can use downloaded High Availability Tokencode records to prompt users for Authenticate Tokencode. Users who authenticate with methods that are supported by the Authenticate app, such as Approve and Device Biometrics, are prompted for Authenticate Tokencode or SecurID authentication. This feature does not support forwarding RADIUS authentication to the Cloud Authentication Service or authentication to SaaS applications.

To use this feature, you must have a direct connection between RSA Authentication Manager 8.5 or later and the Cloud Authentication Service or a connection that uses the embedded identity router in Authentication Manager. You must enable High Availability Tokencodes in the Cloud Authentication Service. For instructions, see Configure High Availability Tokencodes.

How High Availability Tokencodes Work

When High Availability Tokencodes are configured, Authentication Manager automatically downloads High Availability Tokencode records for each user who registered an authenticator with the Cloud Authentication Service. These records begin with MFA* and have unique serial numbers. Authentication auditing records use the new serial number.

The High Availability Tokencode feature does not increase the Authentication Manager license count.

When the Cloud Authentication Service is not available, the following events occur:

  • Users who normally use Authenticate Tokencode, Approve, or Device Biometrics are prompted for Authenticate Tokencode or SecurID passcode.
  • The access policy in the Cloud Authentication Service is not applied.
  • The Authentication Manager lockout policy determines how many failed logon attempts users can make before their accounts are locked and if accounts can be unlocked automatically or by the administrator.
  • Authentication Manager determines whether a user is enabled, disabled, or locked.

After the connection becomes available, Authentication Manager resumes authentication using the Cloud Authentication Service. Authentication Manager does not send the Cloud Authentication Service updated authentication data, such as information about a user's last successful authentication. User status information is available from the Cloud Authentication Service.

Background Maintenance

Most High Availability Tokencode processing occurs automatically, without any administrative tasks:

  • Authentication Manager monitors the Cloud Authentication Service to determine whether it is reachable, and whether High Availability Tokencode records are needed. This information is recorded in log files.
  • A batch job called "Authenticate Tokencode Sync Job" automatically updates High Availability Tokencode records at the same time each day. RSA assigns each customer deployment a synchronization time between 1:00 AM and 5:00 AM local time. Configuration is not required. The total records processed are recorded in the System Activity monitor and log files. The sync marker time attribute records the timestamp of the last synchronized record that is stored in the Authentication Manager internal database.