How RSA Authentication Manager Protects Your Resources

RSA Authentication Manager is a multifactor authentication solution that verifies authentication requests and centrally administers authentication policies for enterprise networks. Use Authentication Manager to manage security tokens, users, multiple applications, agents, and resources across physical sites, and to help secure access to network, Cloud, and web-accessible applications, such as SSL-VPNs and web portals.

Passwords are a weak form of authentication because access is protected only by a single factor - a string of characters that a user must remember. If the password is discovered by the wrong person, the security of the entire system is compromised. Multifactor authentication provides stronger protection by requiring two or more unique factors to verify a user’s identity, for example, a user must know a PIN and have a mobile phone or laptop.

RSA Authentication Manager provides stronger protection for your resources:

SecurID Tokens

SecurID hardware and software tokens provide tokencodes that enable users to authenticate and access resources protected by Authentication Manager and the Cloud Authentication Service.

A tokencode is a time-based, pseudorandom number that changes at regular intervals. To gain access to protected resources, a user enters a personal identification number (SecurID PIN) + the number displayed on the token (tokencode). The combination of the SecurID PIN and the tokencode is called a passcode.

The user is granted access only if Authentication Manager validates the passcode. Otherwise, the user is denied access. Authentication Manager also supports PINless SecurID authentication.

On-Demand Authentication

Authentication Manager supports on-demand authentication (ODA) that provides strong two-factor authentication without the need for a physical token or dedicated authentication device. When a user enters a valid PIN to log on to the RSA authentication agent on a protected resource, the system delivers a one-time tokencode by way of e-mail or Short Message Service (SMS). The user then provides the tokencode to securely access the protected resource.


You can use RSA RADIUS with Authentication Manager to directly authenticate users attempting to access network resources through RADIUS-enabled devices. RADIUS is automatically installed and configured during the Authentication Manager installation.

Scalable and Interoperable

Authentication Manager deployments are scalable and can authenticate up to one million users. Authentication Manager is interoperable with a wide variety of applications. For a list of supported applications, go to

Integrating Authentication Manager and the Cloud Authentication Service

Integrating Authentication Manager with the Cloud Authentication Service offers opportunities to expand the resources you protect and the authentication methods you make available to users. Authentication Manager is available with the Cloud Plus license and included with the Cloud Premier license. To deploy the Cloud Authentication Service, contact your RSA Sales representative at 1 800 995-5095 and choose Option 1. See Select an Integration Path for RSA Authentication Manager and the Cloud Authentication Service.

Multifactor Authentication

After installing the SecurID Authenticate app on a supported device, users can authenticate with mobile-optimized push notification (Approve), Device Biometrics, or Authenticate Tokencode.

You do not need to replace or update your existing agents or RSA Ready products that use the UDP or TCP protocol. If you have deployed REST protocol authentication agents, your users will be able to authenticate to the Cloud with any form of multifactor authentication that is supported by the Cloud Authentication Service, including biometric methods such as fingerprint verification, SecurID Token, and context-based authentication using factors such as the user's location and network.

RSA Authentication Manager provides high availability by allowing Authenticate Tokencode authentication to continue when the connection between Authentication Manager and the Cloud Authentication Service is not available.

If you deploy RSA Authentication Manager 8.5 or later with REST protocol authentication agents, you can configure the Authentication Manager as a proxy server that sends authentication requests to the Cloud Authentication Service. This creates one secure connection to the Cloud Authentication Service that supports all authentication methods supported by REST protocol authentication agents, whether verified by Authentication Manager or the Cloud Authentication Service.

You can connect in two ways:

SecurID Tokens

Users with SecurID tokens can access SaaS and on-premises web applications and RADIUS clients protected by the Cloud Authentication Service. For more information, see Enable SecurID Token Users to Access Resources Protected by the Cloud Authentication Service on RSA Link.

Authentication Manager 8.7 or later supports transferring SecurID 700 ownership from Authentiction Manager to Cloud Authentication Service. For more information, see Transfer SecurID 700 Hardware Token Ownership to the Cloud Authentication Service.

When Authentication Manager is not deployed, the Cloud Authentication Service can support authentication with the SecurID 700 hardware token. If you have a Cloud-only deployment and you want to enable hardware token, contact your RSA Sales representative or Channel Partner.

RADIUS for the Cloud Authentication Service

If you have an RSA Authentication Manager RADIUS deployment, expand the authentication methods available to users by moving to RADIUS for the Cloud Authentication Service. This path involves configuring a RADIUS client in the Cloud Authentication Service to protect the resources that are currently protected by RADIUS in Authentication Manager. For instructions, see RADIUS for the Cloud Authentication Service Overview on RSA Link.

SecurID Authentication with RSA Authentication Manager

SecurID authentication with RSA Authentication Manager involves the interaction of three distinct components:

  • SecurID authenticators, which generate one-time authentication credentials for a user.

  • RSA Authentication Agents, which are installed on user's computers or client devices and send authentication requests to the Authentication Manager.

  • RSA Authentication Manager, deployed on-premises or in the cloud, which processes the authentication requests and allows or denies access based on the validity of the authentication credentials sent from the authentication agent.

To authenticate a user with RSA, Authentication Manager needs, at a minimum, the following information:

Element Information
User record Contains a User ID and other personal information about the user (for example, first name, last name, group associations, if any). The user record can come from either an LDAP directory server or the Authentication Manager internal database.
Agent record Identifies the name of the machine where the agent is installed. This record in the internal database identifies the agent to Authentication Manager so that Authentication Manager can respond to authentication requests.
Token record Enables Authentication Manager to generate the same tokencode that appears on a user’s SecurID token.

Used with the tokencode to form the passcode.

The Role of RSA Authentication Manager in SecurID Authentication

RSA Authentication Manager software, authentication agents, and SecurID tokens work together to authenticate user identity. SecurID patented time synchronization ensures that the tokencode displayed by a user’s token is the same code that the RSA Authentication Manager software has generated for that moment. Both the token and the Authentication Manager generate the tokencode based on the following:

  • The token’s unique identifier (also called a “seed”).

  • The current time according to the token’s internal clock, and the time set for the Authentication Manager system.

To determine whether an authentication attempt is valid, the RSA Authentication Manager compares the tokencode it generates with the tokencode the user enters. If the tokencodes do not match or if the wrong PIN is entered, the user is denied access.

SecurID Authentication Examples

Authentication Manager software is scalable and can authenticate large numbers of users. It is interoperable with network, remote access, wireless, VPN, Internet, and application products. The following table lists some key examples.

Product or Application


VPN Access

SecurID provides secure authentication when used in combination with a VPN.

Remote dial-in

SecurID operates with remote dial-in servers, such as RADIUS.

Web access

SecurID protects access to web pages.

Wireless Networking

Authentication Manager includes an 802.1- compliant RADIUS server.

Secure access to Microsoft Windows

Authentication Manager can be used to control access to Microsoft Windows environments both online and offline.

Network hardware devices

Authentication Manager can be used to control desktop access to devices enabled for SecurID, such as routers, firewalls, and switches.

© 1994-2023 RSA Security LLC or its affiliates. All Rights Reserved.