Offline Authentication Policy

An offline authentication policy defines the way users authenticate when they are not connected to the network.

Offline authentication extends SecurID authentication to users when the connection to RSA Authentication Manager is not available (for example, when users work away from the office or when network conditions make the connection temporarily unavailable).

An offline authentication policy is assigned to each security domain. A deployment can have multiple offline authentication policies.

Two policies can conflict if the user is in one security domain and the agent (their computer) is in a different security domain, and the security domains have different offline authentication policies.

RSA does not recommend offline authentication for the following authenticators:

  • PINPads

  • Tokens that do not require PINs

  • Fixed passcodes

These authenticators are likely to contain fewer characters than required by the minimum offline passcode length setting. You can override this setting to explicitly allow offline authentication using these authenticators.

Add an Offline Authentication Policy

In a replicated deployment, changes to policies might not be immediately visible on the replica instance. This delay is due to the cache refresh interval. Changes should replicate within 10 minutes. If you want to make changes take effect sooner on the replica instance, see Flush the Cache.

Note: Any changes made to an offline policy cause all previously generated offline data to be discarded and regenerated.

Procedure

  1. In the Security Console, click Authentication > Policies > Offline Authentication Policies > Add New.

  2. In the Offline Authentication Policy Name field, enter a unique name from 1 to 128 characters.

  3. (Optional) If you want this policy to allow offline authentication, select Enable Offline Authentication. This allows users to authenticate with their tokens when their computers are not connected to the network.

  4. (Optional) To allow Authentication Manager to automatically provide the user's Windows Login Password with a successful SecurID authentication, select Enable Windows password integration.

  5. (Optional) If you want this policy to be the default offline authentication policy, select Set as default offline authentication policy. The default policy is applied to all new security domains.

  6. From the Minimum Online Passcode Length drop-down menu, select the minimum length of the passcode (PIN + tokencode) a user must enter to download days of offline data.

  7. (Optional) PINPad tokens, software tokens, and tokens that do not require PINs are likely to contain fewer characters than required by the minimum offline passcode length setting. RSA recommends that you do not allow offline authentication with these types of tokens. You can, however, use the Allow Offline Authentication Using field to override the minimum length setting for users who authenticate with any of these tokens.

  8. (Optional) Select the Allow offline emergency codes to be generated checkbox if you want RSA Authentication Manager to generate offline emergency codes for users.

  9. Select the type of offline emergency codes that you want to generate:

    • Offline emergency tokencodes. Generate these for users who have misplaced their tokens. Users must enter their PIN followed by the emergency tokencode to gain entry to their computers.

    • Offline emergency passcodes. Generate these only for users who have forgotten their PINs and need a full passcode. In such cases, make sure you properly identify the users before providing them with emergency passcodes. Because emergency passcodes enable authentication without a PIN, RSA recommends that you use emergency tokencodes instead.

  10. In the Lifetime field, enter the length of time, in days, for which emergency codes are valid. The default is thirty days.

  11. In the Maximum Days of Offline Data field, enter the amount, in days, of offline data that you want to allow users to download.

  12. In the Days of Offline Data Warning field, specify the number of remaining days of offline authentication data that triggers a warning to users. The default is seven days. Users who receive the warning must reconnect to the network and replenish their supply of offline logon days. If users run out of offline logon days, they must contact an administrator.

  13. In the Offline Authentication Failures field, enter the number of allowable failed offline authentication attempts before users must use an emergency code to gain entry to their computers.

  14. (Optional) Select the Offline Logging checkbox if you want authentication log entries uploaded to Authentication Manager when the user reconnects to the network.

  15. Click Save.
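The settings in steps 3 through 14 interact: the minimum passcode length and its authenticator override decide who can download offline data, the days-of-offline-data and warning values decide how long an agent can keep authenticating, and the failure limit decides when a user is pushed to an emergency code. The model below is an added example, not RSA Authentication Manager code, and it does not reproduce the product's internals. Field names, default values, the authenticator labels ("pinpad"), and the rule that a successful offline logon clears the failure count are assumptions made for illustration.

```python
"""Constructed model of an offline authentication policy (not RSA's code).

Assumptions, labelled here and in comments: field names, defaults, the
authenticator labels and the "success clears failures" rule are
illustrative; the product's real internals are not reproduced.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import FrozenSet, List, Tuple


def _day(value) -> date:
    """Accept a date or an ISO string such as '2024-01-08'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass(frozen=True)
class OfflinePolicy:
    """Settings from the Add procedure (names and defaults are assumptions)."""
    name: str
    enabled: bool = True
    min_passcode_length: int = 8                 # PIN + tokencode
    allow_short_authenticators: FrozenSet[str] = frozenset()  # override list
    emergency_codes_enabled: bool = True
    emergency_code_lifetime_days: int = 30       # Lifetime field default
    max_offline_days: int = 14
    warning_days: int = 7                        # Days of Offline Data Warning default
    max_failures: int = 3
    upload_offline_log: bool = True


def passcode_meets_policy(policy: OfflinePolicy, authenticator: str,
                          passcode_length: int) -> Tuple[bool, str]:
    """Decide whether a passcode may be used to obtain offline data."""
    if not policy.enabled:
        return False, "offline authentication is disabled by policy"
    if passcode_length >= policy.min_passcode_length:
        return True, "passcode meets the minimum length"
    if authenticator in policy.allow_short_authenticators:
        # Explicit override for PINPads, PIN-less tokens and fixed passcodes.
        return True, f"{authenticator} is explicitly allowed by the policy"
    return False, f"passcode is shorter than the minimum of {policy.min_passcode_length}"


def emergency_code_valid(policy: OfflinePolicy, issued_on, today) -> bool:
    """An emergency code is usable from issue until its lifetime has elapsed."""
    if not policy.emergency_codes_enabled:
        return False
    issued, now = _day(issued_on), _day(today)
    return issued <= now <= issued + timedelta(days=policy.emergency_code_lifetime_days)


@dataclass
class OfflineAgent:
    """State an agent would hold while the computer is off the network."""
    policy: OfflinePolicy
    downloaded_on: date            # date or ISO string; normalised below
    days_downloaded: int
    failures: int = 0
    log: List[str] = field(default_factory=list)

    def __post_init__(self):
        self.downloaded_on = _day(self.downloaded_on)
        # The agent can never hold more offline data than the policy allows.
        self.days_downloaded = min(self.days_downloaded, self.policy.max_offline_days)

    def days_remaining(self, today) -> int:
        used = (_day(today) - self.downloaded_on).days
        return max(0, self.days_downloaded - used)

    def attempt(self, today, credential_ok: bool) -> str:
        """Return the outcome of one offline logon attempt."""
        today = _day(today)
        if self.failures >= self.policy.max_failures:
            self.log.append(f"{today} locked: emergency code required")
            return "emergency-code-required"
        remaining = self.days_remaining(today)
        if remaining == 0:
            self.log.append(f"{today} offline data exhausted")
            return "offline-data-exhausted"
        if not credential_ok:
            self.failures += 1
            self.log.append(f"{today} offline failure {self.failures}/{self.policy.max_failures}")
            if self.failures >= self.policy.max_failures:
                return "emergency-code-required"
            return "failed"
        self.failures = 0  # assumption: a success clears the failure count
        self.log.append(f"{today} offline success, {remaining} day(s) of data left")
        return "ok-warning" if remaining <= self.policy.warning_days else "ok"

    def reconnect(self, today) -> List[str]:
        """Replenish offline days and hand back the log for upload (step 14)."""
        uploaded = list(self.log) if self.policy.upload_offline_log else []
        self.log.clear()
        self.downloaded_on = _day(today)
        self.days_downloaded = self.policy.max_offline_days
        self.failures = 0
        return uploaded


if __name__ == "__main__":
    field_policy = OfflinePolicy(name="Field staff",
                                 allow_short_authenticators=frozenset({"pinpad"}))
    agent = OfflineAgent(field_policy, "2024-01-01", days_downloaded=30)
    for day in ("2024-01-01", "2024-01-08", "2024-01-15"):
        print(day, agent.attempt(day, credential_ok=True))
    print("uploaded:", agent.reconnect("2024-01-15"))
```

Running the script shows the warning appearing once seven days of data remain, the agent refusing to authenticate once the downloaded days are used up, and the offline log being handed back on reconnect. Changing `max_failures` or `warning_days` on the policy object is a quick way to see how tighter values shorten the window before a user needs an emergency code or an administrator.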

Manage an Offline Authentication Policy

You can edit or delete an offline authentication policy, or change the default offline authentication policy that is assigned to all new security domains.

Procedure

  1. In the Security Console, click Authentication > Policies > Offline Authentication Policies > Manage Existing.

  2. Use the search fields to find the policy that you want to edit, delete, or choose as the new default policy.

  3. Do the following:

    Edit an offline authentication policy

    Offline authentication policies are assigned to security domains and apply to all users assigned to that security domain.
    1. Click the policy that you want to edit.

    2. From the context menu, click Edit.

    3. Make the necessary changes to the offline authentication policy.

      If you have not saved your edits, you can click Reset to reset the offline authentication policy as it was before you began editing.

    4. Click Save.

    Delete an offline authentication policy

    When you delete an offline authentication policy, the policy is removed from the deployment and can no longer be assigned to security domains. If you delete an offline authentication policy that has been assigned to a security domain, the default offline authentication policy is automatically assigned to the security domain.

    Before deleting the default offline authentication policy, you must first designate another offline authentication policy as the default.

    1. Click the offline authentication policy that you want to delete.

    2. From the context menu, click Delete.

    3. Click OK.

    Change the default offline authentication policy

    Each deployment has a default offline authentication policy that is assigned to all new security domains. To designate a different policy as the default, edit the policy that you want to set as the default.

    1. Click the policy that you want to set as the default.

    2. From the context menu, click Edit.

    3. Select the Default Policy checkbox to designate the new policy as the default policy for the deployment. This policy is then applied to all security domains that are configured to use the default policy.

    4. Click Save.