RSA SecurID Access Release Notes for the Cloud Authentication Service and RSA Authenticate App
For additional information, see:
RSA SecurID Access Product Release Notes, a portal to all release notes for the Cloud Authentication Service, RSA Authentication Manager, authentication agents, and token authenticators.
RSA Link, to access all RSA SecurID Access product documentation.
The April 2021 release of the Cloud Authentication Service includes the following feature.
In email templates used for sending targeted device registration and emergency access emails, the signature field has been expanded to allow up to 2000 characters. For instructions on configuring emails, see Configure Email Notifications.
Support for Passwordless Authentication Through the MFA Agent 2.1 for Microsoft Windows
A modern, passwordless sign-in experience enables the dynamic workforce to be more productive while protecting the organization’s critical data wherever the user may be. This update to the Windows agent enables passwordless authentication to Windows 10 laptops and desktops using a FIDO2 security key with a USB connector for both online and offline authentication. For more information, see RSA® Authentication Agent for Microsoft Windows Documentation.
On August 26, 2020, RSA announced that TLS 1.2 will be required for Cloud Authentication Service connections beginning on October 31, 2020. To provide additional time for customers to make necessary configuration changes, the date was moved to mid-April 2021. RSA will now enforce TLS 1.2 for all Cloud Authentication Service connections beginning on May 15, 2021. If you have not updated your connections to TLS 1.2, you must do so immediately to ensure uninterrupted connectivity. For details, see this advisory.
A customer reported that new users were unable to register FIDO Yubikey 2.0 tokens under certain circumstances. This problem has been fixed.
The March 2021 release of the Cloud Authentication Service contains the following new features.
Just-in-time user synchronization allows new users (for example, new hires) to immediately register authenticators with the Cloud Authentication Service without waiting for the daily identity source synchronization job to run. This release further enhances support for just-in-time use cases where on-boarding is initiated by the administrator rather than through user self-service. You can also use the Cloud Administration User Details API to add this functionality to your in-house tools. For example, this feature is helpful when your IT Help Desk generates a one-time mobile registration code or manually adds the user’s mobile number for SMS Tokencode delivery. For more information, see View User Information.
A new Cloud Administration REST API can provide your identity, security operations, and incident response teams with visibility into users who exhibit anomalous behavior in your organization based on users’ access patterns. Your teams’ ability to query through this API provides rich identity context for detection (threat hunting), remediation, or forensics exercises. For more information, see the Cloud Administration Anomalous Users API.
The Cloud Administration Retrieve License Usage API can now retrieve the license information for the current month and previous 12 months. This information includes number of MFA licenses used, number of users with third-party FIDO authenticators, number of SMS and Voice tokencodes sent, and number of active users. Use this information to monitor for license compliance. For details, see Cloud Administration Retrieve License Usage API Version 2.
As of March 16, 2021, the Cloud Administration Console no longer supports Internet Explorer. For an up-to-date list of supported browsers, see Supported Browsers for the Cloud Administration Console.
|NGX-58711||The documentation now clarifies how Approve authentication works when the user's device is locked and unlocked. For more information, see Configure Device Unlock for Approve.|
|NGX-56630||Two User Event Monitor messages were displayed for one unsuccessful RSA RADIUS authentication attempt with Authenticate Tokencode, and the attempt counted twice against the lockout count. The issue has been fixed.|
Problem: In the Cloud Administration Console, on the User Management page, the new option to Include users not yet synchronized to the Cloud Authentication Service in your search. Exact matches only fails by showing "No Result Found" if just-in-time synchronization is disabled on the My Account > Company Settings > Company Information page. This problem occurs even if the administrator correctly typed the email address of a valid user.
Workaround: If you want to use this new feature, enable just-in-time Synchronization on the My Account > Company Settings > Company Information page.
The February 2021 release of the Cloud Authentication Service contains the following features.
Configured SAML applications can assign entitlements dynamically based on the business context, such as the user role, as included in the SAML assertion. In the SAML authentication response, the Cloud Authentication Service can send the constant multivalue attributes that you define, in addition to user attributes from the identity source, to SAML applications. For instructions, see Configure Advanced Settings for a SAML Connection.
You can install RSA MFA Agent 1.2 for macOS on Intel ® computers running macOS Big Sur (11.1). The agent also provides emergency access for users to sign in to their offline computers when their primary authenticator is misplaced or unavailable. You can customize the agent by disabling MFA for all unlock situations or for up to 12 hours, and by configuring the number of unsuccessful offline authentication attempts allowed with Authenticate Tokencode. For more information, see RSA MFA Agent for macOS.
The January 2021 release of the Cloud Authentication Service includes the following features.
The certificate used to sign the identity router virtual appliance .ova files expires on January 31, 2021. If you already downloaded an .ova image and have not yet deployed it, you must download the new .ova file (RSA_Identity_Router-188.8.131.52.7.ova) from the Cloud Administration Console as a replacement. The new .ova file will be available from the Cloud Administration Console on January 26, 2021. For instructions, see Obtain the Identity Router Image.
Your existing analytics tools can now discover trends in RSA SecurID Access product usage and registered authenticator patterns by using a REST API that can access the historical data. You can easily obtain the number of active users for the current and previous months, which can help you optimize product use, accurately forecast future needs, plan your budget, and meet compliance requirements. For more information, see Cloud Administration Retrieve License Usage API.
The Identity Confidence dashboard displays a list of the most anomalous users within your organization and provides insights into their behavior based on access patterns. Use this dynamic list to investigate and remediate potential access risks to your organization. For instructions, see View Risk Analytics and Track Behavior for a User.
In the Cloud Administration Console you can now find users who are not yet synchronized and automatically add them to the Cloud Authentication Service. This feature is convenient for finding new users or users who have not previously authenticated. Immediately after the user is added, you can manage that user by performing any administrative operation such as updating the user's SMS phone number or generating a registration code. On the Users > Management page, just type the user's email address and click the prompt. For more information, see View User Information.
Request a Cloud Authentication Service Account Directly from the Security Console in RSA Authentication Manager
You can provision Cloud Authentication Service deployment accounts easily and on-demand from the RSA Authentication Manager (8.5 or later) Security Console without involving RSA Sales or Customer Support. This self-service feature allows you to more fully realize the value of your existing Authentication Manager investment and accelerate the time to value by reducing cost, time, and data-entry errors associated with provisioning new accounts. For more information, see Request a Cloud Authentication Service Account.
RSA Authentication Manager Provides Emergency Failover When the Cloud Authentication Service Cannot be Reached
Authentication Manager will be able to act as an on-premises failover when users present an RSA SecurID tokencode and Authentication Manager cannot reach the Cloud Authentication Service for validation. This feature ensures high availability to on-premises mission critical applications protected by RSA SecurID agents. For more information, see RSA Authentication Manager Secure Proxy Server for the Cloud Authentication Service.
Known browsers that are unused for more than 90 days are removed from users’ list of known browsers. If the Remember this Browser option remains enabled in the Cloud Administration Console on the My Account > Company Settings page, these users will again be prompted to remember the browser. Further, users might be prompted to re-authenticate as required by the configured access policy the next time they attempt to access a protected resource using a previously known browser. In the Cloud Administration Console, Help Desk Administrators can now view separate lists for a user’s registered devices and known browsers on the Users > Management page. Click an arrow to reveal a list of Known Browsers that have been used within the past 90 days.
|NGX-57261||Documentation for the Cloud Administration Authenticator Details API is now updated to reflect that the Last Used On field no longer appears on the User Management page in the Cloud Administration Console.|
|NGX-57044||Some customers were unable to deploy the identity router version 184.108.40.206.6 in certain Amazon Web Services regions. This problem has been fixed.|
|NGX-55454||A customer experienced UI issues in the Cloud Administration Console due to a problem with the RSA Authentication Manager connection setup. This issue has been resolved and improvements made to prevent this from recurring.|
The documentation has been updated to reflect that custom portal settings cannot be used in combination with standard portal settings. The Login Page, Portal Page, and Error Page settings can be used only with the custom portal.
The documentation has been updated to clarify how access policies can control the access to applications after users sign in to the RSA SecurID Access Application Portal. The Portal Multifactor Authentication Policy can require additional authentication to portal. If the configured access policies do not allow a user to access any applications in the portal, the user can still sign into the portal, but no applications will be visible.
In RSA SecurID Authenticate 3.7 for iOS, the following issue has been fixed.
|NGX-56182||Previously, when Dark Mode was enabled on the user's phone, text the user typed into the app could not be read because it appeared as white against a white background. This problem has been fixed. Now the background turns black so the white text is clearly visible.|
RSA SecurID Authenticate 3.7 App for Android contains:
A QR code scan icon on a new tab that is convenient for adding user accounts after device registration.
Miscellaneous bug fixes
In the coming months, RSA will improve security by enforcing the use of Transport Layer Security (TLS) 1.2 or greater encryption for all communication from clients (including identity routers, RSA Authentication Manager, agents, and proxies) to the Cloud Authentication Service. This TLS 1.2 enforcement change is scheduled for mid-April 2021. Before TLS 1.2 rolls out, all customers with RSA MFA Agent for Microsoft Windows 1.1 or 1.2 who expect to use emergency offline authentication must update their agents to the latest 1.2.1 or 2.0.x version to support TLS 1.2.
If offline authentication is enabled for your users and you do not upgrade the agents, the downloaded day files will not be updated on each agent and offline authentication will stop working in mid-April 2021. TLS 1.2 does not affect users’ ability to perform online authentication.
If you are using a proxy to proxy traffic from clients to the Cloud Authentication Service, the proxies must support TLS 1.2.
In the November release, the identity router image available for download is based on the SLES 12 SP5 operating system. If you download and deploy this new identity router image, be aware of the following:
Certificates and keys you upload for SSO SAML applications and RSA SecurID Access Application Portal (domain certificate) in the Cloud Administration Console must each have a minimum key length of 2048 bits.
Signature algorithms RSA\SHA1 (rsa-sha1) and DSA\SHA1 (dsa-sha1) are no longer supported for signing SAML assertions for SAML applications in the RSA SecurID Access Application Portal.
If you choose not to download and deploy the new identity router image, you do not need to take further action. Identity routers will be updated according to the schedule provided in these Release Notes. These updates are software only and do not update the operating system to SLES 12 SP5.
RSA will publish further guidance related to upgrading existing identity routers to SLES 12 SP5 in the coming weeks.
This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule. Note that starting in August 2020, identity router updates are being released independently from Cloud Authentication Service updates.
ANZ, US: 12/3/2020
|Updated identity router software is available to all customers.|
|Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.|
|3/20/2021||If you postponed the default date, this is the last day when updates can be performed.|
Note: Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.
The new identity router software versions are:
As part of continuous platform upgrades and improvements, this release includes security updates to ensure that the Cloud Authentication Service and identity router are safe from security holes and vulnerabilities. RSA stays on top of security best practices by including strong, FIPS 140-2-compliant encryption modules and by hardening operating systems. Such practices reduce the compliance burden for your company.
You can now view the total number of active users for the current and previous months using the Cloud Administration Console Dashboard. You can also collect usage data through the Cloud Administration Retrieve License Usage API for external trending analysis. Use this information to optimize your product usage, accurately forecast future needs, and meet compliance requirements. For more information see Usage Information.
You can disable the Remember This Browser prompt that appears during step-up authentication. After you disable it, users are never prompted to click Remember This Browser. For configuration instructions, see Configure Company Information and Certificates.
The Identity Confidence Dashboard now displays a graph that allows you to see a user's Confidence scores over a period of time. The graph helps you understand:
Any trends in anomalous behavior for an individual user benchmarked against the behavior of all users.
The top contributing factors that pulled the score down for each access attempt where the user's identity confidence score was determined to be low in relation to the Confidence Threshold. The Confidence Threshold is calculated based on information collected from all users within your company.
For more information, see View User Risk Analytics and Track User Behavior Over Time.
|NGX-54086||The embedded identity router was first registered to an account in the Cloud Authentication Service. After the customer changed the registration to a different company account, publishing failed because the new company name started with the same characters as the old company name. This problem has been fixed.|
|NGX-54035||In a deployment where two identity providers were configured for Integrated Windows Authentication (IWA, and one Audience ID was a substring of the other Audience ID, both IWA links sent users to the same IWA server rather than to their configured server. This problem has been fixed and users are now directed to their configured server.|
|NGX-51657||The RSA SecurID Access Application Portal did not prompt users for additional authentication under unusual environmental conditions. This problem has been fixed.|
RSA SecurID Authenticate 3.6 app for iOS contains the following updates and improvements:
User Event Monitor Displays Factors Contributing to Low Identity Confidence ScoreUser Event Monitor Displays Factors Contributing to Low Identity Confidence Score
The User Event Monitor in the Cloud Administration Console now provides you with enhanced visibility into user behavior. If a user's identity confidence score is low (below the Confidence Threshold), the monitor lists up to four factors that most contributed to lowering that user's score. The factors are listed in order from most impactful to less impactful. For example:
This improvement can help administrators and security analysts to better understand and troubleshoot risk-driven decisions. For more information, see View a User's Confidence Score in the User Event Monitor.
You can now copy the authentication endpoint URL directly from the Cloud Administration Console and paste it in a secure place for delivery to your web client developers. This feature reduces the chance of error when retrieving the URL. For instructions, see Copy the RSA SecurID Authentication API REST URL.
RSA MFA Agent 1.1 for macOS now includes the following features:
Users with registered devices can use Device Biometrics as an authentication method.
Users can test authentication with the RSA Agent Control Center.
For more information, see RSA MFA Agent for macOS.
RSA is changing how it communicates updates for the RSA SecurID Access Cloud Authentication Service, including monthly maintenance notifications and service incidents. The new status page, status.securid.com, brings our current and historical uptime status together with a digest of all past and present incidents and associated details. RSA will also be able to better communicate updates throughout the course of any active incident.
You will now be able to select which notifications you want to receive based on your region, reducing unwanted email updates. Most current subscribers will be automatically subscribed to the new notification service. However, all current subscribers who want to continue to receive service notifications for the Cloud Authentication Service should take the following steps to confirm that they are subscribed correctly:
To subscribe or to check your subscription settings:
Go to status.securid.com.
Click Subscribe to Updates.
Enter your email address and click Subscribe.
Status.securid.com is now live. See our advisory for more details about status.securid.com. RSA will continue to send service and maintenance notifications from our existing Service Notifications space through October 30, 2020.
|NGX-53653||Previously, a customer was unable to add new Amazon Web Services applications for SSO when specific values were added in attribute extensions. This issue has been fixed.|
|NGX-53473||In the Cloud Authentication Service, phone number validation has been updated to incorporate recent changes in phone numbering systems worldwide.|
|NGX-52155||Documentation for the Cloud Authentication Service has been updated to make it easier to delete an identity source that is being used by a custom access policy or the Device Registration Using Password Policy. For instructions, see Delete an Identity Source from the Cloud Authentication Service.|
In the Cloud Administration Console, when you update the FIDO host name, a log event is now created so you can easily identify why the publish status changed.
In a particular scenario, the identity router upgrade date scheduled by the customer was not honored and the identity router was upgraded prior to the scheduled date. This problem has been fixed.
|NGX-53081||Previously, some users who tried to register a FIDO security key were not prompted to name the key and save it. Also, some users were unable to delete the security key on the first attempt. These problems have been fixed.|
RSA SecurID Authenticate 3.5 app for Windows contains the following updates and improvements:
Security enhancements using the Microsoft Cryptography API.
Note: Users who upgrade to this version from 3.2 or earlier must delete all previous accounts and re-register.
Actions Required for Upcoming Identity Router and RSA SecurID Authenticate App Security ImprovementsActions Required for Upcoming Identity Router and RSA SecurID Authenticate App Security Improvements
To strengthen the overall security of RSA SecurID Access, RSA is rolling out significant improvements that affect all identity routers and the RSA SecurID Authenticate app (iOS and Android). See this advisory for information on these improvements. To ensure uninterrupted service and avoid downtime, you must perform the following actions.
|Action||Begin Action||End Action|
|After RSA migrates database data to FIPS-supported algorithms, the Cloud Administration Console will display a Changes Pending message. Please ignore this message as a publish is not required. This status will disappear after your next regular publish.||No customer action needed. EMEA and ANZ regions: 8/29/2020 US region: 9/12/2020|
You must upgrade RSA SecurID Authenticate 2.x for Android or iOS to the latest version by October 12, 2020. See this advisory for details.
|Immediately||October 12, 2020|
You must update all identity routers to the August release before the next identity router upgrade date (October 31, 2020):
After October 31, RSA SecurID Access will enforce TLS1.2 for all connections. Versions of TLS earlier than 1.2 will no longer work.
To ensure uninterrupted connectivity, make sure your identity routers are running the latest software version (220.127.116.11) prior to October 31. For instructions, see Update Identity Router Software for a Cluster.
If you are using a proxy server you must ensure it also supports TLS 1.2 and later.
|Follow your normal upgrade schedule.||October 31, 2020|
Note: A new identity router that takes advantage of hardened security and the latest operating system patches using SLES version 12 SP5 is coming in November. Watch future notifications for details.
RSA improved integration options for customers with SAML-based applications who cannot use the SAML Authentication Context attribute to assign an access policy based on a condition such as the user group and/or resource being accessed. These customers now have increased flexibility when assigning policies by configuring multiple service provider (SP) connections, each with its own unique identifier. For more information, see Add a Service Provider.
Customer administrators can now securely login to the Cloud Administration Console through federation by extending their identity provider (IdP). Administrators who are using a common access card (CAC) and personal identity verification (PIV) can continue to use the Federal IdP infrastructure to perform a federated login to the Cloud Administration Console. For instructions, see Configure Session and Authentication Method Settings.
Previously, resetting an Active Directory password from the custom application portal using the resetpw API did not enforce the Active Directory password policy. This problem has been fixed.
|NGX-50457||The Cloud Administration User Event API produced incorrect output. In the row showing which authentication method was used to access an application, the Application column showed the type of device used to complete the authentication method rather than the actual application being accessed. This problem has been fixed and this column no longer shows the device type.|
|NGX-50062||In the Cloud Administration Console, a customer was unable to successfully Publish Changes. Instead, the request continued to load and change to Publish Pending. This problem was traced to a misconfiguration issue. For instructions to prevent this problem from occurring, see Add an Identity Source for the Cloud Authentication Service.|
This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule. Note that starting in August 2020, identity router updates will be released independently from Cloud Authentication Service updates.
|Updated identity router software is available to all customers.|
9/26/2020 (EMEA, ANZ)
|Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.|
|10/31/2020||If you postponed the default date, this is the last day when updates can be performed.|
The new identity router software versions are:
Android and iOS Users Must Upgrade RSA SecurID Authenticate 2.x App the Latest Version by October 12, 2020
RSA is continually enhancing RSA SecurID Access by adding new features and keeping up-to-date with security best practices. To keep up with these changes, users with RSA SecurID Authenticate 2.x for Android or iOS must upgrade to the latest version available in the Apple App and Google Play stores by October 12, 2020. After this date, 2.x users will not be able to authenticate. RSA strongly recommends that you upgrade users as soon as possible to avoid any interruptions or downtime. For more information, see this advisory.
The RSA Cloud Administration APIs now include support for FIDO. Customers and RSA Ready technology partners can enable their commercial and custom applications to enroll FIDO Tokens leveraging these APIs in addition to using RSA SecurID Access for FIDO-based authentication. For more information, see Cloud Administration FIDO Authenticator API.
RSA has redesigned the RSA SecurID Access Application Portal with the same modern look-and-feel that users already see in the web authentication and My Page screens. Improvements include an updated visual design, accessibility improvements and improved ability to display custom customer logos. For example:
If your Cloud Authentication Service deployment was integrated with RSA Authentication Manager and it allows users with RSA SecurID Tokens to access cloud-protected resources, you can now delete unused connections. Deleting prevents you from receiving unnecessary logging errors.
Note: Use this feature only after you have updated the identity router software to version 18.104.22.168.5.
For more information, see Delete the Connection Between the Cloud Authentication Service and RSA Authentication Manager.
|NGX-50436||In the Cloud Administration Console, informational text and online Help for High Availability Tokencode were corrected.|
|NGX-48685||An identity router configured with one network interface was unable to connect to RSA Authentication Manager after reboot unless an administrator clicked Update IDR Setup Configuration on the Identity Router Setup page. This problem has been fixed.|
|NGX-48520||In the Cloud Administration Console, the Last Used On field was removed from the User Management page because it did not apply to mobile devices.|
|NGX-47885||The browser autocomplete feature is no longer enabled for text fields on the RSA SecurID Access Application Portal and the Identity Router Setup Console.|
Previously, disabling Identity Confidence Collection in the Cloud Administration Console on the My Account > Company Settings > Company Information page broke access policies that used the Trusted Network conditional policy attribute and were used by applications configured for single sign-on (SSO). This problem has been fixed.
|NGX-44842||In the Cloud Administration Console, the user interface design and Help text have been improved to make it easier to configure user attributes when you add an identity source.|
|NGX-44332||The identity router can now communicate with its software update repositories over TLSv1.2.|
RSA SecurID Authenticate 3.3 app contains modifications that are required for future app releases. To ensure that Windows users with earlier versions have the latest product improvements, these users must upgrade the app to version 3.3 to avoid re-registration.
RSA MFA Agent 2.0 for Microsoft Windows leverages the Cloud Authentication Service and RSA Authentication Manager 8.5 to provide strong multifactor authentication to users signing into Windows, both online and offline. The MFA Agent provides multiple authentication options for users, along with features that improve user productivity and security during Windows sign-in. This update contains many new features, including:
Authentication to both Cloud Authentication Service and RSA Authentication Manager 8.5. You can choose from the supported multifactor authentication options based upon your business needs.
Offline authentication available for both RSA Authentication Manager and Cloud Authentication Service users.
REST-based agent that addresses security and compliance needs with strong crypto algorithms.
Enhanced load balancing and failover with additional administrative controls and new options for customizing the user sign-in experience.
For complete information on new features, see RSA MFA Agent 2.0 for Microsoft Windows Release Notes.
RSA also offers an MFA Agent for the macOS. For complete documentation, see RSA MFA Agent 1.0 for macOS.
RSA SecurID Authenticate 3.6 for Android app now supports face recognition. Devices must meet the Android security specifications and have a strong rating to allow use of Biometric authentication (face recognition and fingerprint) within the Authenticate app. For example, the Pixel 4 device supports strong facial recognition technology. See https://source.android.com/security/biometric/measure for more information. Users should check with their device vendors to confirm if their devices are compatible.
This release also contains miscellaneous bug fixes and improvements.
RSA is providing a new API to help you integrate your existing tools and gain visibility into your company’s license and usage information, which is important for planning and budgeting your future license upgrades. The Cloud Administration Retrieve License Usage API allows administrators to access the number of MFA licenses used, the number of users with third-party FIDO authenticators, and the total number of SMS and Voice Tokencodes sent for the current month. You can use this data for external trending analysis. For more information, see Cloud Administration Retrieve License Usage API.
Under certain circumstances, users who authenticated through a relying party had to press the tab key twice in order to move the cursor to the password field. This problem has been fixed.
|NGX-47434||The documentation has been updated to indicate that users who sign in to My Page are automatically synchronized to the Cloud Authentication Service. For details, see Just-in-Time Synchronization.|
|NGX-44932||Previously, there was no way to delete a certificate chain from the Company Settings > Company Information page. Now you can click Delete to delete the certificate chain.|
RSA SecurID Authenticate 3.5 app for iOS and Android contains miscellaneous fixes and improvements. On Android devices, this update is qualified with Android OS 6.x and later.
The app includes Authenticate Key, a FIDO-based authenticator that can be used for primary and additional authentication. This is a Technical Preview feature that is disabled by default. If you are interested in enabling this feature, contact RSA.
|NGX-40499||The copyright for the Authenticate app has been updated to 2020.|
Removing PIN protection from the iOS app in a registered device with multiple PIN protected accounts no longer causes other PIN-protected accounts to re-lock immediately after authentication.
|NGX-44181||An Android device that had not been jailbroken incorrectly displayed a noncompliance message. This problem has been fixed.|
Problem: When users install the iOS app, a message indicates that Bluetooth must be turned on to use Authenticate Key.
Workaround: Users who do not plan to use Authenticate Key should ignore this message.
The June 2020 release includes the following features and benefits.
Customers with RSA SecurID Access Enterprise or Premium Edition can now use YubiKey for RSA SecurID Access and other third-party FIDO authenticators without purchasing additional licenses. Previously, these customers had to purchase a separate MFA license for each user to use these authenticators. FIDO authenticators provide a positive user experience and help prevent man-in-the-middle and phishing attacks for FIDO-enabled authentication use cases.
The RSA SecurID Authentication API now supports FIDO/FIDO2 for authentication. Along with other RSA-supported MFA options, customers and RSA Ready technology partners can enable commercial and custom applications to use RSA SecurID Access for FIDO authentication. For more information, see RSA SecurID Authentication API Developer's Guide.
Customers can now easily access their current Cloud Authentication Service license and usage information in the Cloud Administration Console for compliance and operational needs. For more information, see Cloud Administration Console Dashboard.
|NGX-45622||When entering Authenticate Tokencode during authentication, RADIUS client users who enter a space after four digits (as displayed in the RSA SecurID Authenticate app) are now able to successfully authenticate.|
|NGX-44853||The documentation now explains that when you upload a company logo to My Page, that logo can also be used for the relying party sign-in page and on additional authentication screens presented to users. See Adding a Custom Logo to Your Cloud Authentication Service Deployment.|
The May 2020 release includes the following features and benefits.
Users can use Emergency Tokencode to sign in when they misplace or lose their FIDO authenticator. Emergency Tokencode allows them to access SaaS and web applications that are protected using FIDO as a primary authentication method. For more information, see FIDO.
Securely resetting Cloud Administration Console passwords is even better. Now, password resets must be completed within two hours of requesting the password reset link.
Previously, the User Event Monitor email autocomplete did not show events for users with apostrophes in their email addresses, forcing users to enter the full email address with apostrophes in the filter box in order to see events. This problem has been fixed.
When just-in-time synchronization was enabled, users who attempted to authenticate during an automatic or manual identity source synchronization might become disabled when they should have remained enabled. This problem no longer occurs.
|NGX-22987||Microsoft Azure Active Directory provided the email address instead of the UPN in authentication requests for guest users. This problem has been fixed. Now the Cloud Authentication Service takes the user identity from the email address if the UPN is omitted.|
Problem: When entering Authenticate Tokencode during authentication, RADIUS client users who enter a space after four digits (as displayed in the RSA SecurID Authenticate app) are unable to successfully authenticate.
Workaround: Do not enter the space during authentication.
For release notes prior to May 2020, see Release Notes Archive - Cloud Authentication Service and RSA SecurID Authenticate Apps.