Action Required for Upcoming Identity Router and RSA SecurID Authenticate App Security Improvements
To strengthen the overall security of RSA SecurID Access, RSA is rolling out significant improvements that affect all identity routers and the RSA SecurID Authenticate app (iOS and Android). Changes include:
Improving the strength of our database encryption by using Federal Information Processing Standards (FIPS)-supported algorithms in the Cloud Authentication Service.
Forcing the use of Transport Layer Security (TLS) 1.2 or greater encryption for all communication from the identity routers to the Cloud Authentication Service.
Identity routers upgraded to SUSE Linux Enterprise Server (SLES) version 12 SP5 hardened to Security Technical Implementation Guide (STIG) standards.
To ensure uninterrupted service and avoid downtime, you must take action by the following dates.
Event & Action
After RSA migrates database data to FIPS-supported algorithms, the Cloud Administration Console will display a Changes Pending message. Please ignore this message as a publish is not required. This status will disappear after your next regular publish.
No customer action needed. EMEA and ANZ regions: 8/29/2020 US region: 9/12/2020
The RSA SecurID Authenticate app version 2.x will no longer work for iOS or Android. Users must upgrade to the latest version in order to authenticate. See the advisory for details.
October 12, 2020
You must update all identity routers to the August release (version 184.108.40.206.5 or higher for on-premises identity routers and RSA_Identity_Router 220.127.116.11.6 or higher for Amazon Cloud) before the last identity router upgrade date (October 31, 2020). After October 31, RSA SecurID Access will enforce TLS1.2 for all connections. Versions of TLS earlier than 1.2 will no longer work. To ensure uninterrupted connectivity, make sure your identity routers are running at least software version 18.104.22.168.8 prior to October 31. For instructions, see Update Identity Router Software for a Cluster. If you are using a proxy server you must ensure it also support TLS 1.2 and later.
Follow your normal upgrade schedule.
October 31, 2020
Note: A new identity router that takes advantage of hardened security and the latest operating system patches using SLES version 12 SP5 is coming in November. Watch future notifications for details.
For additional documentation, downloads and more, visit the RSA SecurID Access page on RSA Link.
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.