In the past we used the standard Windows agent with Authentication Manager in order to protect RDP access.
The use case we had is that ONLY the first time does a user enter his credentials and then the hardware or software tokencode. At the next login, the user inserted ONLY the tokencode, without inserting the AD domain password again.
Now, we are moving to the RSA MFA agent in order to add push notification/approve functionality in the same use case, where users log in via RDP to a Windows machine.
My questions are:
1. Do we need to insert the domain password of the user every time before receiving the push notification in the app? Or is the MFA agent able (like the standard agent) to cache the password of the user, so that the user ONLY has to insert the tokencode OR accept the approve notification (depending on the policy) in the app?
2. During the access, is it possible for the user to select the best solution for him to use, like selecting token or push or call?
I am part of product management driving next feature sets for MFA Agent and will be interested to understand your use cases and experience using MFA Agent for Windows. Please email me if you will be available for a quick call.
There is also another way to get push/approve (with PIN), and even biometrics (with PIN): you can leverage new capabilities of Authentication Manager 8.4 (starting with P4).
You will have nothing to change from a Windows authentication agent perspective, it will just work as-is.
I would suggest you have a look at this. That could be a good way to get what you need, before transitioning to the MFA agent when it has the AD password caching feature.
Some details there: RSA® SecurID Access Release Notes for RSA Authentication Manager 8.4
We introduced this capability (approve) with AM 8.4 P4 and enhanced it (biometrics) with AM 8.4 P9