AM 8.4 Patch 9 and Biometrics
We have a deployment with AM 8.4 integrated with the Cloud Authentication service, using Approve and Tokencode methods.
We've upgraded to Patch 9 to be able to use Device Biometrics. After patch installation, we've modified the assurance level in Cloud to include Device Biometrics as first option and pushed the changes.
We're testing it, and following the documentation if we put and existing PIN we should be prompted for Biometrics or Approve... but we end getting an Approve.
Have we missed any step(s) to make this work?
- Cloud Auth
- Cloud Authentication
- Cloud Authentication Service
- Community Thread
- Forum Thread
- patch 9
- RSA SecurID
- RSA SecurID Access
Hi Jose - unfortunately the Patch 9 readme is somewhat incomplete in this regard (rework is in process).
Assuming biometrics has been added to your assurance level (first choice) and user has previously used the approve method you have a couple of options:
- if using the RSA SecurID Access Cloud Authentication System (CAS) for any browser-based applications, users have the option of choosing their additional authentication method. Whatever is chosen becomes their default method on any future authentication attempts.
- if only using the CAS for RSA SecurID Authentication Manager-protected resources (PIN+approve/biometrics) then you must temporarily delete the approve method from your assurance levels and have the user authenticate to the Authentication Manager-protected resource. This will cause the biometric method to be used and set as user's default method.
The fundamental problem is that the user cannot explicitly choose their additional authentication method in the PIN+ scenario. Note that new users do not have this problem as the first method in the assurance level configuration will be used as default. See How Assurance Levels Are Used During Authentication for more information.
Hope that helps,