Authentication Methods for Cloud Authentication Service Users

An authentication method is a credential a user provides or an action a user performs to prove his or her identity. This topic describes the methods used for multifactor authentication (MFA) that you can make available to users who are in identity sources that are configured for the Cloud Authentication Service.

The following methods can be used to access resources protected by the Cloud Authentication Service and Authentication Manager:

The following methods can be used to access only resources protected by the Cloud Authentication Service:

Authentication Manager Integration

You can expand the number of resources you protect and the authentication options you make available to users by integrating Authentication Manager with the Cloud Authentication Service. For more information, see Connect SecurID Authentication Manager to the Cloud Authentication Service (Authentication Manager 8.4 Patch 4 or later), Enable SecurID Authenticate App Users to Access Resources Protected by SecurID Authentication Manager (Authentication Manager 8.4 Patch 3 and earlier), and Enable SecurID OTP Users to Access Resources Protected by the Cloud Authentication Service.

FIDO

SecurID supports the following FIDO-certified third-party authenticators:

SecurID supports FIDO authenticators for both primary (for example, the user is prompted to sign in with a FIDO authenticator instead of entering a password after entering a user ID) and additional authentication (for example, after entering a user ID and password, the user is prompted to sign in with a FIDO authenticator).

FIDO2 security keys, Windows Hello, and Android phone can be used for primary authentication and additional authentication. U2F security keys can be used for additional authentication. For a list of system requirements for FIDO authenticators, see Cloud Authentication Service User System Requirements.

Note: The Cloud Administration Console dashboard displays the total number of users in your deployment with third-party FIDO authenticators. This count includes users with SecurID-branded Yubico security keys.

FIDO Registration

Users must register their FIDO authenticators before they can use them for authentication. Registration happens in one of two ways for security keys:

  • The first-time user clicks an icon for a protected application, enters a username and identity source password, connects the FIDO authenticator, and, if required, taps the key. Subsequent authentications do not require a password. This is the default registration method.

  • The user goes to My Page to register the FIDO authenticator. Users authenticate to My Page according to the access policy protecting My Page. You can make My Page registration a requirement by enabling both My Page and FIDO authenticator registration in the Cloud Administration Console at Access > My Page. After both functions are enabled, users can no longer register FIDO authenticators during first-time authentication. For more information, see Manage My Page.

Registration for Windows Hello and Android phone can only be done in My Page.

Requirements for Using FIDO for Primary Authentication

Note the following requirements for using FIDO authenticators for primary authentication:

  • The FIDO authenticator must support user verification, such as a PIN or biometric. The user completes this verification as part of FIDO authentication.
  • Users must set up the FIDO user verification before accessing an application that requires FIDO authenticators.

  • Users must first register their FIDO authenticators with SecurID when accessing an application where FIDO authenticators are used for additional authentication, for example, a service provider or My Page. Then users can use FIDO authenticators as a primary authentication method.

  • FIDO authenticators can be used for primary authentication only in relying party deployments.

FIDO2 Certification

The Cloud Authentication Service is a FIDO2 Certified Server. The certification demonstrates compliance with the FIDO specification and ensures compatibility with any FIDO-certified security key.

As part of this certification, the Cloud Authentication Service checks the integrity of the security key response message during registration. If the response message is modified on its way to the Cloud Authentication Service, the registration is unsuccessful.

Additionally, the Cloud Authentication Service verifies the integrity and authenticity of FIDO-certified security keys listed with the FIDO Alliance Metadata Service (MDS). The Cloud Authentication Service rejects MDS-listed keys if detected as counterfeit or compromised.

SecurID OTP

SecurID OTPs employ a one-time, randomly generated number, called an OTP, that is generated on a hardware or software authenticator. A Personal Identification Number (PIN) is often required. The OTP is time-based and must be used before it expires. These OTPs can be used to access resources protected by the Cloud Authentication Service or by authentication agents in Authentication Manager deployments.

Supported hardware authenticators and software authenticators can be assigned and managed in Authentication Manager. SecurID 700 hardware authenticators can be assigned and managed in the Cloud Authentication Service.

Authentication Manager

Hardware and software authenticators that are managed and validated in Authentication Manager can be used to access resources protected by Authentication Manager or the Cloud Authentication Service (with integration).

Use the Security Console to manage these authenticators.

Note: SecurID OTPs that are managed in Authentication Manager can be used for primary authentication to access resources protected by the Cloud Authentication Service only in IDR SSO Agent and relying party (service provider) deployments.

See SecurID OTPs.

Cloud Authentication Service

If your company does not have Authentication Manager, you can use the Cloud Administration Console to deploy SecurID 700 hardware authenticators to users to access resources protected by the Cloud Authentication Service. These authenticators are validated by the Cloud Authentication Service. See SecurID Hardware Authenticators.

Using SecurID 700 Hardware Authenticators for Offline Authentication

SecurID 700 hardware authenticators that are managed in the Cloud Administration Console can be used for offline authentication if your company deploys software for MFA Agent for Microsoft Windows version 2.1.1 or later or MFA Agent for macOS version 1.3 or later to users' computers. Users must complete this process to enable offline authentication:

  1. User registers or activates the SecurID 700 hardware authenticator with the Cloud Authentication Service and sets a PIN.

  2. User successfully uses the authenticator for online authentication. (The user's computer can access the internet or company network.)

  3. The MFA Agent downloads day files to the user's computer. The default is 15 files but this number can be configured on the Agent. These files contain the necessary information for offline authentication.

  4. User can now authenticate offline, using the same PIN plus OTP, without access to the internet or company network.

The authentication methods available for offline authentication depend on which authentication method the user last completed successfully while online. For example, if the user last completed authentication with a SecurID 700 hardware authenticator, then that method will be available offline. If the user last completed authentication with a method other than the SecurID 700 hardware authenticator, then Authenticate OTP will be available offline.

SecurID Authenticate OTP

Similar to SecurID OTPs, SecurID Authenticate OTP employs a one-time, randomly generated number called an OTP. This OTP is generated on a device where the SecurID app is installed. The OTP, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires. These OTPs are valid for up to five minutes after they are generated and displayed on a user's device. The user is enrolled for this method automatically after device registration.

Protect Access to Authenticate OTP

You can require users to provide additional authentication to view the SecurID Authenticate OTP. This setting takes effect 24 hours after it is enabled or after the user restarts the app. The user must tap or click View OTP on the app home screen and authenticate before viewing the tokencode.

The first time the user taps or clicks View OTP, the app prompts the user to create a PIN that is only used for viewing the Authenticate OTP. The PIN must be numeric, contain 4-10 digits, and cannot contain repeating or consecutive numbers, for example, 1111 or 1234. You can configure the minimum PIN length. For instructions, see Configure Session and Authentication Method Settings.

The PIN applies to the SecurID Authenticate OTPs for all companies in the app. If users have multiple companies in the app, their minimum PIN length is the longest minimum PIN length of their companies.
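The PIN rules above (numeric, 4-10 digits, no repeating or consecutive numbers, longest configured minimum across a user's companies) as a validator, added here as an example and not code from the SecurID app. It assumes "repeating" means every digit identical and "consecutive" means a straight run up or down by one; the product's exact rule may differ.

```python
import re

# Rules as described on this page for the View OTP PIN: numeric, 4-10 digits,
# no repeating (e.g. 1111) or consecutive (e.g. 1234) numbers, with a minimum
# length an administrator can configure per company.
# Assumptions for this example: "repeating" means every digit is identical and
# "consecutive" means each digit is the previous one plus or minus 1
# (so 4321 is rejected too); the product's exact rule may differ.
DEFAULT_MIN_PIN_LENGTH = 4
MAX_PIN_LENGTH = 10


def effective_min_length(company_min_lengths=()):
    """A user with several companies in the app gets the longest of their
    companies' configured minimum PIN lengths (never below the 4-digit floor)."""
    return max([DEFAULT_MIN_PIN_LENGTH, *company_min_lengths])


def is_repeating(pin):
    """True when the whole PIN is one digit repeated, e.g. 1111."""
    return len(set(pin)) == 1


def is_consecutive(pin):
    """True when the PIN is a straight run up (1234) or down (4321)."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def validate_view_otp_pin(pin, company_min_lengths=()):
    """Return (accepted, reason) for a proposed View OTP PIN."""
    if not re.fullmatch(r"[0-9]+", pin):
        return False, "PIN must contain only digits 0-9"
    min_len = effective_min_length(company_min_lengths)
    if not min_len <= len(pin) <= MAX_PIN_LENGTH:
        return False, f"PIN must be {min_len}-{MAX_PIN_LENGTH} digits"
    if is_repeating(pin):
        return False, "PIN must not be a single repeated digit"
    if is_consecutive(pin):
        return False, "PIN must not be a consecutive sequence"
    return True, "ok"


if __name__ == "__main__":
    # constructed candidates; two companies with minimums 4 and 6 -> effective 6
    for candidate in ("1111", "1234", "4321", "2580", "258013"):
        print(candidate, validate_view_otp_pin(candidate, company_min_lengths=(4, 6)))
```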

On iOS and Android, if the user has set up biometrics, the app prompts the user to authenticate with a biometric (for example, fingerprint or Face ID) instead of using a PIN. The user can also choose to skip or cancel biometrics and enter the PIN. If the user fails biometrics or has not set up biometrics, then the app prompts the user to enter the PIN.

On Windows, the app prompts the user to authenticate with the PIN.

If the user enters an incorrect PIN five times, the PIN is locked and the user must reset the PIN. To reset the PIN, users must do the following:

  • On iOS or Android, the app prompts the user for device unlock credentials, such as a passcode. The user must set up device unlock credentials to reset the PIN.

  • On Windows, the app prompts the user to delete all companies that require authentication to view the OTP and then re-register those companies.

The user can authenticate to view the OTP with an online or offline device. However, if the user needs to reset the PIN on a Windows device, the user must be online. The user can reset the PIN online or offline on iOS or Android devices.

Integrated Deployments

If your company has deployed both SecurID and Authentication Manager 8.2 or later, you can integrate the two products so that users can authenticate with SecurID OTPs and SecurID Authenticate OTPs on the same RSA Authentication Agent. This integration affects only hardware authenticators that are managed in Authentication Manager.

Emergency Access Code

Emergency Access Code is for users who forget or misplace their registered authenticators.

If Emergency Access Code is enabled for offline use (My Account > Company Settings > Sessions & Authentication), the same 12-character alphanumeric code is generated for both online and offline use. If Emergency Access Code is disabled for offline use, an 8-character alphanumeric code is generated that can only be used when the user is online.

Users who are not enabled for offline authentication or who have not yet downloaded day files always receive an 8-character alphanumeric code that can only be used when the user is online.

Super Admins - See how to configure Emergency Access Code:


Help Desk Administrators - See how to provide users with an Emergency Access Code:


For detailed information, see:

Emergency Access Code for Online Access

When to Use Emergency Access Code for Online Access

If the user is able to sign in to the company network without the registered authenticator, you can give the user an Emergency Access Code to access resources protected by the Cloud Authentication Service.

Configuration Prerequisites

For primary authentication, Emergency Access Code can be used as a replacement for the FIDO authentication method in relying parties. You select a box to allow this replacement when configuring primary authentication for the relying party. See Add a Service Provider.

Similar to other SecurID additional authentication methods, Emergency Access Code must be configured and published in your assurance levels and access policies before it can be used for online additional authentication.

Note: SecurID recommends that you avoid adding Emergency Access Code to the High assurance level. Doing so will make Emergency Access Code available to your most sensitive applications.

User Experience for Online Access
  1. The user calls the Help Desk.

  2. The Help Desk Administrator finds the user on the Users > Management page in Cloud Administration Console and generates an Emergency Access Code.

    If offline Emergency Access Code is enabled for your company, the same OTP is generated for online and offline access.

  3. The Help Desk Administrator securely delivers the OTP to the user immediately and instructs the user to select Emergency Access Code from the list of available options during the next authentication.

  4. The next time the user is online and attempts to access the protected resource, the user selects Emergency Access Code and then enters the OTP.

    The number of retries allowed when a user enters the OTP incorrectly is configured in the Cloud Administration Console on the My Account > Company Settings > Session & Authentication page.

Lifetime for Online Access

After a user selects Emergency Access Code one time during authentication, Emergency Access Code becomes the user's default method until one of the following events occurs:

  • The OTP expires. Expiration is configured (1-7 days) on the Users > Management page. For instructions, see Enable Emergency Access Code for a User.

  • An administrator disables the OTP on the Users > Management page.

  • The user selects a different option during authentication, and that option becomes the new default.

Generate or disable Emergency Access Code for a user

See Manage Users for the Cloud Authentication Service.

Emergency Access Code for Offline Access

When to Use Emergency Access Code for Offline Access

A user can use Emergency Access Code to sign into a computer that is protected by the RSA MFA Agent for Microsoft Windows, even if the computer has no internet connection. If the computer has an internet connection, the same OTP can be used to access resources protected by the Cloud Authentication Service.

Configuration Prerequisites

Your deployment must meet these configuration requirements:

User Experience for Offline Access
  1. The user calls the Help Desk.

  2. The Help Desk Administrator finds the user on the Users > Management page in Cloud Administration Console and generates an Emergency Access Code.

    The same OTP is generated for online and offline access.

  3. The Help Desk Administrator securely delivers the OTP to the user immediately.

  4. The next time the user attempts to sign in to his or her Windows computer, the MFA Agent prompts the user to sign in and enter the Emergency Access Code.

Lifetime for Offline Access

The Emergency Access Code is created and downloaded to the user’s computer the first time the user successfully authenticates online through the MFA Agent to the Cloud Authentication Service. The tokencode becomes invalid after one of the following events occurs:

  • The configured lifetime (1-30 days) has elapsed. You configure this setting on the My Account > Company Settings > Session & Authentication page. For instructions, see Configure Session and Authentication Method Settings.

  • The user has successfully authenticated, through the MFA Agent, using a method other than Emergency Access Code, to the Cloud Authentication Service. A new OTP is downloaded to replace the old one, beginning a new lifetime cycle.

The online expiration date may elapse before the offline expiration date. If this occurs and the user still needs online emergency access, you can regenerate the OTP and give it a new online expiration date. The offline expiration date remains valid and unchanged from the first time it is generated until it expires or until the user successfully authenticates with a different method. Also, the Emergency Access Code itself remains exactly the same if you click Generate Code, even multiple times, before the offline expiration date is reached.
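A simplified model of the online and offline lifetime rules described in this section, added here as an example and not part of the product or this documentation. It assumes one object holds a user's state, that the MFA Agent's downloaded copy and the Help Desk's generated code are tracked separately, and that an expired offline copy is treated like no copy at all when a new code is generated; the code format is constructed.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# constructed alphabet; the real code format is not documented on this page
ALPHABET = string.ascii_uppercase + string.digits


def _random_code(length):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class EmergencyAccess:
    """One user's Emergency Access Code state (constructed model, not the product's data model)."""
    offline_enabled: bool          # company setting on Sessions & Authentication
    online_lifetime_days: int      # 1-7, chosen when the code is generated for the user
    offline_lifetime_days: int     # 1-30, company setting
    code: Optional[str] = None                 # code the Help Desk handed out
    online_expires: Optional[datetime] = None
    offline_copy: Optional[str] = None         # code downloaded by the MFA Agent
    offline_expires: Optional[datetime] = None

    def _offline_copy_valid(self, now):
        return self.offline_copy is not None and now < self.offline_expires

    def agent_online_auth(self, now, method):
        """User authenticates online through the MFA Agent. Any method other than
        Emergency Access Code downloads a fresh 12-character code and starts a
        new offline lifetime; an Emergency Access Code login changes nothing."""
        if not self.offline_enabled or method == "Emergency Access Code":
            return
        self.offline_copy = _random_code(12)
        self.offline_expires = now + timedelta(days=self.offline_lifetime_days)

    def generate(self, now):
        """Help Desk clicks Generate Code. While a downloaded offline copy is still
        valid the same code is returned and only its online expiration is renewed;
        otherwise (no copy yet, or copy expired: assumption) an 8-character
        online-only code is issued."""
        if self._offline_copy_valid(now):
            self.code = self.offline_copy
        else:
            self.code = _random_code(8)
        self.online_expires = now + timedelta(days=self.online_lifetime_days)
        return self.code

    def disable(self):
        """Administrator disables the code for online use; the page does not say
        what happens to the offline copy, so this model leaves it untouched."""
        self.code = None
        self.online_expires = None

    def verify_online(self, code, now):
        if self.code is None or self.online_expires is None or now >= self.online_expires:
            return False
        return secrets.compare_digest(code, self.code)

    def verify_offline(self, code, now):
        return self._offline_copy_valid(now) and secrets.compare_digest(code, self.offline_copy)
```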

Generate or disable Emergency Access Code for a user

See Manage Users for the Cloud Authentication Service.

Approve (Push Notifications)

When using Approve to access a cloud-protected resource, the user attempts to access the application and then receives a push notification prompting the user to tap a button on a registered device. When using Approve to access an agent-protected resource, the user enters a PIN before tapping a button on an Authenticate device. In both cases, the user can also tap an interactive notification on the device or on an Apple Watch or Android Wear watch paired to the device. The user must respond within one minute; otherwise the method times out and is considered a failed authentication. The user is enrolled for this method automatically after Authenticate device registration.

This method can be used to access resources protected by the Cloud Authentication Service or by authentication agents in Authentication Manager deployments.

Device Biometrics

Device Biometrics allows users to authenticate to applications using biometrics available on their devices, such as Apple Touch ID or Face ID, Android fingerprint, or Windows Hello. Before using Device Biometrics, users must first set up biometrics on their devices. SecurID does not force users to do this.

To use Device Biometrics on Windows 10 PCs, Windows Hello must be enabled. Also, keep in mind that users can sign in using a Hello PIN.

When using Device Biometrics to access an agent-protected resource, the user must first enter a PIN before entering the biometric credential.

SMS OTP

SMS OTP is a six-digit code that SecurID sends to the user's phone in an SMS message when the user attempts to access an application. The OTP, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires three minutes after it is sent to the user. If it expires or the user does not receive it, the user can click Resend OTP. This method does not require device registration using the SecurID app.

When planning your available authentication methods, consider making SMS OTP available for emergency access when the user cannot use other methods, for example, when the user loses the SecurID Token or cannot locate the device used to register the SecurID app.

Users can use SMS OTP if these criteria are met:

  • SecurID has enabled this feature for your company.

  • Users' required identity source information is synchronized with the Cloud Authentication Service (similar to other authentication methods).

  • A valid mobile phone number is stored for the user in the Cloud Authentication Service. The phone number can be synchronized from the LDAP directory server or entered manually by the administrator.

For details on how SMS phone numbers are handled during identity source synchronization, see Identity Sources for the Cloud Authentication Service.

Note: SecurID® Federal does not support authentication with SMS Tokencode.

Voice OTP

Voice OTP is a six-digit code that SecurID provides by calling the user's phone when the user attempts to access an application. The OTP, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires three minutes after it is sent to the user. If it expires or the user does not receive it, the user can click Resend OTP. This method does not require a mobile device.

When planning your available authentication methods, consider making Voice OTP available for emergency access when the user cannot use other methods, for example, for users who do not have mobile phones or when the user loses the SecurID OTP.

Users can use Voice OTP if these criteria are met:

  • SecurID has enabled this feature for your company.

  • Users' required identity source information is synchronized with the Cloud Authentication Service (similar to other authentication methods).

  • A valid phone number (landline or mobile) is stored for the user in the Cloud Authentication Service. The phone number can be synchronized from the LDAP directory server or entered manually by the administrator.

For details on how Voice OTP phone numbers are handled during identity source synchronization, see Identity Sources for the Cloud Authentication Service.

Note: SecurID® Federal does not support authentication with Voice OTP.

LDAP Directory Password

The LDAP directory password is used for primary authentication and to register devices. LDAP directory passwords are managed within the LDAP directory server. User records are synchronized from the LDAP directory server to identity sources in SecurID. The Cloud Authentication Service must be able to reach your on-premise identity source for authentication to succeed.