Authenticator Registration

Users complete authenticator registration so that they can use the RSA Authenticate/RSA Authenticator app (registered on a phone, tablet, or desktop or PC), FIDO authenticator, or hardware token to authenticate to protected applications.

Registration binds the authenticator to the user. After registration, when the user needs to authenticate to an application, RSA prompts the user for methods that the user can complete, for example, Approve, SecurID Authenticate OTP, or Device Biometrics. Users who do not register a device using the RSA Authenticate /RSA Authenticator app are not presented with authentication methods that require the app.

SMS OTP, Voice OTP, and SecurID OTP credentials that are managed in Authentication Manager do not require this type of registration. SecurID 700 hardware OTP credentials that are managed in the Cloud Administration Console do require registration.

A user can register the following authenticators:

  • One iOS, Android, Windows, or macOS device with the RSA Authenticate/RSA Authenticator app

  • One of the following: an iOS, Android, Windows, or macOS device with the RSA Authenticate/RSA Authenticator app, or an iOS or Android device with a custom app developed by your company

  • One security key, Windows Hello, Android phone, or one FIDO using RSA DS100 authenticator

  • Up to five SecurID 700 hardware OTP credentials or RSA DS100 OTP credentials.

Note: A user cannot register a mobile device with both the Authenticate/Authenticator app and a custom app. Tell your users which app is available to them.

For more information, see:

Registration of iOS, Android, Windows, and macOS Devices

Users can register an iOS, Android, Windows, or macOS device using one of the following methods.

Registration Method Description
Use RSA My Page.

My Page is web portal that helps provide a secure way for users to register iOS, Android, Windows, or macOS devices using multifactor authentication and QR or numeric registration codes. Users sign into My Page on one device (for example, a computer), download the RSA Authenticate/RSA Authenticator app on another device (iOS or Android), scan a QR code, and complete an optional test authentication. Users can also manually enter a numeric Registration Code if they are unable to scan a QR code.

By default, My Page is disabled. When you enable it, you can also select an access policy that determines which users are allowed to use My Page and which authentication requirements they must satisfy to access the page. For more information, see Manage My Page
User enters an LDAP password as the Registration Code into the RSA Authenticate /RSA Authenticator app.

The user downloads the RSA Authenticate/RSA Authenticator app on a device (iOS, Android, Windows 10, or macOS) and enters the identity source email address, your Organization ID, and the identity source password (as the Registration Code) in the app.

You can use the Device Registration Using Password policy to restrict which users are allowed to complete device registration using this method. For more information, see Device Registration Using Password Policy.
User enters a Registration Code generated by the administrator. You use the Cloud Administration Console to generate a numeric Registration Code and then securely provide it to the user. The user downloads the RSA Authenticate /RSA Authenticator app on a device (iOS, Android, Windows 10, or macOS) and enters the user identity source email address, your Organization ID, and the Registration Code in the app. For more information, see Manage Users for the Cloud Authentication Service - Generate a Device Registration Code.

For a complete overview of the steps users perform to complete registration, see Registering Devices with the RSA Authenticate App. For rollout information, see Cloud Authentication Service Rollout to Users.

Registration and User or Authenticator Changes for iOS, Android, Windows, and macOS Devices

The following table summarizes how RSA handles registration with user or changes for iOS, Android, Windows, and macOS devices.

Situation How RSA Handles It
A user completes registration, deletes or uninstalls the RSA Authenticate/RSA Authenticator app, and then later needs to complete registration again on the same device. The user installs the RSA Authenticate/RSA Authenticator app again and re-registers the device without administrative action.

  • A user completes registration on one device and then gets a new device. The user needs to complete registration on the new device.

  • A user performs a factory reset on a registered device and wants to reinstall the app on the same device.

The user can delete the current device in My Page , and then complete registration. Or the administrator must delete the user's current device before the user can complete device registration again.

  • An existing user who has completed device registration on the device no longer needs the device and gives the device to a new user.

  • An existing user who has completed device registration on the device no longer needs the device, performs a factory reset, and gives the device to a new user.

  1. If necessary, the existing user deletes the device in My Page or deletes the company in the app.

  2. The new user installs the app and completes device registration without administrative action.

Registration with Multiple Accounts for iOS, Android, Windows, and macOS Devices

An individual user can use the RSA Authenticate/Authenticator app on a single registered device to authenticate to resources protected by up to 10 different accounts.

For example, a user who is a contractor for both Organization A and Organization B can use a single device to perform step-up authentication to access both organizations. The user registers the device for one organization and uses the My Credential screen to add additional credentials as needed.

An administrator might use a single device for testing the behavior of the RSA Authenticate /RSA Authenticator app for a organization's testing environment and production environment. If each environment has a unique Organization ID, the administrator adds a credential for each organization. Or if each environment uses the same Organization ID but has a unique user ID, the administrator adds an account for each user ID.

If an administrator for one credential uses the Cloud Administration Console to delete a user's registered device, the RSA Authenticate /RSA Authenticator app on the user's device continues to work normally for any other credential. The activity from one credential does not affect the app behavior for other credentials.

Registration of FIDO Authenticators

RSA supports the following FIDO authenticators:

For FIDO authenticators, registration happens in one of two ways:

  • The first-time user clicks an icon for a protected application, enters an identity source password, connects the FIDO authenticator, and, if required, taps the authenticator. Subsequent authentications do not require a password. This is the default registration method and is only available for security keys.

  • The user goes to My Page to register the FIDO authenticator. Users authenticate to My Page according to the access policy protecting My Page. You can make My Page registration a requirement by enabling both My Page and FIDO authenticator registration in the Cloud Administration Console at Access > My Page. After both functions are enabled, users can no longer register FIDO authenticators during first-time authentication.

For a list of supported authenticators and environments, see Cloud Authentication Service User System Requirements.

Registration and User or Authenticator Changes for FIDO Authenticators

The following table summarizes how RSA handles registration with user or authenticator changes for FIDO authenticators.

Situation How RSA Handles It
A user registers a FIDO authenticator and then loses the authenticator. The administrator deletes the user's lost authenticator from the Cloud Authentication Service, or the user deletes it using My Page. The administrator gives the user a new authenticator to register.
A user registers a FIDO authenticator, no longer needs it, and gives it to another user. The administrator deletes the user's authenticator or the user deletes it using My Page. The new user must re-register the authenticator.

Registration of SID 700 Hardware OTP Credentials

Users can activate or register their SID 700 hardware OTP credentials using My Page. For more information on deploying these credentials, see SecurID Hardware Authenticators .

Registration of RSA DS100 FIDO and OTP Credentials

Users can register their RSA DS100 FIDO and OTP credentials using My Page. For more information, see RSA DS100 Hardware Authenticator.