Configure Session and Authentication Method Settings

Configure settings that affect your entire Cloud Authentication Service deployment:

Values in minutes must be a number between 1 and 99,999. For seconds, the number must be between 1 and 300.

Note: After you save changes, click Publish Changes to activate them.

Before you begin

You must be a Super Admin for the Cloud Administration Console.

Configure Cloud Administration Console Sessions

SecurID® Federal deployments impose a limit of three simultaneous Cloud Administration Console sessions for an administrative account. SecurID commercial deployments do not enforce a limit.

Procedure

  1. In the Cloud Administration Console, click My Account > Company Settings and select the Sessions & Authentication tab.
  2. In the Session Duration (minutes) field, enter the maximum number of minutes an administrator can stay signed into the Cloud Administration Console before being prompted to sign in again. The default is 720 minutes.
  3. In the Inactivity Timeout (minutes) field, enter the maximum number of minutes that the sign-in session can remain idle before the system ends the session. The default is 15 minutes.

Configure Authentication for the Cloud Administration Console

Primary authentication is required when administrators initially attempt to access the Cloud Administration Console. Administrators must either enter their console account passwords or authenticate through a third-party identity provider. When a third-party identity provider is used, only SP-initiated SAML 2.0 is supported. The subject name set by the third-party provider in the SAML Assertion must match an Administrator Username configured in the Cloud Administration Console. The match is case-insensitive.

You can also require additional authentication based on the selected access policy. For instructions, see Protect the Cloud Administration Console with Additional (Step-Up) Authentication.

Procedure

  1. In the Cloud Administration Console, click My Account > Company Settings and select the Sessions & Authentication tab.

  2. Password is the default for primary authentication. If you want administrators to authenticate through a third-party identity provider instead, select Third-Party Identity Provider and perform the following steps:

    1. The Sign-In URL is the URL administrators use to sign in to the Cloud Administration Console through a third-party identity provider. This field is read-only.

    2. The Assertion Consumer Service URL field displays the URL that the identity provider must use to send its SAML response to the Cloud Administration Console's service provider.

    3. In the Issuer ID field, enter a value that the identity provider inserts into SAML responses to identify itself as the Issuer.

    4. In the Issuer URL field, enter the URL to which the Cloud Administration Console's service provider sends SAML requests.

    5. In the Audience ID field, enter a value that the identity provider inserts into SAML assertions to indicate for whom the assertions are intended. The value is also used as the Issuer in SAML requests sent to the identity provider.

    6. (Optional) In the Requested Authentication Context field, your third-party IdP administrator can provide a set of rules that authentication must follow.

    7. (Optional) In the Sign-Out URL field, specify the URL to which administrators are redirected after signing out of the Cloud Administration Console. If left blank, administrators are sent to the Cloud Administration Console URL.

    8. In the Error URL field, specify the URL to which administrators are redirected when they encounter an error. If left blank, administrators are redirected to the Cloud Administration Console URL.

    9. In the SAML Response Encryption section, select SAML assertion is encrypted if you want to upload or generate a private key that the Cloud Authentication Service uses to decrypt the encrypted assertion received from the identity provider.

    10. In the SAML Response Signature section, click Choose File if you want to upload a certificate that the Cloud Authentication Service uses to validate the assertion signature provided by the identity provider.

  3. If you want administrators to provide additional authentication after primary authentication, in the Additional Authentication field, click Enable.

  4. In the Access Policy for Additional Authentication field, select a policy to enforce additional authentication requirements for the console.

Enable Certificate Enrollment for Passwordless Sign-In

The Cloud Authentication Service can simplify authentication by allowing users to sign in to their computers without a password. Users must present a registered FIDO authenticator or Microsoft Virtual Smart Card when they sign in. MFA Agent 2.1 must be installed on users' computers and be configured to allow passwordless sign-in. For more information, see RSA MFA Agent for Microsoft Windows.

Enabling this feature allows the MFA Agent to enroll for a certificate for passwordless sign-in. The MFA Agent requests the certificate from the identity source by way of the Cloud Authentication Service and identity router.

Procedure

  1. In the Cloud Administration Console, click My Account > Company Settings and select the Sessions & Authentication tab.

  2. In the Certificate Enrollment Service for MFA Agent section, select Enabled.

  3. Click Save Settings.

Configure User Sessions

Note: The User Sessions section is available only if the identity router-based portal is enabled.

Procedure

  1. In the Cloud Administration Console, click My Account > Company Settings and select the Sessions & Authentication tab.
  2. In the Session Duration (minutes) field, enter the maximum number of minutes a user can stay signed into the application portal before being prompted to sign in again. The default is 720 minutes.

    Set the session duration lower than the shortest session duration that is specified externally in an application that users can access in the application portal.

  3. In the Inactivity Timeout (minutes) field, enter the maximum number of minutes that the sign-in session can remain idle before the system ends the session. The default is 15 minutes.

    When a session timeout occurs, the browser returns to the sign-in page.

  4. In the Sign-in Timeout (seconds) field, enter the maximum wait time for system authentication after the user enters sign-in credentials before a timeout occurs. The default is five seconds.

    This setting is useful if you have many remote users signing into the same access point. For example, if user sessions are timing out while waiting for authentication, you can increase this setting.

  5. To limit the number of concurrent user sessions, select Limit Concurrent Sessions to and enter the number of sessions allowed. The number must be between 1 and 99.

    If this setting is blank, no limit is enforced.

  6. To require users to sign in again if the system detects that the IP address has changed within the same sign-in session, select Validate Session IP Address. This option can help to prevent unauthorized use of a sign-in session. If this option is not selected, a user can change IP addresses within the same session without being prompted to sign in again. This can be useful, for example, to accommodate users moving from the workplace to home and changing IP addresses as a result.
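The following Python model is an added example, not part of this documentation or of the Cloud Authentication Service itself. It shows how the User Sessions settings above interact: the absolute Session Duration is checked before the Inactivity Timeout, an IP address change only forces a fresh sign-in when Validate Session IP Address is selected, and the concurrent-session limit is unlimited when left blank. The field names, the check order, the return strings and the reference time T0 are assumptions made for the example; the defaults and value ranges are the ones given in the procedure.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

T0 = datetime(2024, 1, 1, 9, 0)  # constructed reference time for the demo


def minutes(n: int) -> timedelta:
    return timedelta(minutes=n)


@dataclass
class UserSessionSettings:
    """Assumed mapping of the User Sessions fields; defaults are the documented ones."""
    session_duration_min: int = 720          # Session Duration (minutes)
    inactivity_timeout_min: int = 15         # Inactivity Timeout (minutes)
    signin_timeout_sec: int = 5              # Sign-in Timeout (seconds)
    concurrent_limit: Optional[int] = None   # Limit Concurrent Sessions to; None = blank
    validate_session_ip: bool = False        # Validate Session IP Address

    def validate(self) -> None:
        """Reject values outside the ranges the console accepts."""
        for name, value in (("session_duration_min", self.session_duration_min),
                            ("inactivity_timeout_min", self.inactivity_timeout_min)):
            if not 1 <= value <= 99_999:
                raise ValueError(f"{name} must be between 1 and 99,999 minutes")
        if not 1 <= self.signin_timeout_sec <= 300:
            raise ValueError("signin_timeout_sec must be between 1 and 300 seconds")
        if self.concurrent_limit is not None and not 1 <= self.concurrent_limit <= 99:
            raise ValueError("concurrent_limit must be between 1 and 99")


@dataclass
class Session:
    user: str
    started: datetime        # when the user signed in
    last_activity: datetime  # last request seen on this session
    ip: str                  # address the session was established from


def session_state(s: Session, cfg: UserSessionSettings, now: datetime, request_ip: str) -> str:
    """Return "active", or the reason the browser is returned to the sign-in page."""
    # The absolute limit ends even a busy session...
    if now - s.started >= minutes(cfg.session_duration_min):
        return "expired: session duration reached"
    # ...and the idle limit ends a session that is still within its duration.
    if now - s.last_activity >= minutes(cfg.inactivity_timeout_min):
        return "expired: inactivity timeout"
    # With IP validation selected an address change forces a fresh sign-in; without it,
    # a user moving from the workplace to home keeps the same session.
    if cfg.validate_session_ip and request_ip != s.ip:
        return "reauth: session IP address changed"
    return "active"


def can_open_session(active: List[Session], user: str, cfg: UserSessionSettings) -> bool:
    """Concurrent-session limit: a blank setting means no limit is enforced."""
    if cfg.concurrent_limit is None:
        return True
    return sum(1 for s in active if s.user == user) < cfg.concurrent_limit


def duration_below_shortest_app(cfg: UserSessionSettings, app_durations_min: List[int]) -> bool:
    """The portal session should be shorter than the shortest session of any portal application."""
    return not app_durations_min or cfg.session_duration_min < min(app_durations_min)


if __name__ == "__main__":
    cfg = UserSessionSettings(validate_session_ip=True)
    cfg.validate()
    s = Session("alice", started=T0, last_activity=T0, ip="10.0.0.5")  # constructed session
    print(session_state(s, cfg, T0 + minutes(10), "10.0.0.5"))   # active
    print(session_state(s, cfg, T0 + minutes(16), "10.0.0.5"))   # inactivity timeout
    print(session_state(s, cfg, T0 + minutes(10), "192.0.2.7"))  # IP address changed
```

The check order matters: a session that is kept busy still ends when the Session Duration is reached, so setting it below the shortest external application session (as the procedure advises) is what keeps the portal from outliving the applications it fronts.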

Configure Password Lockout

Procedure

  1. In the Cloud Administration Console, click My Account > Company Settings and select the Sessions & Authentication tab.
  2. Select Enable Password Lockout to lock the password authentication method in the Cloud Authentication Service after the specified number of unsuccessful attempts for a user.

    These settings affect password authentication attempts for the SAML IdP and RADIUS for the Cloud Authentication Service and the SecurID app/SecurID Authenticator app. These settings do not affect password attempts for the RSA standard or custom application portals.

    For more information on password lockout, see Password Lockout Examples.

  3. In the Failures Allowed Before Lockout field, specify the number of unsuccessful password attempts that a user is allowed before the Cloud Authentication Service locks the password method. The default is 4.

    Set this value to be at least one attempt less than the lockout value in the LDAP directory.

    The number of attempts is cumulative across SAML IdP and RADIUS for the Cloud Authentication Service and the SecurID app. For example, if this value is 4 and a user enters an incorrect password two times in a service provider, one time in a VPN client, and one time during registration with the app, then the Cloud Authentication Service locks the password method.

  4. In the Lockout Duration (minutes) field, specify the length of the lockout in minutes. The default is 30.

    Set this value to one minute more than the lockout observation window specified in the directory server.

    The lockout starts when the password authentication method is locked and expires after the specified duration (30 minutes by default). After the specified duration, the Cloud Authentication Service starts processing password attempts from the user again.
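To make the counting rules in steps 2 to 4 concrete, here is an added Python example (not code from this documentation or from the Cloud Authentication Service). It keeps one cumulative failure counter per user across the SAML IdP, RADIUS and SecurID app channels, locks the password method once Failures Allowed Before Lockout is reached, refuses further attempts until Lockout Duration has elapsed, and checks the two rules of thumb about the LDAP directory's own lockout threshold and observation window. The channel names, the class and method names, the reference time T0, and the assumption that a successful password resets the running count are all choices made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# The three password channels that share one failure counter, per the text above.
# "radius" stands in for a VPN client, "securid_app" for registration with the app.
CHANNELS = ("saml_idp", "radius", "securid_app")

T0 = datetime(2024, 1, 1, 9, 0)  # constructed reference time for the demo


def minutes(n: int) -> timedelta:
    return timedelta(minutes=n)


@dataclass
class PasswordLockoutPolicy:
    enabled: bool = True
    failures_allowed: int = 4   # Failures Allowed Before Lockout, default 4
    lockout_minutes: int = 30   # Lockout Duration (minutes), default 30


@dataclass
class UserPasswordState:
    failures: int = 0
    locked_until: Optional[datetime] = None


class PasswordLockoutTracker:
    """Cumulative counter across SAML IdP, RADIUS and the SecurID app."""

    def __init__(self, policy: PasswordLockoutPolicy) -> None:
        self.policy = policy
        self.state: Dict[str, UserPasswordState] = defaultdict(UserPasswordState)

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self.state[user]
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Lockout Duration elapsed: password attempts are processed again.
            st.locked_until = None
            st.failures = 0
            return False
        return True

    def attempt(self, user: str, channel: str, password_ok: bool, now: datetime) -> str:
        """Record one password attempt; returns "accepted", "rejected" or "locked"."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        if not self.policy.enabled:
            return "accepted" if password_ok else "rejected"
        if self.is_locked(user, now):
            return "locked"   # the password is not evaluated while locked
        st = self.state[user]
        if password_ok:
            st.failures = 0   # assumption: a success clears the running count
            return "accepted"
        st.failures += 1
        if st.failures >= self.policy.failures_allowed:
            st.locked_until = now + minutes(self.policy.lockout_minutes)
            return "locked"
        return "rejected"


def directory_alignment_warnings(policy: PasswordLockoutPolicy,
                                 ldap_lockout_threshold: int,
                                 ldap_observation_window_min: int) -> List[str]:
    """Apply the guidance from steps 3 and 4 to the directory's own lockout values."""
    warnings = []
    if policy.failures_allowed > ldap_lockout_threshold - 1:
        warnings.append("failures_allowed should be at least one less than the LDAP lockout threshold")
    if policy.lockout_minutes < ldap_observation_window_min + 1:
        warnings.append("lockout_minutes should be one minute more than the LDAP observation window")
    return warnings


if __name__ == "__main__":
    tracker = PasswordLockoutTracker(PasswordLockoutPolicy())
    # The documented example: two failures at a service provider, one at a VPN client,
    # one during registration with the app, all with the default of 4.
    for ch in ("saml_idp", "saml_idp", "radius", "securid_app"):
        print(ch, tracker.attempt("alice", ch, False, T0))
    print(tracker.attempt("alice", "saml_idp", True, T0 + minutes(5)))   # locked
    print(tracker.attempt("alice", "saml_idp", True, T0 + minutes(30)))  # accepted
```

Keeping the cloud threshold below the directory's threshold means the Cloud Authentication Service stops forwarding password attempts before the LDAP account itself is locked out, which is the point of the "at least one attempt less" guidance.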

Configure OTP Credentials

Perform these steps to configure SecurID Authenticate OTP, Emergency Access Code, SecurID hardware OTP credential, SMS OTP, and Voice OTP.

Note: Settings for SecurID hardware OTP credentials apply only to hardware authenticators that are uploaded and managed in the Cloud Authentication Service. They do not apply to OTP credentials that are assigned and managed in Authentication Manager.

Procedure

  1. In the Cloud Administration Console, click My Account > Company Settings and select the Sessions & Authentication tab.
  2. In the Failures Allowed Before Lockout field, specify the number of consecutive times users can retry each authentication method after the first unsuccessful authentication. After this many consecutive retries, the authenticator is locked. Each method is counted and locked separately. The default is 3.

    For example, if you specify 3, Authenticate OTP is locked after 4 unsuccessful attempts. The same applies to SMS OTP, Voice OTP, Emergency Access Code (for online access only), and SecurID hardware OTP credential, with each counted and locked separately.

    The following attempts count as retries:

    • Resending the SMS or Voice OTP.

    • Using an expired or invalid OTP.

    The following table shows when each OTP expires.

    Authentication Method                        Expires
    SMS OTP, Voice OTP                           Three minutes after they are sent to the user.
    Authenticate OTP                             Five minutes after it is generated and displayed on a user's device.
    SecurID hardware OTP                         Typically every 60 seconds.
    Emergency Access Code (online access only)   After the number of days configured on the Users > Management page.

    Note: After an OTP is locked, a message informs the user that authentication was unsuccessful, but the message does not indicate the lockout status. Users cannot use the SMS, Voice, and Authenticate OTPs until you unlock them on the User Management page.

    After the online Emergency Access Code is locked, it cannot be manually unlocked or used for authentication. You must generate a new Emergency Access Code to give the user online emergency access.

  3. (Optional) Select Enable Automatic Unlock to automatically unlock the OTP method after the lockout duration has expired.
  4. If you have enabled the automatic unlock option, in the Lockout Duration field, specify the duration and select the time frame in minutes, hours, or days from the drop-down list. Each authentication method remains locked for the specified lockout duration before it is automatically unlocked. Each authentication method is locked and unlocked separately.
  5. Select Require Device PIN or Device Biometrics to view the Authenticate OTP to require users to provide additional authentication (for example, their fingerprint, Face ID, or a PIN) to view the SecurID Authenticate OTP. On iOS or Android devices, users can choose either Device Biometrics or Device PIN. On Windows devices, users must use Device PIN. The Device PIN is managed on the user's registered device and is not known to the Cloud Authentication Service.
    If you enable or disable this setting before users complete registration with the SecurID app, this setting is automatically applied when users complete registration. If you enable or disable this setting after users have completed registration, users must restart the SecurID app or wait 24 hours for this setting to take effect.
  6. If you selected Require Device PIN or Device Biometrics to view the Authenticate OTP, specify the minimum Device PIN length for Authenticate OTP.
    For users who have not yet completed registration, this minimum length is applied during registration. For users who have already completed registration, the SecurID app prompts users to change their Device PINs the next time that they try to use these PINs. The SecurID app/SecurID Authenticator app does not prompt users to change their Device PINs if their Device PINs already meet this new minimum length or if they only use biometrics to view the OTP.
  7. If your users have SecurID hardware authenticators that are managed in the Cloud Authentication Service, you need to define PIN rules. It is important to know:

    • PINs for hardware authenticators are securely stored and managed in the Cloud Authentication Service.

    • Changes to SecurID hardware authenticator PIN settings affect only users who create new PINs after you publish the changes. PINs created before publishing do not have to comply with the new settings.

    • The maximum PIN length must be compatible with the maximum number of input characters allowed by all authentication agents and clients in your deployment. For example, if an agent allows a maximum of 12 digits for the PIN + OTP and the OTP is 6 digits, then the PIN cannot exceed 6 digits.

    • Users cannot set PINs with repeated or sequential characters.

    • If your company plans to use the offline authentication capabilities provided by the Windows and macOS authentication agents, it is recommended that you require longer PINs and allow alphanumeric characters. The default settings (minimum 6 digits) are a good length for offline authentication, but longer is better.

    The following PIN settings apply to SecurID hardware authenticators:

    • Allow alphanumeric characters in hardware authenticator PINs. If unselected, PINs must contain only numeric characters. The default is numeric.

    • Minimum Hardware Authenticator PIN Length and Maximum Hardware Authenticator PIN Length. Specify 4-12 numeric characters for each setting. The defaults are 6-digit minimum and 8-digit maximum length.
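The PIN rules in step 7 combine four independent constraints, so here is an added Python validator (example code, not part of this documentation or of the Cloud Authentication Service) that applies them together: the numeric-only default versus alphanumeric PINs, the 4-12 character range for the minimum and maximum settings, the effective maximum imposed by an agent's PIN + OTP input limit, and the rule against repeated or sequential characters. The function names are assumptions, as is the reading of "repeated or sequential" as any two adjacent characters that are identical or one step apart; the page does not define the rule more precisely.

```python
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HardwarePinSettings:
    """Assumed mapping of the hardware authenticator PIN settings; defaults are the documented ones."""
    allow_alphanumeric: bool = False  # Allow alphanumeric characters; default is numeric
    min_length: int = 6               # Minimum Hardware Authenticator PIN Length
    max_length: int = 8               # Maximum Hardware Authenticator PIN Length

    def validate(self) -> None:
        """Both length settings must be in the 4-12 range the console accepts."""
        for name, value in (("min_length", self.min_length), ("max_length", self.max_length)):
            if not 4 <= value <= 12:
                raise ValueError(f"{name} must be between 4 and 12")
        if self.min_length > self.max_length:
            raise ValueError("min_length cannot exceed max_length")


def effective_max_pin_length(settings: HardwarePinSettings,
                             agent_input_limit: Optional[int], otp_digits: int) -> int:
    """PIN + OTP must fit the agent's input field: a 12-character agent limit with a
    6-digit OTP leaves room for a 6-character PIN, whatever the console maximum is."""
    if agent_input_limit is None:
        return settings.max_length
    return min(settings.max_length, agent_input_limit - otp_digits)


def _adjacent_pairs(pin: str):
    return zip(pin, pin[1:])


def has_repeated_characters(pin: str) -> bool:
    """Assumed reading of the rule: no character directly followed by the same character."""
    return any(a == b for a, b in _adjacent_pairs(pin))


def has_sequential_characters(pin: str) -> bool:
    """Assumed reading of the rule: no adjacent characters that step up or down by one."""
    return any(abs(ord(a) - ord(b)) == 1 for a, b in _adjacent_pairs(pin))


def check_pin(pin: str, settings: HardwarePinSettings,
              agent_input_limit: Optional[int] = None, otp_digits: int = 6) -> List[str]:
    """Return every rule the PIN breaks; an empty list means the PIN is acceptable."""
    problems = []
    allowed = string.digits + (string.ascii_letters if settings.allow_alphanumeric else "")
    if not pin or any(c not in allowed for c in pin):
        problems.append("letters and digits only" if settings.allow_alphanumeric
                        else "numeric characters only")
    if len(pin) < settings.min_length:
        problems.append(f"shorter than the minimum of {settings.min_length}")
    max_len = effective_max_pin_length(settings, agent_input_limit, otp_digits)
    if len(pin) > max_len:
        problems.append(f"longer than the effective maximum of {max_len}")
    if has_repeated_characters(pin):
        problems.append("contains repeated characters")
    if has_sequential_characters(pin):
        problems.append("contains sequential characters")
    return problems


if __name__ == "__main__":
    cfg = HardwarePinSettings()
    cfg.validate()
    for candidate in ("482913", "123456", "774422", "48291357"):   # constructed PINs
        print(candidate, check_pin(candidate, cfg, agent_input_limit=12, otp_digits=6))
```

Run the validator against the agent with the smallest input field in the deployment; that is the value that decides whether the console's Maximum Hardware Authenticator PIN Length is actually usable.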

Configure Device Unlock for Approve

Using Device Unlock for Approve with Android, iOS, and Windows Devices

When you require device unlock for Approve, users receive a notification on their registered devices, tap Approve in the notification, and are prompted to unlock their devices before authentication is completed. To use this setting, users must update the SecurID Authenticator app to one of the following app versions or later: Android 1.6.0, iOS 1.6.0, or Windows 2.0.1.

After users update the app, the first time that they try to use Approve, they must open the app, pull down to get the notification, and Approve from within the app. On all subsequent Approve requests, iOS and Android users can Approve within the push notification and then unlock their devices. Older app versions do not display a push notification and users must always open the app and pull down to respond to an Approve request.

This setting does not impact Windows users, but they must update to version 2.0.1 or later and follow the first-time instructions to receive push notifications for Approve. The Windows operating system determines how users interact with push notifications.

Using Device Unlock for Approve with Apple Watch

Unlock for Approve can be used when a registered iOS device is paired with an Apple Watch. Expect the following behavior.

User Devices Locked/Unlocked                              Approve Notification Sent To   User Action
The user's iPhone and Apple Watch are both locked.        iPhone                         Unlock the phone and tap Approve.
The user's iPhone is locked and Apple Watch is unlocked.  Apple Watch                    Tap Approve on the watch.
The user's iPhone and Apple Watch are both unlocked.      iPhone                         Tap Approve on the phone.

Procedure

  1. In the Cloud Administration Console, click My Account > Company Settings and select the Sessions & Authentication tab.

  2. Select Require users to unlock device to Approve.

Configure Emergency Access Code for Offline Use

When you enable Emergency Access Code for use offline, users can log on to machines running the RSA MFA Agent for Microsoft Windows when they forget or misplace their registered authentication devices. To use this feature, your deployment must meet these requirements:

  • The RSA MFA Agent 2.0.1 or later for Microsoft Windows must be installed on users’ Windows machines. For instructions, see RSA MFA Agent for Microsoft Windows.

  • Emergency Access Code must be configured and published in your assurance levels and access policies.

For more information, see Supported Authentication Methods - Emergency Access Code.

Procedure

  1. In the Cloud Administration Console, click My Account > Company Settings and select the Sessions & Authentication tab.
  2. Select Enable offline Emergency Access Code if you want to allow users to use Emergency Access Code to log on to Windows machines when they forget or misplace the registered devices. The RSA MFA Agent 2.0.1 or later for Microsoft Windows must be installed on users’ Windows machines. For instructions, see RSA MFA Agent for Microsoft Windows.

    Disabling this feature has the following impact:

    • Administrators can no longer generate the 12-character alphanumeric access code for online and offline emergency access. They can generate only 8-character alphanumeric codes for online emergency access.

    • Users who were given Emergency Access Code while the offline feature was enabled can still use their access code for offline emergency access until the access code expires or until the user successfully authenticates to the Cloud Authentication Service with a different method.

  3. Specify how many days the Emergency Access Code can be used offline. The access code is created and downloaded to the user’s machine the first time the user successfully authenticates online through the MFA Agent to the Cloud Authentication Service. The access code becomes invalid after one of the following events occurs:

    • The configured lifetime (1-30 days) has elapsed.

    • The user has successfully authenticated through the MFA Agent to the Cloud Authentication Service using a method other than Emergency Access Code. A new access code is downloaded to replace the old one, beginning a new lifetime cycle.

  4. Click Save Settings.
  5. (Optional) Click Publish Changes to activate the settings immediately.