Getting Started with FIDO-Certified Security Keys with SecurID
SecurID supports using FIDO2-Certified and U2F-compliant security keys as an authentication option. Additionally, SecurID has partnered with Yubico to create the Yubikey for SecurID. See SecurID and Yubico.
SecurID supports FIDO2 security keys for both primary authentication (the passwordless user experience) and additional (step-up) authentication; U2F keys are supported only for additional authentication. FIDO primary authentication is supported only for service providers (SAML applications). See FIDO.
This document guides you through setting up and using security keys with SecurID:
- If you are a user authenticating to a protected application with a security key, see Using a Security Key to Authenticate to a Protected Application.
- If you are an administrator setting up the Cloud Authentication Service for FIDO authentication, see Setting Up Cloud Authentication Service for Security Keys.
Using a Security Key to Authenticate to a Protected Application
Procedure
1. Set up your PIN or biometric for the security key, if your security key supports it.
   Your administrator might instruct you to use the RSA Security Key Utility to create and manage the PIN for your security key:
   a. Click Start > RSA > RSA Security Key Utility.
      Depending on your configuration, Windows might present User Account Control (UAC) screens to request administrative credentials.
   b. Insert the security key.
   c. Click Create PIN.
   d. Enter your PIN in both fields, and click Submit.
2. Register your security key in SecurID My Page:
   a. Sign in to My Page. Your IT administrator sends you the My Page URL.
   b. Select Security key from the drop-down list, and click Get Started.
   c. Connect the security key and follow the instructions. For example, insert the security key into the USB port and tap the security key.
   d. Change the name of the key if you like.
3. Authenticate to a protected application using your security key:
   a. Open the protected application.
   b. Connect the security key and follow the instructions. For example, insert the security key into the USB port and tap the security key.
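What happens behind "tap the security key" in the registration and authentication steps above is a WebAuthn assertion ceremony: the key signs a challenge, and the relying party (here, the Cloud Authentication Service) checks that signature together with the data bound to it. The following Go program is an added example, not SecurID or Yubico code, that simulates a FIDO2 key signing an assertion and a relying party verifying it the way any WebAuthn verifier must: the rpIdHash binds the assertion to the registered relying-party ID, the origin in clientDataJSON rejects assertions a phishing page obtained, the challenge rejects replays, the signature is checked against the public key stored at registration, and the signature counter exposes a replayed or cloned key. The requireUV parameter is this example's model of the distinction the page draws between primary (passwordless) authentication, where the key is assumed to have verified the user with a PIN or biometric, and additional authentication, where a tap alone may suffice; that enforcement rule is an assumption of the example, not a statement from the page. The SimKey type, the relying-party ID idp.example.com and the challenge strings are constructed for the example; the authenticatorData layout, flag bits and ES256 digest follow the WebAuthn specification.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Bits of the WebAuthn authenticatorData flags byte.
const (
	flagUP = 0x01 // user present: the key was tapped
	flagUV = 0x04 // user verified: the key checked a PIN or biometric
)

// clientData is the JSON the browser builds for the ceremony (WebAuthn field names).
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Assertion is what the relying party receives after the user taps the key.
type Assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4, big-endian)
	ClientDataJSON []byte
	Signature      []byte // ASN.1 ECDSA over P-256 with SHA-256 (COSE ES256)
}
// Credential is what the relying party stored when the key was registered.
type Credential struct {
	PublicKey *ecdsa.PublicKey
	SignCount uint32
}
// SimKey stands in for a physical security key (hypothetical, for this example only).
type SimKey struct {
	priv  *ecdsa.PrivateKey
	count uint32
}

func NewSimKey() (*SimKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &SimKey{priv: priv}, err
}

// Register returns what the RP records at registration: the public key and counter.
func (k *SimKey) Register() Credential { return Credential{PublicKey: &k.priv.PublicKey, SignCount: k.count} }

// Sign models a tap: bump the counter, build authenticatorData, sign the ES256 digest.
func (k *SimKey) Sign(rpID, origin, challenge string, userVerified bool) (Assertion, error) {
	k.count++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37)
	copy(authData, rpHash[:])
	authData[32] = flagUP
	if userVerified {
		authData[32] |= flagUV
	}
	binary.BigEndian.PutUint32(authData[33:], k.count)
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // plain strings: cannot fail
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, es256Digest(authData, cdJSON))
	return Assertion{AuthData: authData, ClientDataJSON: cdJSON, Signature: sig}, err
}

// es256Digest is the value ES256 signs: SHA-256(authData || SHA-256(clientDataJSON)).
func es256Digest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Verify runs the relying-party checks; requireUV models passwordless (primary) authentication,
// where a tap alone is not enough and the key must also have verified the user.
func Verify(cred *Credential, a Assertion, rpID, origin, challenge string, requireUV bool) error {
	if len(a.AuthData) < 37 {
		return errors.New("authenticatorData too short")
	}
	var cd clientData
	rpHash := sha256.Sum256([]byte(rpID))
	flags, count := a.AuthData[32], binary.BigEndian.Uint32(a.AuthData[33:37])
	switch {
	case !bytes.Equal(a.AuthData[:32], rpHash[:]):
		return errors.New("rpIdHash mismatch: assertion was made for a different relying party")
	case flags&flagUP == 0:
		return errors.New("user presence not asserted")
	case requireUV && flags&flagUV == 0:
		return errors.New("user verification (PIN/biometric) required but not performed")
	case json.Unmarshal(a.ClientDataJSON, &cd) != nil:
		return errors.New("clientDataJSON is not valid JSON")
	case cd.Type != "webauthn.get" || cd.Challenge != challenge:
		return errors.New("wrong ceremony type or challenge: stale or replayed client data")
	case cd.Origin != origin:
		return errors.New("origin mismatch: the browser signed for another site (phishing)")
	case !ecdsa.VerifyASN1(cred.PublicKey, es256Digest(a.AuthData, a.ClientDataJSON), a.Signature):
		return errors.New("signature does not verify against the registered public key")
	case count != 0 && count <= cred.SignCount:
		return errors.New("signature counter did not increase: replay or cloned key")
	}
	cred.SignCount = count // update stored state only after every check passed
	return nil
}
```

Call Register once to get the Credential the relying party stores, then pass each Assertion from Sign to Verify with the relying-party ID, the origin the user's browser is on, and the challenge you issued for that request. The stored counter is written only after every check has passed, so a rejected assertion leaves the credential untouched; the order of the checks also means a phished or replayed assertion never reaches the signature step.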
Setting Up Cloud Authentication Service for Security Keys
If you are an administrator, perform these steps to start using security keys with Cloud Authentication Service. These steps assume that you have an existing Cloud Authentication Service deployment.
Set Up FIDO in Cloud Administration Console
Before you begin
- Review the system requirements for FIDO. See FIDO Authenticator Requirements.
- If you are using the RSA Security Key Utility to manage the security key PINs, deploy it to your users' computers. See Using RSA Security Key Utility.
Procedure
1. Confirm that FIDO is in the desired assurance level:
   a. In the Cloud Administration Console, click Access > Assurance Levels.
   b. Add or move FIDO to the desired assurance level.
2. Confirm that you have an access policy that uses that assurance level:
   a. Click Access > Policies.
   b. Click Edit for the policy.
   c. In the Rules Sets tab, confirm that FIDO is listed in Authentication Options.
3. Add a service provider:
   a. Click Authentication Clients > Relying Parties > Add a Relying Party > Add next to Service Provider.
   b. Decide whether to use FIDO for primary authentication, for additional authentication, or for both.
      To use FIDO for primary authentication, in the Authentication tab select SecurID manages all authentication, and in the Primary Authentication Method drop-down list select FIDO.
   c. To allow Emergency Tokencode as a replacement for FIDO (for example, if a user has lost the FIDO authenticator), select Allow Emergency Tokencode to replace FIDO. Emergency Tokencode does not need to be in an assurance level to be used for primary authentication.
      If you select this option, note how it interacts with additional authentication:
      - If Emergency Tokencode is an authentication option in the selected access policy, the user is granted access to the protected resource after entering the Emergency Tokencode once; the user is not prompted for it a second time as additional authentication.
      - If Emergency Tokencode is not an authentication option in the selected access policy, the user is prompted for additional authentication according to that policy.
   d. To use FIDO for additional authentication, in Access Policy for Additional Authentication, select the policy that contains FIDO.
4. Enable FIDO authenticator registration in My Page:
   a. Click Platform > My Page.
   b. Under Configuration, select Users can register FIDO authenticators in My Page, and then select Security key.
Do a Test Authentication
Procedure
1. Register your security key in My Page. See Using a Security Key to Authenticate to a Protected Application.
2. Authenticate to your service provider to see it work. See the demo videos in Building on Passwordless Experience, extending FIDO2 support as Primary Authentication.
3. Confirm your test authentication in the User Event Monitor:
   a. Click Users > User Event Monitor.
   b. Look for the success entry: