SecurID Hardware Authenticators
You can assign SecurID 700 hardware authenticators to Cloud Authentication Service users and manage the OTP credentials in the Cloud Administration Console. These credentials provide two-factor authentication, where users enter a PIN (something the user knows) plus an OTP (something the user has). The OTP changes at regular intervals.
During authentication, the Cloud Authentication Service validates the OTP and PIN, similar to other cloud-based authentication methods. These credentials can be viewed and managed only from the Cloud Administration Console. You do not need to deploy an Authentication Manager server.
These credentials can be used for offline authentication if your company deploys the latest version of MFA Agent for Microsoft Windows or MFA Agent for macOS to users. For more information, see Using SecurID 700 Hardware Authenticators for Offline Authentication.
Each user can have up to five active SecurID 700 hardware OTP credentials that are managed in the Cloud Administration Console. Users can register and activate their credentials on My Page.
For instructions, see:
Deploy SecurID 700 Hardware Authenticators to Users
To deploy SID 700 hardware authenticators to your users, you can either transfer the ownership of the SID 700 hardware tokens from the Authentication Manager to the Cloud Authentication Service or obtain the record files from RSA.
Transfer SecurID 700 Hardware Authenticator Ownership to the Cloud Authentication Service
You can transfer ownership and administration of assigned and unassigned SecurID 700 hardware authenticators from RSA Authentication Manager to the Cloud Authentication Service. For information about SecurID 700 hardware authenticators that are eligible for transfer and how to transfer them to the Cloud Authentication Service, see RSA Authentication Manager 8.7 Administrator's Guide.
After the authenticators are transferred to the Cloud, the Cloud Authentication Service manages and owns the authenticators, and Authentication Manager consequently forwards the authentication events to the Cloud Authentication Service. These events can be monitored from the User Event Monitor for the Cloud Authentication Service. For instructions, see Monitor User Events in the Cloud Administration Console.
When SecurID 700 authenticators are transferred to the Cloud, all authentication agents, including RADIUS, will continue to authenticate applications protected by Authentication Manager. However, the cross-trust authentications for authenticators can fail in Authentication Manager. RSA Authentication Manager provides high availability by allowing Authenticate Tokencode, Cloud-owned SecurID 700, and DS100 OTP authentication to continue when the connection between Authentication Manager and the Cloud Authentication Service is not available.
SecurID 700 records that are uploaded directly to the Cloud and assigned to users are synchronized to Authentication Manager using the synchronization job for the Cloud Authentication Service. This batch job runs after Authentication Manager is connected to the Cloud Authentication Service. After authenticators are synced, Cloud-owned authenticators are available for authentication with applications that are protected by Authentication Manager.
After you transfer the ownership of SecurID 700 hardware authenticators from the Authentication Manager to the Cloud Authentication Service, you can perform these steps:
Obtain SecurID 700 Hardware Authenticators from RSA
To obtain SID 700 hardware authenticators from RSA, perform these steps:
- Request SecurID 700 hardware authenticators from RSA Sales or your partner. You will receive a packet containing the authenticators and encrypted authenticator record files.
  If you plan to use SecurID 700 hardware authenticators that were previously ordered and shipped, make sure you have the decrypted authenticator record files.
- Follow the instructions in the packet to decrypt the authenticator record files.
  During decryption, an import password is generated for each file. Make sure you have these passwords when you upload the authenticator record files to the Cloud Authentication Service.
  Note: Trial authenticators may not require a password.
Upload Decrypted Authenticator Record Files to the Cloud Authentication Service
- In the Cloud Administration Console, click Users > Hardware Authenticators.
- Click Upload SID700 OTP Seeds.
- Click Choose File and browse to the file you want to upload.
- If required, enter the import password that was created for the file during the decryption process.
- Click Upload.
You can view the total number of the uploaded hardware authenticators and the total number of unassigned hardware authenticators in the Hardware Authenticators page.
Configure Authentication Settings for Your Deployment
Configure settings that affect how hardware authenticators are used in your deployment, including PIN requirements. See Configure OTP Credentials for instructions.
Configure Email Notifications for Your Deployment
To help increase security, you can configure the Cloud Authentication Service to automatically send a confirmation email to users after they register their SecurID 700 hardware authenticators. For instructions, see Configure Email Notifications.
Distribute Authenticators to Users
To distribute SecurID 700 authenticators to users:
- Send unassigned authenticators to users.
- Instruct users to go to My Page to register their authenticator and test authentication.
If preferred, you can assign authenticators to each user before distribution. Upon receiving their authenticators, users must go to My Page to activate the preregistered authenticators and test authentication.
Delete Expired Hardware Authenticators
This task deletes all expired hardware authenticators from the Cloud Authentication Service. These authenticators cannot be used for authentication.
- In the Cloud Administration Console, click Users > Hardware Authenticators.
- From the Hardware Authenticator Actions drop-down menu, click Delete SID700s.
- Under Delete All Expired Hardware Authenticators, click Delete.
This operation may take several minutes to complete, depending on how many expired authenticators are being deleted.
Manage Users' Hardware Authenticators
See | Description
---|---
 | You can clear the PIN if the user has forgotten the PIN or the PIN is compromised. Before using the hardware authenticator, the user must go to My Page and set a new PIN.
Enable or Disable a Hardware Authenticator | Registered authenticators are automatically enabled. You can unassign a disabled authenticator.
Unassign a Hardware Authenticator from a User | Unassigning the hardware authenticator prevents the user from using it to authenticate.
Delete a User's Hardware Authenticator | Delete a hardware authenticator file from the Cloud Authentication Service.
 | Unlock a user's SMS, Voice, Authenticate, and hardware OTPs.
Rename a Hardware OTP Credential | Instruct users to go to My Page and click the old name. Enter the new name, then click the check box to confirm. Make sure the name is not blank, does not include the < > " / ; ` % characters, and does not exceed 50 characters.
View Hardware Authenticator Information
See | Description
---|---
Usage Information | View hardware authenticator usage statistics for your deployment on the Cloud Administration Console dashboard.
Run Reports | Use the Hardware OTP Credential Information report to see information for each hardware authenticator that is uploaded to the Cloud Authentication Service.
To access Help for end users, see SecurID Hardware Authenticator.