An authentication method is a credential that you provide or an action that you perform to prove your identity. RSA Via Access supports the following authentication methods: Active Directory password, RSA Via Tokencode, RSA SecurID, Approve, Device, Fingerprint Verification, and Administrator Password.
An authentication method is a credential that you provide or an action that you perform to prove your identity. RSA Via Access supports the following authentication methods: LDAP directory password, RSA Via Tokencode, RSA SecurID, Approve, and Fingerprint Verification.
LDAP Directory Password
The LDAP directory password is used to access the RSA Via Access Application Portal and to register mobile devices. LDAP directory passwords are managed within the LDAP directory server. User records are synchronized from the LDAP directory server to identity sources in RSA Via Access. The RSA Via Access hosted service must be able to reach your on-premise identity source for authentication to succeed.
RSA SecurID
The RSA SecurID method employs a one-time, randomly generated number called a tokencode. The tokencode is generated on a hardware or software token and is verified by your on-premise RSA Authentication Manager server. The user enters the tokencode into the application portal. A Personal Identification Number (PIN) is often required. The tokencode is time-based and must be used before it expires. RSA SecurID tokens are issued and revoked only through Authentication Manager.
RSA Via Tokencode
Similar to RSA SecurID, RSA Via Tokencode employs a one-time, randomly generated number called a tokencode. This tokencode is generated on a mobile device where the RSA Via Access mobile app is installed. The tokencode, which is verified by the RSA Via Access hosted service, is time-based and must be used before it expires. The user is enrolled for this method automatically after device registration.
If your company has deployed both RSA Via Access and RSA Authentication Manager 8.2 or later, you can integrate the two products so that users can authenticate with RSA SecurID tokens and RSA Via Tokencodes on the same RSA Authentication Agent.
You can require users to provide a fingerprint or PIN to view the RSA Via Tokencode on the mobile app. This setting takes effect after 24 hours or after the user restarts the mobile app. The user must tap View Tokencode on the RSA Via Tokencode screen and authenticate before viewing the tokencode. The first time that the user taps View Tokencode, the app prompts the user to create a PIN that is only used for viewing the RSA Via Tokencode. The PIN must be numeric and contain 4-255 digits. The PIN applies to the RSA Via Tokencodes for all companies in the mobile app.
If the user has set up or registered fingerprints, the mobile app prompts the user to authenticate with fingerprint. The user can also choose to skip Fingerprint Verification and enter the PIN. If the user fails Fingerprint Verification three times or the user has not set up or registered fingerprints, then the app prompts the user to enter the PIN. If the user enters an incorrect PIN five times, the PIN is locked and the user must reset the PIN. To reset the PIN, the app prompts the user for Fingerprint Verification or the password for the company requesting the tokencode.
The user can authenticate to view the tokencode with an online or offline device. However, if the app prompts the user to enter the password to reset the PIN, the user must be online.
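The prompt and lockout rules above for viewing the tokencode, modeled as a small state machine (an added example, not RSA's implementation). The class and method names are hypothetical, and clearing the failure counters after a success or a PIN reset is an assumption the page does not state.

```python
import hmac
import re

MAX_FINGERPRINT_FAILURES = 3                # from the page
MAX_PIN_FAILURES = 5                        # from the page
PIN_FORMAT = re.compile(r"[0-9]{4,255}")    # numeric, 4-255 digits


class ViewTokencodeGate:
    """Hypothetical model of the View Tokencode prompts; PIN storage is out of scope."""
    def __init__(self, pin: str, fingerprint_enrolled: bool):
        self.fingerprint_enrolled = fingerprint_enrolled
        self._set_pin(pin)

    def _set_pin(self, pin: str) -> None:
        if not PIN_FORMAT.fullmatch(pin):
            raise ValueError("PIN must be numeric and contain 4-255 digits")
        self._pin = pin                     # model only: kept in memory
        self.fingerprint_failures = self.pin_failures = 0   # assumption: cleared
        self.locked = False

    def next_prompt(self) -> str:
        if self.locked:
            return "reset"
        if self.fingerprint_enrolled and self.fingerprint_failures < MAX_FINGERPRINT_FAILURES:
            return "fingerprint"
        return "pin"                        # no fingerprint, or three failures

    def try_fingerprint(self, matched: bool) -> bool:
        if self.next_prompt() != "fingerprint":
            return False                    # fingerprint is no longer offered
        self.fingerprint_failures = 0 if matched else self.fingerprint_failures + 1
        return matched

    def try_pin(self, pin: str) -> bool:    # the user may skip straight to the PIN
        if self.locked:
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.fingerprint_failures = self.pin_failures = 0
            return True
        self.pin_failures += 1
        self.locked = self.pin_failures >= MAX_PIN_FAILURES
        return False

    def reset_pin(self, new_pin: str, fingerprint_ok=False, password_ok=False, online=True) -> bool:
        if not (fingerprint_ok or (password_ok and online)):   # password needs connectivity
            return False
        self._set_pin(new_pin)
        return True
```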
FIDO Token
The FIDO Token is a hardware authenticator that the user inserts into a USB port. Registration happens the first time a user clicks an icon for a protected application and follows the prompts in the browser. During registration, the user enters an identity source password, inserts the FIDO Token, and, if required, taps the token. Subsequent authentications do not require a password. The FIDO Token requires the Chrome browser version 40 or later.
RSA Via Access supports the FIDO (Fast IDentity Online) Alliance standards for Universal 2nd Factor (U2F). The U2F protocol strengthens password authentication by adding a physical token.
Note: The FIDO Token might not work on browsers that run on a virtual machine.
Approve
To use the Approve method, the user attempts to access the application and is then prompted to tap a button or shake the device. On iOS, the user can also tap an interactive notification on the mobile device or on an Apple Watch paired to the device. The user must respond within one minute; otherwise, the method times out and is considered a failed authentication. This method requires a mobile device where the RSA Via mobile app is installed. The user is enrolled for this method automatically after device registration.
Fingerprint Verification
The Fingerprint Verification method allows users to authenticate to applications using Apple Touch ID, Samsung Fingerprint, or Android version 6.0 fingerprint support. This method is only available on an iOS 8.0 or later device that supports Touch ID or a Samsung or Android version 6.0 or later device with a fingerprint sensor.
To use Fingerprint Verification, users must first set up Touch ID or register their fingerprints on their mobile devices. RSA Via Access does not force users to set up Touch ID or register their fingerprints on their mobile devices.
Eyeprint Verification
The Eyeprint Verification method allows users to authenticate to applications using EyeVerify's Eyeprint ID. This method is only available on devices supported by EyeVerify. For the list of supported devices, see http://www.eyeverify.com/supported-devices.
To use Eyeprint Verification, users must enroll in Eyeprint ID through the RSA Via Settings (iOS) or Eyeprint ID (Android) menus. Users only see these menus if they have a supported device. Enrollment requires two to five Eyeprint Captures. If users do not complete enrollment after the fifth Eyeprint Capture, users are prompted to start the enrollment process again. Eyeprint data is stored locally on the device.
RSA Via Access does not force users to enroll in Eyeprint ID on their mobile devices. If the user is not enrolled in Eyeprint ID, RSA Via Access does not present Eyeprint ID as an authentication option to the user.
In the Settings (iOS) or Eyeprint ID (Android) menus, users can recreate the Eyeprint to improve its quality if they experience repeated authentication errors, and they can unenroll Eyeprint ID if they no longer need this authentication method. Unenrollment deletes the Eyeprint data on the device. If users recreate the Eyeprint or unenroll Eyeprint ID, they must provide the password entered during device registration. Users who use the RSA Via mobile app with multiple companies must provide the password of the first company in the mobile app Companies list.