SecurID® Discussions
MatthewMaichuk
Beginner

Is there an upper limit to users with offline accessibility

I'm having some trouble tracking down information on how users are maintained for offline access (should a server drop from the network).

 

Primarily, the concern is whether, if a user is inactive for too long or if there are too many subsequent logins, their login will be aged out and, in time of an emergency, they would not be able to connect during the window for offline access.

 

If there is a document for this that would be great.

0 Likes
2 Replies
_EricaChalfin
Employee (Retired)

Matthew Maichuk,

 

I've moved your question to the RSA SecurID Access space where it will be seen by the product's support engineers, other customers and partners. Please bookmark this page and use it when you have product-specific questions.

 

Alternatively, from the RSA Customer Support page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question. From there, scroll to RSA SecurID Access and click Ask A Question. That way your question will appear in the correct space.

Here is some reading material to start you off:

Offline Authentication 

Offline Authentication Policy 

https://community.rsa.com/docs/DOC-77015 

 

Regards,

Erica

0 Likes
PiersB
Trusted Contributor

Hi Matthew,

Users can be configured (via policy) for some number of days of offline data. These days are refreshed each time the user authenticates (to make sure the user has the number of offline days as stipulated in the policy). In addition, the administrator can also have an offline "Emergency Access" (EA) tokencode pre-loaded onto clients. These can be provided by an administrator should a user be offline for an extended period of time. These are loaded onto the client when it is connected, but don't age and expire like offline data. The end user uses their PIN along with this code to authenticate until they can establish a connection to the corporate network.

 

You don't mention how many offline "days" you were planning on allowing, but many customers use something like 14 days. This is based purely on anticipated use-cases. (i.e. "We expect employees will connect to the corporate network at least once every 2 weeks."). 

 

Note that the offline agent will recharge the offline data when either of the following events occurs:

  1. The user authenticates on-line.
  2. The user authenticates offline and subsequently establishes a connection to the corporate network (by connecting to a VPN). 

In case #2, the offline service detects when a network connection is available and attempts to contact the authentication server. It uses the prior offline authentication to authorize downloading more offline data. The EA codes can also be provided if there are too many login failures offline. The offline login failure limit is also configured by the offline policy.