This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
msg9
Occasional Contributor
Occasional Contributor
‎2023-05-18 01:47 PM

Multiple Device Logins/Sessions Using Same Passcode/Tokencode?

Hello all,
I had a power user ask an interesting question today.  When some of our supported Systems and Network Engineers need fast access to multiple devices at the same time, as I understand, they have to wait for the Tokencode to roll over between multiple device logins.

In other words, they cannot use the same passcode for multiple sessions; it must be PIN+UniqueTokencode?

I can obviously see how this would be a security feature to limit access in event of compromise, but curious, is this configurable for the RSA SecurID service provider?  This is something we would put forth to our change management for a policy decision.

A couple of uses case examples:

  1. For the organizations we support, emergency support for their customers can require Network Engineers to log into multiple network devices quickly.  Having to wait for the Tokencode to rollover, at 60 seconds, this slows them by up to 7 to 10 minutes to actionable access state in a provided example.
  2. Another example is for Environment Compliance Check activity.  Logging into a group of network devices becomes tedious for power users attempting to login to, say, 5 to 10 devices at one time in order to review configurations.

I've had a look through the AM console and I'm not seeing any options to control this in policy, and have searched the site and community, but not seeing any notes or discussion on this topic.   Seems like something others would have run into as well?

Thanks

Labels (2)
0 Likes
Reply
2 Replies
GabrielPython1
Occasional Contributor
Occasional Contributor
‎2023-05-19 03:53 AM

Hi,

have e look on this Emergency Access for Authentication Manager Users - RSA Community - 629641

Kind regards

Reply
msg9
Occasional Contributor
Occasional Contributor
‎2023-05-24 02:28 PM

Interesting idea, thanks @GabrielPython1 

This would work for those periodic compliance situations, though I don't think we could get approval from our cyber leads, since fixed passcodes effectively disables MFA and creates a gap.

Mentioned it to the NET ENG and he said they'd ideally need something more permanent and readily available.  On our end, we'd need something without the requirement for close RSA administrative involvement.

I think ideally, we would be looking for something that would not require that much administrative involvement, or at the least, maybe a secondary authentication policy we could enact?

I didn't see anything in the policies that would let us configure multiple authentications under a single passcode session.  Ultimately, this is the functionality we'd be looking to accomplish, even if it were a separate user account and token for specific use.  Or perhaps a special group we would create for advanced access privs.

Seems like it would all hinge on being able to control the number of authentications allowed on a passcode?

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.