Customer has RSA Authentication Manager 8.X in PROD and there are target apps integrated with it for 2FA.
Currently PIN is in RSA Internal DB. We want to remove that and in its place want users to use their AD Password and then token code only.
We are looking for a best feasible solution to fulfill the customer requirement. Please advice
Hello Usman
If I am not wrong AD password cannot be used as first factor.
you have asked same Question earlier on September 2016.
you can skip PIN by using PIN not required, after PIN skipped user can login by using Token Code + AD Password.
Thanks
Rajesh
Thanks Rajesh.
I might have asked the same in past. Will you please give some direction where this configurations to be done so that RSA will accept the users RSA tokencode and AD PWD ?
Sent from my iPhone
Usman,
Another option is to ask your RSA Account team about some of the new authentication options with RSA SecurID Access Enterprise or Premium editions. With the cloud service AD password can be the first factor followed by your RSA SecurID Tokens or push notification, SMS or one-time passcode for the second factor.
Test drive the new authentication factors - Two Ways to Try RSA SecurID Access for Free
Also check out the product edition feature matrix - RSA SecurID Access Editions | RSA
Nathan
Hi Usman,
As Nathan Furze suggested you can check with you RSA account team about RSA securID access.
that will fulfill your users requirement.
Other hand in Authentication Manager you can skip PIN if you are using Software token, Before assigning tokens to user you need to edit Software Token profile as shown below, then distribute the token.
Hope this helps.
Thanks
Rajesh
Thanks to all.
With respect to Our New Solution RSA SecurID Access. We have done the POC for Client and the P.O. was initiated and moving slowly due to some internal Stuff. We will get the Order Soon
By that time and client is challenging RSA Authentication Manager: Like is it capable or configurable to talk to AD and submit the user's AD Creds to get that validated , Take the response from AD and then challenge the User for Tokencode only ?
My point of discussio: Is RSA configurable to talk to AD for Creds validation --> take its response --> then Challenge Tokencode ?
In my Study I did not find this feasibility. But, Client director was told by RSA employee in one of the recent Summit that its doable.
I would be happy to talk with you in your available time. Please share the contact number on u.shaik.rsa@mobily.com.sa
or here
It is a bad idea to skip the pin. Someone could pick up your device running the RSA software token and simply use the code. Skipping the pin eliminates 2-factor, and turns it to one factor... Something you have. Never recommended.
Agree we already highlighted the same to Customer. But the Customer justification and requirement is to have the AD Creds used first ( It would be as PIN) then Token code.Therefore customer still has the 2FA in place.
Customer giving references of their previous employers with Gemalto Safenet in place as 2FA solution and they can do this. i.e. AD Creds first then Token code only
Only thing is PIN will not be in RSA DB , stead it would be AD PWD. And they believe their AD is secure.
Is it doable in RSA ? I have not found something yet to fulfill this. Appreciate your inputs.
Usman,
In Authentication Manager Support we call what you want to do, Windows Password with TokenCode, two One-factor authentications, which is not 2-Factor authentication, 2FA. That is because as Ed alluded to, we think in terms of the 2 factors being integrated, part of the same SecurID deployment. So from our point of view, two one-factor authentication do not equal two-factor authentication. I am biased, but 2FA is a very strong authentication, and I believe the evidence supports this claim.
However, with the term multi-factor Authentication, MFA, the concept of mixing more than one authentication method is considered a way to kind of adding the strengths of each individual authentication. I would only say this is debatable, or in consultant speak, 'It depends', as you may also be adding the weaknesses of each authentication method. Conceptually I would say that two 4 foot fences 10 feet apart are not the equal of a single 8 foot fence when trying to prevent physical access. What you need to consider is the relative height of your authentication fences.
Having said all this, and I restate, I do not consider two one factor authentications the equivalent of 2FA, many times a business simply has to consider risk and consider if your plan is good enough security, then I can say that many customers do what you want to do, they deploy Tokens without requiring PINs - Globally under Security Console - Setup for Tokens.
Your next problem is figuring out how to prompt for Windows Password, which is not an Authentication Manager job, though our Windows agent can be left in the default configuration to automatically prompt for a Windows Password instead of logging into Windows after learning a user's password with the Windows Password integration option.
On a VPN you would have to configure two authentications, first to LDAP or Windows, 2nd to AM.
Now that we have made you either enlightened or dangerous with knowledge, you should treat every lost token with the utmost priority, as a bad guy with your user's token only needs to hack the Windows password. If you have software tokens, you will need a way to ensure that a software token has not been copied, which means .sdtid files as a delivery method are now riskier.
You see, when you do not use PINs, you will likely be unaware that a token has been stolen or copied, because ALL stolen token authentications WILL be Successful in AM logs, and none of the attempts to hack the Windows Password will ever show in Authentication Manager logs. Good luck with that. This is the crux of what we 2FA types mean when we say 2FA is integrated, and two one-factor authentications are not.
Hi Usman,
Hopefully this will clear things up.
1. Authentication Manager was designed to be used in a PIN+Tokencode manner to achieve 2FA. Within Authentication Manager you do NOT have the ability to use the Windows Password + Tokencode for authentication. Authentication Manager does have the ability to use a token without a PIN in tokencode only mode. - This is not 2FA, it is single factor authentication.
2. Some agents (for example Cisco AnyConnect, Citrix Netscaler, and the RSA Windows agent) can be configured to prompt the user for their Windows password in addition to their RSA passcode. With these agents configured in this manner, you could achieve two step authentication using the windows password + an RSA token in tokencode only mode. As Jay mentioned above, this is not, strictly speaking, two factor authentication it is technically considered two-step authentication.
3. The new SecurID Access solution does prompt the user for their AD (Windows) password followed by the appropriate level of step up authentication in accordance with the configured policy. This is likely what the RSA employee at the Summit was referring to.
In summary, Authentication Manager cannot be configured to validate AD credentials as the first factor of authentication however the cloud authentication service can.
Usman,
Another option is to ask your RSA Account team about some of the new authentication options with RSA SecurID Access Enterprise or Premium editions. With the cloud service AD password can be the first factor followed by your RSA SecurID Tokens or push notification, SMS or one-time passcode for the second factor.
Test drive the new authentication factors - Two Ways to Try RSA SecurID Access for Free
Also check out the product edition feature matrix - RSA SecurID Access Editions | RSA
Nathan