2FA/MFA for password reset workflow in RSA IGL

Question asked by Volodymyr Melnyk on Apr 20, 2020
Latest reply on Apr 21, 2020

Business stakeholders don't like the out-of-the-box challenge questions for password reset. The idea is to mitigate the risk of a password change for admin accounts when a user leaves the PC screen unlocked (we use passwordless SSO for login to RSA IGL).


As far as I could understand, it is not possible to link a custom workflow to password reset submission. For us it is not a problem, as we keep accounts in source type "Directory" and groups in each Application, so we can modify the workflow which is linked to the Directory.


The intention is to add an API node to the AFX workflow (or it can be an approval WF, it doesn't matter) with a connection to RSA Authentication Manager to validate an RSA SecurID token.


There is also an idea to use MFA for some requests later.


Does anyone have something similar? A REST node setup for token validation to RSA Authentication Manager, or any other token validation.


Is there a better way to mitigate the same risk? Additional identity attributes and security questions are not an option.


