Password-Only Authentication

RSA recommends that you install a replica instance to provide secure, two-factor authentication in case the primary instance goes out of service. If your deployment has no replica instance and the primary instance goes offline, consider reverting to password authentication until your primary instance is restored.

When you revert to password authentication, your resources are protected by passwords only:

Know the following about reverting to password-only authentication.

  • Users no longer need to use on-demand tokencodes to authenticate.

  • You must remove your risk-based authentication (RBA) configuration.

  • You must refer to the instructions for the agent that you want to configure for password-only authentication. For a complete list of supported agents and instructions, go to

  • You can revert to password-only authentication using the agent that you used before you configured RBA. If users’ passwords were stored on this agent, the users must know the passwords that they used for this agent before you configured RBA.

  • Determine which sensitive resources to make accessible by password-only, until two-factor authentication is restored.

  • Determine which sensitive resources to make inaccessible until two-factor authentication is restored.

  • Save users’ passwords for servers that you might use for password-only authentication while the primary instance is unavailable, including sources such as Active Directory and Oracle Directory Server.

  • Inform users of the change to password-only authentication.