FalcoDussault
Beginner

AD Password in MFA SecurID Agent

Hello,

In the past we used the standard Windows agent with Authentication Manager in order to protect RDP access.

The use case we had is that ONLY the first time does a user enter his credentials and then the hardware or software tokencode. At the next login, the user inserted ONLY the tokencode, without inserting the AD domain password again.

Now we are moving to the RSA MFA agent in order to add push notification/approve functionality in the same use case, where users log in via RDP to a Windows machine.

My questions are:

1. Do we need to insert the domain password of the user every time before receiving the push notification in the app? Or is the MFA agent able (like the standard agent) to cache the password of the user, so that the user ONLY has to insert the tokencode OR accept the approve notification (depending on the policy) in the app?

2. During the access, is it possible for the user to select the best solution for him to use, like selecting token or push or call?

Thanks

Accepted Solutions
TedBarbour
Employee

Hi Falco - please see my answers below:

1. Do we need to insert the domain password of the user every time before receiving the push notification in the app? Or is the MFA agent able (like the standard agent) to cache the password of the user, so that the user ONLY has to insert the tokencode OR accept the approve notification (depending on the policy) in the app?

Yes, the current MFA Agent version 1.2 requires entering the Windows password to unlock before (optionally) requiring additional authentication.

2. During the access, is it possible for the user to select the best solution for him to use, like selecting token or push or call?

Yes, the user can select the desired additional authentication method from the available methods the administrator has configured in the Cloud Administration Console's access policy.

Hope that helps,

Ted

ShashankRajvans
Employee

Hi Falco,

I am part of product management driving the next feature sets for MFA Agent and will be interested to understand your use cases and experience using MFA Agent for Windows. Please email me if you will be available for a quick call.

Regards,

Shashank

Shashank.rajvanshi@rsa.com

YannDuplaix
Occasional Contributor

Hi Falco,

There is also another way to get push/approve (with PIN), and even biometrics (with PIN): you can leverage new capabilities of Authentication Manager 8.4 (starting with P4).

You will have nothing to change from a Windows authentication agent perspective; it will just work as-is.

I would suggest you have a look at this. That could be a good way to get what you need, before transitioning to the MFA agent when it has the AD password caching feature.

Some details here: RSA® SecurID Access Release Notes for RSA Authentication Manager 8.4

We introduced this capability (approve) with AM 8.4 P4 and enhanced it (biometrics) with AM 8.4 P9.

Regards.

Yann

AKarimian
New Contributor

We have this same issue with our migration to the MFA Agent. Is there an upcoming release for the MFA agent that is going to bring this feature?

Seeing that the EOPS date for the auth agent is Sept 2022, this is needed ASAP (Product Version Life Cycle for RSA SecurID Access - SecurID Community - 572909 [community.securid.com]).