Authenticator Registration

a month ago

Users complete authenticator registration so that they can use the registered authenticator to sign in to protected applications.

Registration binds the authenticator to the user. After registration, when the user needs to authenticate to an application, RSA prompts the user for methods that the user can complete.

For more information on these authentication methods, refer to Authentication Methods for Cloud Access Service Users.

A user can register the following authenticators:

One RSA Authenticator App (available on iOS, Android, Windows, or macOS), or one custom authenticator app built with RSA SDK.
Up to five FIDO authenticators.
Up to five hardware authenticators, such as SecurID 700, RSA DS100, or third-party OATH HOTP authenticators.

For more information, see:

Registration of RSA Authenticator App
Registration of Custom App
Registration and User or Authenticator Changes
Registration with Multiple Accounts
Registration of FIDO Authenticators
Registration of SID 700 Hardware Authenticators
Registration of RSA DS100 FIDO and OTP Authenticators
Registration of OATH HOTP Hardware Authenticators

Registration of RSA Authenticator App

Users can register the RSA Authenticator App using one of the following methods described in the table.

Registration Method	Description
RSA My Page	My Page is a web portal that helps provide a secure way for users to register a software Authenticator app using QR or numeric registration codes. Users sign in to My Page on one device (for example, a computer), download the RSA Authenticator App on another device (iOS or Android), scan a QR code, and complete an optional test authentication. Users can also manually enter a numeric Registration Code if they are unable to scan a QR code. By default, My Page is disabled. When you enable it, you can also select an access policy that determines which users are allowed to use My Page and which authentication requirements they must satisfy to access the page. For more information, see Manage My Page.
User enters an LDAP password as the Registration Code into the RSA Authenticator app.	The user downloads the RSA Authenticator App on a device and enters the identity source email address, your Organization ID, and the identity source password (as the Registration Code) in the app. You can use the Device Registration Using Password policy to restrict which users are allowed to complete device registration using this method. For more information, see Device Registration Using Password Policy.
User enters a Registration Code generated by the administrator.	You use the Cloud Administration Console to generate a numeric Registration Code and then securely provide it to the user. The user downloads the RSA Authenticator App on a device and enters the user identity source email address, your Organization ID, and the Registration Code in the app. For more information, see the "Generate a Registration Code" section in Manage Users for Cloud Access Service .

Registration Method

Description

RSA My Page

My Page is a web portal that helps provide a secure way for users to register a software Authenticator app using QR or numeric registration codes. Users sign in to My Page on one device (for example, a computer), download the RSA Authenticator App on another device (iOS or Android), scan a QR code, and complete an optional test authentication. Users can also manually enter a numeric Registration Code if they are unable to scan a QR code.

By default, My Page is disabled. When you enable it, you can also select an access policy that determines which users are allowed to use My Page and which authentication requirements they must satisfy to access the page. For more information, see Manage My Page.

User enters an LDAP password as the Registration Code into the RSA Authenticator app.

The user downloads the RSA Authenticator App on a device and enters the identity source email address, your Organization ID, and the identity source password (as the Registration Code) in the app.

You can use the Device Registration Using Password policy to restrict which users are allowed to complete device registration using this method. For more information, see Device Registration Using Password Policy.

User enters a Registration Code generated by the administrator.

You use the Cloud Administration Console to generate a numeric Registration Code and then securely provide it to the user. The user downloads the RSA Authenticator App on a device and enters the user identity source email address, your Organization ID, and the Registration Code in the app. For more information, see the "Generate a Registration Code" section in Manage Users for Cloud Access Service .

For rollout information, see Cloud Access Service Rollout to Users.

Registration of Custom App

Your company can develop a custom authentication app for iOS or Android mobile devices based on the RSA Mobile SDK.

Use this procedure to add the custom app to CAS and generate an Application ID. Send the Application ID to your custom app development team.

Important: Custom authentication app is not a feature enabled by default. To be able to use this feature, you need first to contact the RSA Help Desk to get this feature enabled within your environment.

Procedure

In the Cloud Administration Console, click Access > Mobile Authentication.
In the Name field, specify a friendly name to identify this app.
In the Application ID field, enter a unique identifier.
Click Save.
(Optional) Click Publish Changes to activate the configuration immediately.

After you finish

Copy the Application ID and send it to the development team building your custom app.

Device Registration with a Custom App

You can configure My Page for users to register their devices with the custom app, or you can use your own custom self-service portal for registration. For instructions, see Manage My Page.

Each user may use one User ID to register a device with only one app per company account. If the user wants to use a second app, the user must register the device using a different User ID, delete the first app from the device before registering with the second app, or perform the second registration with a different company account.

For example, suppose user jsmith@abc.com in Company ABC downloads the custom app and registers a device. Later, this user wants to use the RSA Authenticator App. This user can do one of the following:

Download the RSA Authenticator App and re-register the same device using a different User ID with Company ABC.
Delete the custom app from his device, then download the RSA Authenticator App and re-register the device with Company ABC.
Download the RSA Authenticator App and re-register the same device using the same User ID but with a different Company account.

Registration and User or Authenticator Changes

The following table summarizes how RSA handles registration with user or changes.

Situation	How RSA Handles It
A user completes registration, deletes or uninstalls the RSA Authenticator App, and then later needs to complete registration again on the same device.	The user installs the RSA Authenticator App again and re-registers the device without administrative action.
A user completes registration on one device and then gets a new device. The user needs to complete registration on the new device. A user performs a factory reset on a registered device and wants to reinstall the app on the same device.	The user can delete the current device in My Page, and then complete registration. Or the administrator must delete the user's current device before the user can complete device registration again.
An existing user who has completed device registration on the device no longer needs the device and gives the device to a new user. An existing user who has completed device registration on the device no longer needs the device, performs a factory reset, and gives the device to a new user.	If necessary, the existing user deletes the device in My Page or deletes the company in the app. The new user installs the app and completes device registration without administrative action.

Registration with Multiple Accounts

An individual user can use the RSA Authenticator App on a single registered device to authenticate to protected resources with multiple accounts.

For example, a user who is a contractor for both Organization A and Organization B can use a single device to perform authentication to access both organizations. The user registers the device for one organization and uses the My Credential screen to add additional credentials as needed.

An administrator might use a single device for testing the behavior of the RSA Authenticator App for an organization's testing environment and production environment. If each environment has a unique Organization ID, the administrator adds a credential for each organization. Or if each environment uses the same Organization ID but has a unique user ID, the administrator adds an account for each user ID.

If an administrator for one credential uses the Cloud Administration Console to delete a user's registered device, the RSA Authenticator App on the user's device continues to work normally for any other credential. The activity from one credential does not affect the app behavior for other credentials.

Registration of FIDO Authenticators

Users can register up to five FIDO Authenticators. For more information, see Getting Started with FIDO.

Registration of SID 700 Hardware Authenticators

Users can register their SID 700 hardware OTP authenticators using My Page. For more information on deploying these authenticators, see RSA Hardware Authenticators .

Registration of RSA DS100 FIDO and OTP Authenticators

Users can register their RSA DS100 FIDO and OTP authenticators using My Page. For more information, see RSA DS100 Hardware Authenticator.

Registration of OATH HOTP Hardware Authenticators

Users can register their OATH HOTP authenticators using My Page. For more information, see OATH HOTP Hardware Authenticators .

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change