Live Verification Policy

The Live Verification Policy determines which authentication methods are available for real-time identity verification. Enabling this policy makes the Live Verification feature available, providing secure and consistent identity verification during help desk interactions.

The Live Verification feature allows Super Administrators and Help Desk Administrators to confirm a user's identity in real time using any registered multi-factor authentication (MFA) method. This feature strengthens security by ensuring that only verified users can receive assistance with account-related tasks. It helps prevent impersonation and reduces the risk of unauthorized access.

To use this feature, make sure that the Live Verification Policy is enabled. For information about how to initiate the Live Verification process, see Live Verification for Users

Note:  Live Verification is included with the ID Plus E3 plan and available as an add-on for other subscription plans. For more information, contact RSA Customer Support.

Best Practices for Live Verification Policy

RSA recommends the following best practices when configuring the Live Verification Policy:

• Set primary authentication methods: Ensure users authenticate with a primary authentication method. Choose options that are both secure and accessible for users, such as QR Code or Authenticate OTP.

• Secure with adaptive access: Use Conditional Attributes to prevent verification from high-risk locations or known suspicious IP addresses.

• Add Mobile Lock protection: Enable the Mobile Lock feature to prevent unauthorized remote access to compromised devices.

• Enhance security with Risk AI: Use Identity Confidence in policy rule sets to dynamically assess risk levels and enforce High assurance levels to prevent unauthorized verification attempts.

Configure Live Verification Policy

The Live Verification Policy exists by default. You can enable and configure it or disable it as needed. Disabling this policy also makes the Live Verification feature unavailable. Unlike other access policies, you cannot clone or delete the Live Verification Policy, and the View Usage option is not available for this policy. When you disable the access policy, the current configurations are saved and are available when the access policy is enabled again.

Before you begin 

• You must be a Super Administrator in the Cloud Administration Console.

Procedure 

1. In the Cloud Administration Console, click Access > Policies.

2. On the Policies page, enable the Live Verification Policy.

3. On the Basic Information page, optionally enter a policy description.

4. On the Available Identity Sources page, select at least one identity source to define the target user population.

5. Click Next Step.

6. On the Primary Authentication page, select the Default Method you want to make available for primary authentication. Then, click ADD to add Alternate Methods. Users will see the selected primary authentication methods, based on the specified order, starting with the selected Default Method.

7. Click Next Step.

8. On the Rule Sets page, do the following:

   1. Enter the rule set name.

   2. In the Apply to field, select All Users to allow application access to all users who authenticate or Selected Users if you want to apply this rule set only to users who match the user attribute expressions in this rule set.

   3. In the Selected users must match field, indicate how closely the user request must match the user attributes.

   Option	Result
   Any	The user request can match any single user attribute, but is not required to match all user attributes.
   All	The user request must match all user attributes in the rule set.

   1. Click Add to add a user attribute expression that selects users.

   2. In the User Selection Rule dialog box, use the User Attribute, Operation, and Value fields to define the target population. The User Attribute field is case sensitive. For detailed information on operations, see Operators for Using LDAP Attributes in Access Policies.

   3. Access Details: The Access setting determines how user access is managed based on the selected user population.

      • Allowed: Cloud Access Service (CAS) evaluates the request to determine if additional authentication is required.

      • Conditional: CAS evaluates the request based on specified conditions. Click Add to include a new condition for determining user access based on contextual conditions. In the Authentication Condition dialog box:

        • (Optional) Select an operator (OR or AND) to determine how each attribute and value pair is combined.

        • Select the Attribute and specify the Value. The context of the user’s request will be compared against the specified value for the chosen attribute.

        • Select the Action to be performed when the user's request matches the configured conditions:

        • Click Save.

   1. In the Additional Authentication field, select one option.

   Option	Description
   Required	Always require additional authentication.
   Not Required (default)	Additional authentication is not required.

   1. If you selected Required, also select an Assurance Level. These options specify the authentication methods to use during authentication. The assurance level (Low, Medium, or High) indicates the relative strength and security of the methods. Users can select options from higher assurance levels. For example, if you select Low, users will see authentication options from the Low, Medium, and High assurance levels.

9. Click Save and Finish.

10. Click Publish Changes.

CAS enforces this policy immediately for Live Verification.