My Page Recovery Policy
You can enhance security during recovery by implementing an identity verification workflow, ensuring that only authorized individuals can recover access to My Page in the event of a lost, stolen, or damaged authenticator. The My Page Recovery Policy allows you to strengthen the recovery process by integrating an identity verification provider. This policy requires selecting at least one identity source to identify the relevant user population.
Additionally, you can define specific rules for the "My Page Recovery Policy" to determine when and for whom it applies, allowing for customization based on different user groups.
Note: Credential recovery only functions for users with a single registered authenticator. It does not work for users whose single authenticator represents two separate credentials.
Configure My Page Recovery Policy
The My Page Recovery Policy exists by default. You can choose to enable and configure it, or disable it if needed. However, unlike other access policies, this policy cannot be cloned, deleted, or used to view access logs. If you disable the policy, its current configurations are saved and can be restored when the policy is re-enabled.
Before you begin
You must be a Super Admin in the Cloud Administration Console.
You need to configure a user verification identity provider to use it within the My Page Recovery Policy. For more information, see Identity Verification Providers.
In the Cloud Administration Console, enable My Authenticators under Access > My Page > My Authenticators.
In the Cloud Administration Console, enable Enrollment and Recovery Settings under Access > My Page > Enrollment and Recovery.
Procedure
In the Cloud Administration Console, click Access > Policies.
On the Policies page, click Enable next to the My Page Recovery Policy.
On the Available Identity Sources page, select identity source(s) from the list to identify the target user population for this policy. Select at least one identity source.
Click Next Step.
On the Rule Sets page, do the following:
Enter the rule set name.
In the Apply to field, select All Users to allow access to all users who authenticate, or Selected Users to apply this rule set only to users who match the user attribute expressions in this rule set.
Access Details: The Access setting determines how user access is managed based on the selected user population.
Allowed: Cloud Access Service (CAS) evaluates the request to determine if additional authentication is required. In the Identity Verification section, in the Method field, select one of the following methods if the Allowed option is selected:
Identity verification methods:
Password + Email Verification: This method requires users to enter their password and then verify their identity by entering a code sent to their registered email address upon request.
Password + Identity Verification Providers: This method combines password authentication with an additional layer of identity verification provided by third-party services to enable access to enrollment. In the Identity Verification Provider field, select an identity verification provider. This feature is offered as an add-on. For more information, please contact your RSA Sales Representative.
Password + SMS/Voice Code: This method combines password authentication with an extra layer of security by using a one-time passcode (OTP) sent via SMS or voice call to the user's registered phone number. For information on configuring the SMS/Voice OTP validity period, see the Set Up Enrollment Settings section in Manage My Page. This feature is offered as an add-on. For more information, please contact your RSA Sales Representative.
Email Verification + SMS/Voice Code: This method combines email verification with an extra layer of security by using a one-time passcode (OTP) sent via SMS or voice call to the user's registered phone number. For information on configuring the SMS/Voice OTP validity period, see the Set Up Enrollment Settings section in Manage My Page.
Email Verification + Identity Verification Providers: This method combines email verification with an additional layer of identity verification provided by third-party services to enable access to enrollment. In the Identity Verification Provider field, select an identity verification provider.
SMS/Voice Code + Identity Verification Providers: This method combines a one-time passcode (OTP) sent via SMS or voice call to the user's registered phone number with an extra layer of identity verification provided by third-party services to enable access to enrollment. In the Identity Verification Provider field, select an identity verification provider. For information on configuring the SMS/Voice OTP validity period, see the Set Up Enrollment Settings section in Manage My Page.
Note: When selecting identity verification methods, such as "Password + Email Verification" or "Password + SMS/Voice Code", RSA strongly recommends limiting user recovery options based on conditional attributes, such as the user's country, known browser, and identity confidence. This approach minimizes security risks by applying conditional logic based on each user's specific circumstances.
Conditional: CAS evaluates the request based on specified conditions. Click Add to include a new condition for determining user access based on contextual conditions. In the Authentication Condition dialog box:
(Optional) Select an operator (OR or AND) to determine how each attribute and value pair is combined.
Select the Attribute and specify the Value. The context of the user’s request will be compared against the specified value for the chosen attribute.
Select the Action to be performed when the user's request matches the configured conditions:
Deny Access: Select this option to deny access when conditions are met.
Verify Identity: Select this option if you need to verify the user’s identity. Then, select an identity verification method from the available options in the Method field.
Click Save.
Note: Conditions are evaluated in the order they are listed. You can drag and drop to reorder them as needed. Conditions that do not match any criteria are evaluated last.
Click Save and Finish.
Click Publish Changes.
CAS enforces this access policy immediately for recovery to My Page. This policy does not impact existing registrations.
Example
The following example describes how the My Page Recovery Policy works for an allowed user.
The administrator adds a user verification identity provider and configures its workflow.
The administrator then enables the My Page Recovery Policy.
The administrator sets up a rule requiring sales users to complete the recovery process on My Page using an identity proofing method and an identity verification provider.
When a sales user opens the secure recovery URL, they enter their User ID, password, and country information, followed by scanning their ID. The sales user can then report a lost, stolen, or damaged authenticator.
Once reported, the credential is immediately deleted from CAS, and the sales user receives an email notification if the email feature is enabled.
The sales user is then allowed to register a new authenticator.
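The rule-set evaluation described in the procedure above, and the sales-user walkthrough in this example, modelled as an added Python illustration. This is not RSA's code and not how Cloud Access Service is implemented; it only mirrors the concepts the page names (identity source population, Apply to All Users or Selected Users, Allowed access with one method, Conditional access with ordered conditions combining attribute/value pairs by AND or OR, and the Deny Access or Verify Identity actions). It assumes first-match semantics for the ordered conditions and treats a request that matches no condition, or no rule set, as Deny Access; the page does not state that default. The blocked country "XX", the attribute names and the sample users are constructed.

```python
"""Toy model of a My Page Recovery Policy rule set (added illustration, not RSA code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

DENY = "Deny Access"
VERIFY = "Verify Identity"


@dataclass
class Condition:
    """One entry in the Authentication Condition dialog."""
    pairs: list[tuple[str, object]]       # attribute/value pairs compared with the request context
    operator: str = "AND"                 # how the pairs are combined: "AND" or "OR"
    action: str = DENY                    # Deny Access or Verify Identity
    method: Optional[str] = None          # identity verification method when action is VERIFY

    def matches(self, context: dict) -> bool:
        results = [context.get(attr) == value for attr, value in self.pairs]
        return all(results) if self.operator == "AND" else any(results)


@dataclass
class RuleSet:
    name: str
    applies_to: Callable[[dict], bool] = lambda user: True   # All Users unless overridden
    access: str = "Conditional"           # "Allowed" or "Conditional"
    allowed_method: Optional[str] = None  # method used when access is "Allowed"
    conditions: list[Condition] = field(default_factory=list)  # evaluated in listed order


def evaluate_recovery(rule_sets: list[RuleSet], user: dict, context: dict) -> tuple[str, Optional[str]]:
    """Return (action, method) for a recovery request.

    A rule set whose population does not include the user is skipped.  Within a
    Conditional rule set the first matching condition decides.  A request that
    matches nothing is denied here; that default is an assumption of this model.
    """
    for rs in rule_sets:
        if not rs.applies_to(user):
            continue
        if rs.access == "Allowed":
            return VERIFY, rs.allowed_method
        for cond in rs.conditions:
            if cond.matches(context):
                return cond.action, cond.method
        return DENY, None   # assumption: no matching condition means no recovery
    return DENY, None       # assumption: user outside every rule set population


# Constructed sample policy following the sales-user walkthrough and the page's
# recommendation to condition recovery on country, known browser and identity confidence.
SALES_RECOVERY = RuleSet(
    name="Sales recovery",
    applies_to=lambda u: u.get("department") == "Sales",      # Selected Users
    conditions=[
        Condition([("country", "XX")], action=DENY),           # "XX" is a placeholder
        Condition([("known_browser", True), ("identity_confidence", "High")],
                  operator="AND", action=VERIFY, method="Password + Email Verification"),
        Condition([("known_browser", False), ("identity_confidence", "Low")],
                  operator="OR", action=VERIFY,
                  method="Password + Identity Verification Providers"),
    ],
)

# A second, constructed rule set showing the Allowed access setting for everyone else.
EVERYONE_ALLOWED = RuleSet(
    name="Everyone",
    access="Allowed",
    allowed_method="Password + SMS/Voice Code",
)

POLICY = [SALES_RECOVERY, EVERYONE_ALLOWED]


if __name__ == "__main__":
    sales = {"department": "Sales"}
    ctx = {"country": "US", "known_browser": False, "identity_confidence": "High"}
    print(evaluate_recovery(POLICY, sales, ctx))
```

Rule sets are tried in list order and the first one whose population includes the user decides; the page does not describe how multiple rule sets interact, so that ordering is part of the model, not documented behaviour.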