These release notes include product updates and bug fixes.

• March 2026 - Cloud Access Service
• February 2026 - Cloud Access Service
• January 2026 - Cloud Access Service 
• December 2025 - Cloud Access Service

For additional information, see RSA Community for RSA product documentation.

For release notes before December 2025, see Release Notes Archive - Cloud Access Service and Authenticators.

March 2026 - Cloud Access Service 

Cloud Access Service Updates

The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

Granular Control for FIDO Authenticators

You can now precisely define which FIDO authenticators can be used for registration and authentication by enabling or disabling them based on various parameters. To define the FIDO authenticators, navigate to Cloud Administration Console > Access > FIDO Authentication.

Note: FIDO inline registration and registration of new U2F authenticators are no longer supported. Previously registered U2F authenticators can continue to be used for step-up authentication.

OAuth JWT Support

OAuth JWT support is now available to enhance the security of external identity source SCIM client connections to CAS. SCIM access can now be secured using OAuth-based authentication instead of legacy API keys, providing stronger protection and improved control over integrations. To configure this feature, navigate to Cloud Administration Console > Platform > API Access Management. To apply the configuration to a SCIM identity source, navigate to Cloud Administration Console > Users > Identity Sources.

Group Membership Details in All Users Report

The All Users report now includes three new columns: CAS Global Groups, Identity Source Specific Groups, and Identity Source Type. This update provides a complete, single view of user-to-group relationships, reduces reliance on multiple reports, and improves auditability and compliance. To download the CSV report, navigate to Cloud Administration Console > Users > Reports, then click Download CSV next to All Users.

API Enhancement: Additional User Identifier Support

The Cloud Administration Retrieve Device Registration Code API, Cloud Administration User Details API, and Cloud Administration Authenticator Details API Version 1 now support the username input parameter to identify the user being managed. This enhancement provides greater flexibility when integrating with systems that use usernames as the primary user identifier.

Identity Router (IDR) Portal SSO Enhancements

SAML applications available from CAS legacy IDR SSO portal now include the following security and usability improvements:

• The maximum character length for IDR SAML application names increased from 100 to 200 characters to make applications easier to identify.
• The LDAP/AD user search filter configured in each identity source can now be globally enabled in the IDR portal to exclude users from authenticating. The portal does not attempt password authentication against the identity source, preventing password strikes that could lock user accounts.
• SAML application configuration now supports attribute filters, allowing control over which user attributes are sent to each application and helping prevent over-granting of access permissions. You can configure these attribute filters on the Fulfillment tab while adding a SAML Direct application. To access this option, navigate to Cloud Administration Console > Applications > Application Catalog. 

Access Discovery on My Page

My Page is now enhanced with access discovery, providing managers and application owners with a complete view of access across all accounts, including those outside the standard Lifecycle Management process. This enhancement eliminates critical security blind spots, enables proactive risk mitigation, and ensures accountability for every entitlement, regardless of how it was provisioned. To view this enhancement, navigate to My Page > Access Control.

Third-Party Integrations from RSA Ready

The following integrations are completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

• New Integrations for ID Plus

• CrowdStrike Falcon Next-Gen SIEM (Authentication Manager Logs)
• Microsoft Sentinel Connector
• Microsoft Sentinel using Logic App
• SilverFort Bridge (SAML) 

• Updated Integrations for ID Plus

• BeyondTrust Password Safe (RADIUS)
• Palo Alto Captive Portal (SAML)
• Palo Alto Cloud Identity Engine (SAML)
• Palo Alto NGFW Global Protect (RADIUS, SAML)
• Workday (SAML)

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Fixed Issues

The following table lists the fixed issues for this release:

February 2026 - Cloud Access Service 

Cloud Access Service Updates

The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

Expanded HOTP Hardware Authenticator Support

Support for HOTP hardware authenticators now includes devices seeded with SHA-256 or SHA-512, in addition to SHA-1. This enhancement increases compatibility with a wider range of authenticator models, including Thales SafeNet eToken PASS, SafeNet OTP 111, and SafeNet OTP 112. It also provides greater flexibility when selecting and deploying hardware authentication options while maintaining a secure, seamless sign-in experience.

RSA Cloud Access Service Now Supports FIDO Discoverable Credentials

Improved Identity Router (IDR) Connectivity with MFA/ REST Agent

The TCP agent in IDR is replaced with an MFA/REST agent, moving to a standardized REST/MFA architecture. This transition simplifies support, logging, metrics, and troubleshooting, while making upgrades and agent replacement easier. Standardizing the communication protocol across components also improves consistency, resulting in a more reliable and maintainable deployment experience. To apply this update, navigate to the Cloud Administration Console > Platform > Authentication Manager, then click Configure Connection.

Note: This migration is available if you have an existing TCP connection and the Identity Router (IDR) is upgraded to 12.24.0.0.10.

Coming Soon - (March Release)

RSA MFA Agent for UNIX 9.1 (Formerly RSA MFA Agent for PAM)

The RSA MFA Agent for PAM is now renamed RSA MFA Agent for UNIX to align with the naming conventions used across other RSA agents, such as RSA MFA Agent for Windows and RSA MFA Agent for macOS. This update improves consistency across platforms, making it easier to identify, deploy, and manage RSA MFA agents in various operating system environments.

The RSA MFA Agent for UNIX 9.1 includes the following features (Linux OS only):

• A consistent, secure, and simplified passwordless sign-in experience using one-time passwords (OTP) and emergency access codes.
• Passwordless authentication using mobile passkeys and biometric push notifications through the RSA Authenticator app for iOS and Android, in combination with the RSA MFA Agent for UNIX.
• Support for TLS 1.3 when connecting to CAS, providing faster connections and stronger protection against modern security threats.
• Code matching mode support for both Approve and Biometric push notifications, enhancing the verification process and reducing the risk of unauthorized access.

RSA MFA Agent 2.5 for Windows

• Native offline QR code–based passwordless authentication will enable users to authenticate without network connectivity or OTP entry.
  •  This requires RSA Authenticator 4.7 for iOS and Android.
• Support for Passwordless authentication methods in Authentication Manager (AM)/CAS Hybrid mode.
  • This requires RSA Authentication Manager 8.9. 
• Configurable proximity check will strengthen passwordless authentication by adding an extra layer of security, ensuring access is granted only when the authenticator is activated near the device.
  • This requires RSA Authenticator 4.7 for iOS and Android.
• The RSA MFA Agent for Windows now supports TLS 1.3 when communicating with RSA CAS or RSA Authentication Manager, enhancing overall security.
• Users can sign in securely without passwords by using one-time password (OTP) both online and offline, streamlining the authentication experience.

RSA Authenticator 4.7 for iOS and Android

• Redesigned notification experience providing users with more consistent and clearer presentation of information.
• Improved security by requiring biometric or device password authentication when registering new Cloud credentials. 
  • This only applies to Cloud credentials, not to AM-based credentials. For further details, see Coming Soon: RSA Authenticator 4.7 for iOS and Android.
• Proximity detection and offline QR code authentication support for passwordless methods with new versions of RSA Agents, such as RSA MFA Agent 2.5 for Windows.
• Location information in notifications.

Updates to FIDO and U2F Authentication Support

As part of the ongoing process to strengthen and simplify FIDO support, RSA is making the following changes:

• Users can no longer register new FIDO Universal 2nd Factor (U2F) authenticators. Existing U2F authenticators will continue to be supported for step-up authentication. 
  •  U2F authenticators cannot be used for passwordless authentication.
• Online FIDO2 registration during login is no longer supported. FIDO2 Authenticators can now only be registered though My Page.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Fixed Issues

The following table lists the fixed issues for this release:

January 2026 - Cloud Access Service 

Cloud Access Service Updates

The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

Support for Signing Both SAML Response and Assertion in CAS

CAS now supports signing both the entire SAML response and the assertion within the response, enabling integration with protected resources that require dual-signature SAML validation. To enable this capability for My Page SSO or a relying party application, add a new application or edit an existing application in the Cloud Administration Console. In the SAML Response Protection section, select IdP signs entire SAML response and assertion within response.

FIDO Registration API Transaction ID Support

The FIDO Registration API now includes a Transaction ID, which is also captured in the corresponding user audit events. This enhancement improves visibility and traceability of FIDO registration activities. To view the Transaction ID in user audit logs, go to Cloud Administration Console > Users > User Event Monitor.

Identity Router REST API Configuration Network Zone Enhancements

You can now configure the Identity Router REST API in CAS with updated network zone settings, giving you more flexibility, consistency, and future-ready policy and configuration management. To select a network zone, go to Cloud Administration Console > My Account > Administrators, click Add an Administrator, and select a Network Zone in the API Configuration section.

Network Zone Support in Policies

You can now configure policies using network zone, replacing the legacy Trusted Network attribute to provide enhanced security and greater control. This update streamlines policy management and future-proofs access controls by enabling seamless migration and deprecation of outdated attributes. To set the Network Zone attribute, go to the Cloud Administration Console, create a new policy or edit an existing one, and in the Rule Sets section, choose Network Zone attribute from the Authentication Condition list. 

RADIUS Clients Report Now on RADIUS Page

The RADIUS Clients Report is now available on the RADIUS page, providing you with improved visibility into configured RADIUS clients and simplifying monitoring and management. To download the CSV report, go to Cloud Administration Console > Authentication Clients > RADIUS.

Identity Router (IDR) 12.24.0.0.10 Now Available

The IDR 12.24.0.0.10 release is now available. We recommend that all customers upgrade to this version.

Note: The Identity Router appliance runtime has been upgraded from Java 8 to Java 11 to align with current long-term support standards and enhance security. 

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

Coming Soon 

RSA Authenticator 4.7 for iOS and Android (January-February)

• Redesigned notification experience providing users with more consistent and clearer presentation of information.
• Improved security by requiring biometric or device password authentication when registering new Cloud credentials.
  • This only applies to Cloud credentials, not to Authentication Manager (AM)-based credentials. For further details, see : https://community.rsa.com/s/article/Coming-Soon-RSA-Authenticator-4-7-for-iOS-and-Android.
• FIPS 140-3 certified cryptographic modules
• Proximity detection and offline QR code authentication support for passwordless methods with forthcoming versions of RSA Agents.

RSA Authentication Manager V8.9 (January)

• Administrator SDK qualified with JDK 11 and JDK 17
• BSAFE 7 upgrade (FIPS 140-3 certified)
• RSA Agent passwordless authentication methods support when deployed in AM /CAS hybrid mode

RSA MFA Agent V2.1 for macOS (January)

• Passwordless authentication methods are supported in AM/CAS hybrid mode through the RSA MFA Agent for macOS, enabling seamless passwordless authentication across hybrid deployments. 
  • This requires RSA Authenticator V4.7 for iOS and Android.
• Support for FIDO2 security keys is now available.
  • Users can now use FIDO2 security keys for passwordless authentication.

RSA MFA Agent V2.5 for Windows (February)

• Native offline QR code–based passwordless authentication will enable users to authenticate without network connectivity or OTP entry; this will require RSA Authenticator v4.7 for iOS and Android.
• Passwordless authentication methods will be supported in AM/CAS Hybrid Mode via the RSA MFA Agent for Windows, enabling seamless passwordless authentication across hybrid deployments.
  • This will require RSA Authentication Manager 8.9.
• Configurable proximity checks will strengthen passwordless authentication by adding an extra layer of security, ensuring access is granted only when the authenticator is activated near the device.
  • This will require RSA Authenticator v4.7 for iOS and Android.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Fixed Issue

The following table lists the fixed issue for this release: 

Known Issue

The following table lists the known issue in this release:

December 2025 - Cloud Access Service

Cloud Access Service Updates

The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

Improved Search in User Management

The User Management page in the Cloud Administration Console now includes enhanced search capabilities. You can search for users by first name, last name, or a combination of both, even when the user’s email address does not contain personally identifiable information (PII). You can also search using Mobile Lock ID for greater flexibility. These improvements provide a more efficient and accurate search experience, making it easier to find and manage user accounts across the system. To access the User Management page, go to Cloud Administration Console > Users > Management.

Enhanced User Interface for Bulk User Maintenance

The Bulk User Maintenance page now features a modern, more intuitive interface that provides a faster, more responsive, and consistent administrative experience.. This update streamlines navigation, improves usability, and ensures smoother interactions across all bulk user operations, enabling you to manage large user sets more efficiently and with greater confidence. To access the Bulk User Maintenance page, go to Cloud Administration Console > Users > Bulk User Maintenance.

Enhanced Role Management in My Page Access Control

The Access Control screen in My Page is enhanced to give application owners and managers greater control over role assignments. Application owners and managers can now use the Access Control tab in My Page to manage role assignments more effectively, enabling more efficient management of user access and ensuring that role assignments remain accurate and up to date. To access the Modify User Role screen, go to My Page > Access Control.

Governance & Lifecycle Connection to CAS

Governance & Lifecycle Connection to CAS is now available with an easy, wizard-based setup that streamlines configuration and enhances information sharing to strengthen your identity posture management. The Cloud Administration Console now includes a Governance & Lifecycle page under the Platform menu, providing the Registration Code and Registration URL to integrate with CAS.

New FIDO Management API Client Type

The API Client now includes a new FIDO Management API client type in the Client Type dropdown, enabling more flexible, service-driven authenticator enrollment workflows. The FIDO Management API assumes the caller has already validated the user, allowing you to register a user’s authenticator without requiring an active end-user session. This capability supports call-center and bulk issuance flows, automated enrollment processes, and help-desk–initiated actions. With this enhancement, you can trigger authenticator enrollments directly from your help desk or automation tools, streamline onboarding and recovery, and maintain user productivity during incidents or migrations. In the Cloud Administration Console, you can add the "FIDO Management API" client type via Platform > API Access Management > Add API Client.

Coming Soon - Deprecation of TCP Connection Between CAS and AM

RSA announces the upcoming deprecation of the TCP Agent connection between CAS and AM. If your environment is configured to connect to AM through Cloud Administration Console > Platform > Authentication Manager > Connection to Authentication Manager, you will need to update your configuration after the upcoming IDR release. This integration will transition to the Authentication Manager REST Agent, replacing the existing TCP Agent connection. At this time, no immediate action is required. Detailed instructions and timelines will be shared prior to the deprecation to guide you through the transition and ensure uninterrupted connectivity between CAS and AM.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Fixed Issue

The following table lists the fixed issue for this release: 

Known Issue

The following table lists the known issue in this release: