August 2020 - Cloud Authentication Service (Identity Router)

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule. Note that starting in August 2020, identity router updates will be released independently from Cloud Authentication Service updates.

Date	Description
8/25/2020	Updated identity router software is available to all customers.
9/26/2020 (EMEA, ANZ) 10/3/2020 (US)	Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
10/31/2020	If you postponed the default date, this is the last day when updates can be performed.

The new identity router software versions are:

Deployment Type	Version
On-premises	2.10.0.0.5
Amazon Cloud	RSA_Identity_Router 2.10.0.0.6

Android and iOS Users Must Upgrade SecurID Authenticate 2.x App the Latest Version by October 12, 2020

We are continually enhancing SecurID by adding new features and keeping up-to-date with security best practices. To keep up with these changes, users with SecurID Authenticate 2.x for Android or iOS must upgrade to the latest version available in the Apple App and Google Play stores by October 12, 2020. After this date, 2.x users will not be able to authenticate. SecurID strongly recommends that you upgrade users as soon as possible to avoid any interruptions or downtime. For more information, see this advisory.

Integrate FIDO Authentication Using Cloud Administration API

The RSA Cloud Administration APIs now include support for FIDO. Customers and RSA Ready technology partners can enable their commercial and custom applications to enroll FIDO Tokens leveraging these APIs in addition to using SecurID for FIDO-based authentication. For more information, see Cloud Administration FIDO Authenticator API.

Modernized SecurID Application Portal

SecurID has redesigned the SecurID Application Portal with the same modern look-and-feel that users already see in the web authentication and My Page screens. Improvements include an updated visual design, accessibility improvements and improved ability to display custom customer logos. For example:

Delete Authentication Manager Connection Information

If your Cloud Authentication Service deployment was integrated with SecurID Authentication Manager and it allows users with SecurID Tokens to access cloud-protected resources, you can now delete unused connections. Deleting prevents you from receiving unnecessary logging errors.

Note:  Use this feature only after you have updated the identity router software to version 2.10.0.0.5.

For more information, see Delete the Connection Between the Cloud Authentication Service and RSA Authentication Manager.

Fixed Issues

Fixed Issue	Description
NGX-50436	In the Cloud Administration Console, informational text and online Help for High Availability Tokencode were corrected.
NGX-48685	An identity router configured with one network interface was unable to connect to Authentication Manager after reboot unless an administrator clicked Update IDR Setup Configuration on the Identity Router Setup page. This problem has been fixed.
NGX-48520	In the Cloud Administration Console, the Last Used On field was removed from the User Management page because it did not apply to mobile devices.
NGX-47885	The browser autocomplete feature is no longer enabled for text fields on the SecurID Application Portal and the Identity Router Setup Console.
NGX-46349	Previously, disabling Identity Confidence Collection in the Cloud Administration Console on the My Account > Company Settings > Company Information page broke access policies that used the Trusted Network conditional policy attribute and were used by applications configured for single sign-on (SSO). This problem has been fixed.
NGX-44842	In the Cloud Administration Console, the user interface design and Help text have been improved to make it easier to configure user attributes when you add an identity source.
NGX-44332	The identity router can now communicate with its software update repositories over TLSv1.2.

 

SecurID Authenticate 3.3 App for Windows

SecurID Authenticate 3.3 app contains modifications that are required for future app releases. To ensure that Windows users with earlier versions have the latest product improvements, these users must upgrade the app to version 3.3 to avoid re-registration.

July 2020 - RSA MFA Agent 2.0 for Microsoft Windows

RSA MFA Agent 2.0 for Microsoft Windows leverages the Cloud Authentication Service and RSA Authentication Manager 8.5 to provide strong multifactor authentication to users signing into Windows, both online and offline. The MFA Agent provides multiple authentication options for users, along with features that improve user productivity and security during Windows sign-in. This update contains many new features, including:

• Authentication to both Cloud Authentication Service and RSA Authentication Manager 8.5. You can choose from the supported multifactor authentication options based upon your business needs.

• Offline authentication available for both RSA Authentication Manager and Cloud Authentication Service users.

• REST-based agent that addresses security and compliance needs with strong crypto algorithms.

• Enhanced load balancing and failover with additional administrative controls and new options for customizing the user sign-in experience.

For complete information on new features, see RSA MFA Agent 2.0 for Microsoft Windows Release Notes.

RSA also offers an MFA Agent for the macOS. For complete documentation, see RSA MFA Agent 1.0 for macOS.

July 2020 - SecurID Authenticate App for Android

RSA Authenticate 3.6 for Android app now supports face recognition. Devices must meet the Android security specifications and have a strong rating to allow use of Biometric authentication (face recognition and fingerprint) within the Authenticate app. For example, the Pixel 4 device supports strong facial recognition technology. See https://source.android.com/security/biometric/measure for more information. Users should check with their device vendors to confirm if their devices are compatible.

This release also contains miscellaneous bug fixes and improvements.

July 2020 - Cloud Authentication Service

New API Provides License and Usage Information

RSA is providing a new API to help you integrate your existing tools and gain visibility into your company’s license and usage information, which is important for planning and budgeting your future license upgrades. The Cloud Administration Retrieve License Usage API allows administrators to access the number of MFA licenses used, the number of users with third-party FIDO authenticators, and the total number of SMS and Voice Tokencodes sent for the current month. You can use this data for external trending analysis. For more information, see Cloud Administration Retrieve License Usage API.

Fixed Issues

Fixed Issue	Description
NGX-48522	Under certain circumstances, users who authenticated through a relying party had to press the tab key twice in order to move the cursor to the password field. This problem has been fixed.
NGX-47434	The documentation has been updated to indicate that users who sign in to My Page are automatically synchronized to the Cloud Authentication Service. For details, see the "Just-in-Time Synchronization" section on the Identity Sources for the Cloud Authentication Service.
NGX-44932	Previously, there was no way to delete a certificate chain from the Company Settings > Company Information page. Now you can click Delete to delete the certificate chain.

June 29, 2020 - SecurID Authenticate App for iOS and Android

RSA Authenticate 3.5 app for iOS and Android contains miscellaneous fixes and improvements. On Android devices, this update is qualified with Android OS 6.x and later.

Authenticate Key Technical Preview

The app includes Authenticate Key, a FIDO-based authenticator that can be used for primary and additional authentication. This is a Technical Preview feature that is disabled by default. If you are interested in enabling this feature, contact RSA.

Fixed Issues

Fixed Issue	Description
NGX-40499	The copyright for the Authenticate app has been updated to 2020.
NGX-40276	Removing PIN protection from the iOS app in a registered device with multiple PIN protected accounts no longer causes other PIN-protected accounts to re-lock immediately after authentication.
NGX-44181	An Android device that had not been jailbroken incorrectly displayed a noncompliance message. This problem has been fixed.

Known Issue

Known Issue	Description
NGX-48898	Problem: When users install the iOS app, a message indicates that Bluetooth must be turned on to use Authenticate Key. Workaround: Users who do not plan to use Authenticate Key should ignore this message.

June 2020 Cloud Authentication Service

The June 2020 release includes the following features and benefits.

More Value for Enterprise and Premium Editions with YubiKey for RSA SecurID Access

Customers with RSA SecurID Access Enterprise or Premium Edition can now use YubiKey for RSA and other third-party FIDO authenticators without purchasing additional licenses. Previously, these customers had to purchase a separate MFA license for each user to use these authenticators. FIDO authenticators provide a positive user experience and help prevent man-in-the-middle and phishing attacks for FIDO-enabled authentication use cases.

RSA Authentication API Supports FIDO/FIDO2

The RSA Authentication API now supports FIDO/FIDO2 for authentication. Along with other RSA-supported MFA options, customers and RSA Ready technology partners can enable commercial and custom applications to use RSA for FIDO authentication. For more information, see RSA Authentication API Developer's Guide.

Easy Access to License and Usage Information

Customers can now easily access their current Cloud Authentication Service license and usage information in the Cloud Administration Console for compliance and operational needs. For more information, see Cloud Administration Console Dashboard.

Fixed Issues

Fixed Issue	Description
NGX-47287	Certain client applications (for example, MS Office applications) that used older JavaScript engines displayed a script error during authentication. This issue has been resolved.
NGX-45622	When entering Authenticate Tokencode during authentication, RADIUS client users who enter a space after four digits (as displayed in the RSA SecurID Authenticate app) are now able to successfully authenticate.
NGX-44853	The documentation now explains that when you upload a company logo to My Page, that logo can also be used for the relying party sign-in page and on additional authentication screens presented to users. See Using Custom Settings in Your Cloud Authentication Service Deployment.

May 2020 - Cloud Authentication Service

The May 2020 release includes the following features and benefits.

Allow Emergency Tokencode to replace FIDO when FIDO is used for Primary Authentication

Users can use Emergency Tokencode to sign in when they misplace or lose their FIDO authenticator. Emergency Tokencode allows them to access SaaS and web applications that are protected using FIDO as a primary authentication method. For more information, see the "FIDO" section on Authentication Methods for Cloud Authentication Service Users.

Securing the Password Reset Process for Administrators

Securely resetting Cloud Administration Console passwords is even better. Now, password resets must be completed within two hours of requesting the password reset link.

Fixed Issues

Fixed Issue	Description
NGX-45653	Previously, the User Event Monitor email autocomplete did not show events for users with apostrophes in their email addresses, forcing users to enter the full email address with apostrophes in the filter box in order to see events. This problem has been fixed.
NGX-45485	When just-in-time synchronization was enabled, users who attempted to authenticate during an automatic or manual identity source synchronization might become disabled when they should have remained enabled. This problem no longer occurs.
NGX-22987	Microsoft Azure Active Directory provided the email address instead of the UPN in authentication requests for guest users. This problem has been fixed. Now the Cloud Authentication Service takes the user identity from the email address if the UPN is omitted.

Known Issue

Known Issue	Description
NGX-45622	Problem: When entering Authenticate Tokencode during authentication, RADIUS client users who enter a space after four digits (as displayed in the RSA SecurID Authenticate app) are unable to successfully authenticate. Workaround: Do not enter the space during authentication.

April 2020 - Cloud Authentication Service (Identity Router)

The April 2020 release includes the following features and benefits.

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule.

Date	Description
April 28, 2020	Updated identity router software is available to all customers.
July 11, 2020 (ANZ) July 25, 2020 (EMEA, US)	Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
August 15, 2020	If you postponed the default date, this is the last day when updates can be performed.

The new identity router software versions are:

Deployment Type	Version
On-premises	2.9.0.0.4
Amazon Cloud	RSA_Identity_Router 2.9.0.0

Enterprise Edition Supports Additional Conditional Access Policy Attributes

Most access policy attributes that were previously available only to customers with Premium Edition are now available to all customers with Enterprise Edition. This feature provides Enterprise customers with greater flexibility in defining conditional access policies. For example, you can enforce different authentication requirements for trusted and untrusted locations. For the list of available attributes, see SecurID Access Editions.

Support for Threat-Aware Authentication Extended in Cloud Administration API

RSA SecurID Access Threat Aware Authentication now supports additional customer scenarios in the Cloud Administration of High-Risk User API version 2. You can now manage high-risk users based on Primary Username and Alternate Username. See Cloud Administration Retrieve High-Risk User List API Version 2.

Note:  Primary Username temporarily still appears as RSA SecurID Access Username in the Cloud Administration Console.

Data Collection for Identity Confidence and Location Can Be Disabled from the Cloud Administration Console

Data collection for identity confidence and location can now be disabled and re-enabled from the Cloud Administration Console. For more information, see Configure Company Information and Certificates and Condition Attributes for Access Policies.

Action Required If Identity Confidence Data Collection is Already Disabled for Your Deployment

If you previously disabled identity confidence data collection on the identity router with the assistance of RSA Customer Support, you must now use the Cloud Administration Console to disable this function. After you update your identity router software to the 2.9.0.0.4 version, data collection will be automatically enabled. To disable data collection, open the Cloud Administration Console and click My Account > Company Settings. In the Identity Confidence Collection field, click Disabled.

Editable Preconfigured Access Policies

All of the preconfigured access policies provided with can now be edited for immediate customization. See Preconfigured Access Policies.

Delete a User Immediately Using New Cloud Administration API

Use the Cloud Administration Delete User Now API to delete a single disabled user from the Cloud Authentication Service and immediately remove all information and devices associated with the user. See Cloud Administration Delete User Now API.

Permissions List Available for SecurID Authenticate and RSA SecurID Software Token Apps

You can download a list of all permissions associated with using the RSA SecurID Authenticate and RSA SecurID Software Token apps. Use this document to inform your users which permissions are optional and which are required. See RSA SecurID Authenticate and RSA SecurID Software Token App Permissions.

Additional Improvements

The April 2020 release contains the following additional improvements and changes:

• Six new videos demonstrate how to configure the Cloud Authentication Service. See Cloud Authentication Service Videos.

• All references to FIDO Token have been changed to FIDO in the documentation and user interface.

Fixed Issues

Fixed Issue	Description
NGX-41625	Google will slowly roll out a change to the cookie behavior in Google Chrome version 80 or later. This changed cookie behavior does not affect most RSA users. However, there is a possibility that users who have version 80 and authenticate to the RSA SecurID Access Application Portal might experience step-up authentication failure if the authentication session is longer than two minutes. This problem has been fixed. For more information, see Immediate Action Recommended for Certain SSO Agent Deployments to Handle Google Chrome 80 Changes.
NGX-43410	Publishing configuration changes sometimes failed if the identity router was processing a RADIUS authentication request during the publish. This problem no longer occurs. RSA recommends publishing during off-peak hours when there is less authentication traffic.
NGX-42825	A customer's identity router registration failed at the final step "Checking for connection for authentication and product maintenance." This problem has been fixed.
NGX-42179	On the identity router, some HTTP pages included unnecessary technical information. This problem no longer occurs.
NGX-41473	Email notifications configured in the Cloud Administration Console were being sent from a RSA account on behalf of emails domains that are unconfigured for this account. As a result, the notifications were blocked by SPAM filters. This problem has been fixed. The From email address has been changed to noreply@securid.com.
NGX-41467	When using change password functionality with a custom portal, the customer now receives the response in JSON format.
NGX-16781	Identity router problems occurred when the same resource was configured for multiple services. For example, if the DNS server was also the gateway, or if the DNS server and identity source used the same IP address. This problem has been fixed.
NGX-36432	The Identity Router Setup Console was incorrectly loaded in certain rare situations when unable to resolve the host name within the specified time. This problem has been fixed.
NGX-39900 NGX-41634 NGX-39859 NGX-39846 NGX-39088 NGX-39077 NGX-39081	Miscellaneous security vulnerabilities were fixed.

April 27, 2020 - RSA Security Key Utility Improvements

The RSA Security Key Utility version 1.1 has been updated to include:

• Performance improvements.

• User interface localized in Chinese, Portuguese, Japanese, French, Spanish, and German.

• Documentation updates.

For downloads, see RSA Security Key Utility. For upgrade instructions, see Using RSA Security Key Utility.

March 2020 - Cloud Authentication Service

Update Your IP Addresses to Connect to the Cloud Authentication Service

RSA is not releasing new features in March 2020. Instead, be reminded that you must update your firewall to allow your identity routers and user web browsers to connect to new IP addresses for the Cloud Authentication Service and Cloud Administration Console. These changes are required by our Cloud service provider. To prevent service disruption, your network must be able to connect to both the existing and new IP addresses by the following dates.

Region	New IP Addresses
ANZ	20.37.53.30, 20.39.99.202	Completed on March 20, 2020
EMEA	51.105.164.237, 52.155.160.141	Friday, April 3, 5:00 PM EDT
US	52.188.41.46, 52.160.192.135	Saturday, April 11

These dates and IP addresses are also published here.

It is important to know:

• During the maintenance window for this upgrade, authentication services will continue, but you may lose audit data and new device registrations. For example, lost data may include browsers that were "remembered" during maintenance and user actions on My Page. Users who register devices during this time must re-register.

• No configuration changes are required within the Cloud Authentication Service. If your firewall rules limit outgoing IP traffic, then you need to work with your IT team to add or whitelist the new IP addresses. If your firewall rules do not limit outgoing IP traffic, then you do not need to take additional action at this time.

For instructions on checking the status of your Cloud connections, see View Identity Router Status in the Cloud Administration Console. If you use any third-party tools, such as Pingdom, to monitor your deployment, you might want to temporarily disable alerts during the migration.

March 19, 2020 - SecurID Authenticate for Android

RSA SecurID Authenticate 3.3 for Android includes enhanced compliance checks to ensure the device is not rooted before allowing use of the app. The app previously checked for compliance during registration. The app now checks for compliance whenever users open the app (for example, to complete registration or an authentication request) and in interactive notifications for Approve. If the Authenticate app detects that a device is rooted, the app displays a "Device Not Compliant" message and prevents use of the app.

If your users are using rooted devices, instruct your users to unroot their devices, re-install the RSA SecurID Authenticate app (if necessary), and complete registration again with the app.

March 9, 2020 - RSA Security Key Utility

RSA announces the release of RSA Security Key Utility, a Windows utility that you deploy on users' Windows machines to manage user verification for FIDO2-certified security keys. Users can use the utility to manage a PIN for the security key or reset the key.

RSA Security Key Utility works with any FIDO2-certified USB security key. For system requirements, installation instructions, and more, see Using RSA Security Key Utility.

You can provide the following video to your users to demonstrate how to create and reset a PIN using the utility. The video is also available in the user help:

 

Return to Release Notes Archive - Cloud Authentication Service and Authenticators.