Authentication Methods for Cloud Access Service Users

An authentication method is an action performed by the users to prove their identity. This topic describes the methods used for multi-factor authentication (MFA) that you can make available to users who are in identity sources that are configured for Cloud Access Service (CAS).

Authentication Manager Integration

You can expand the number of resources you protect and the authentication options you make available to users by integrating Authentication Manager with the CAS. For more information, see the following pages:

Authentication Methods

The following table lists the authentication methods supported by RSA and the environments in which each method is supported. Column key:

  Cloud    = accessing resources protected by CAS (cloud only)
  On-prem  = accessing resources protected by Authentication Manager (on premise)
  Hybrid   = accessing resources protected by Authentication Manager connected to CAS

  Authentication Method      Cloud   On-prem   Hybrid
  FIDO                       Yes     No        Only in Windows Agent
  LDAP Directory Password    Yes     No        No
  QR Code                    Yes     No        No
  Biometrics                 Yes     No        Yes
  Push Notifications         Yes     No        Yes
  Authenticate OTP           Yes     No        Yes
  SecurID OTP                Yes     Yes       Yes
  SMS OTP                    Yes     No        Yes
  Voice OTP                  Yes     No        Yes
  Emergency Access Code      Yes     Yes       Yes
  OATH OTP                   Yes     No        No

Note:  Authentication Manager supports LDAP Password from version 8.8, when authentications are performed using RADIUS clients. SMS and Voice OTP are not supported by Authentication Manager (On Premise). However, it supports On-Demand Authentication (ODA) using SMS OTP and Email OTP.

FIDO

CAS is a FIDO2 Certified Server.

RSA generally supports FIDO authentication for both primary and additional authentication.

For further information, refer to Getting Started with FIDO.

LDAP Directory Password

The LDAP directory password is used for primary authentication and to register devices. LDAP directory passwords are managed within the LDAP directory server. User records are synchronized from the LDAP directory server to identity sources in RSA. CAS must be able to reach your on-premise identity source for authentication to succeed.

If multiple servers are configured in the same cluster in the identity source, the identity router will select and connect to one server in a round robin method. If any directory server is down, the identity router will remove it from the connection pool. The remaining active servers will continue to service the LDAP requests. The identity router does not differentiate between primary and replica servers.
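As an added illustration (not the identity router's own code), the following Python models the behaviour described above: servers in one identity-source cluster are selected round robin, a server that fails to answer is dropped from the pool, and the remaining servers keep serving requests with no distinction between primary and replica. The server names and the `connect` callback are constructed for the example; how a recovered server rejoins the pool is not described on this page and is left out.

```python
class RoundRobinPool:
    """Connection pool over the directory servers of one identity-source cluster.

    Constructed model of the behaviour described in the text, not the identity router's code.
    Primary and replica servers are treated alike, as the text states.
    """

    def __init__(self, servers):
        self._active = list(servers)
        self._index = 0

    def next_server(self):
        """Return the next server in rotation."""
        if not self._active:
            raise RuntimeError("no active directory servers in the pool")
        server = self._active[self._index % len(self._active)]
        self._index = (self._index + 1) % len(self._active)
        return server

    def mark_down(self, server):
        """Drop a server that did not answer; rotation continues with the server that followed it."""
        if server not in self._active:
            return
        position = self._active.index(server)
        self._active.remove(server)
        self._index = position % len(self._active) if self._active else 0

    def active(self):
        return list(self._active)


def bind(pool, connect):
    """Attempt an LDAP bind, trying each active server at most once and removing those that are down."""
    for _ in range(len(pool.active())):
        server = pool.next_server()
        try:
            return connect(server)
        except ConnectionError:
            pool.mark_down(server)
    raise RuntimeError("all directory servers unreachable")


def simulate_failover(servers, down):
    """Constructed scenario: every server named in `down` refuses connections.

    Returns the bind result and the servers still in the pool afterwards.
    """
    pool = RoundRobinPool(servers)

    def connect(server):
        if server in down:
            raise ConnectionError(f"{server} unreachable")
        return f"bound:{server}"

    return bind(pool, connect), pool.active()


if __name__ == "__main__":
    print(simulate_failover(["ldap1", "ldap2", "ldap3"], {"ldap1"}))
```

The point to notice for monitoring is the last branch of `bind`: once every server has been removed, authentication for that identity source fails outright, so the pool emptying is the condition worth alerting on.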

QR Code

When QR code is used as an authentication method, a QR code is displayed in the authentication interface. Users scan it with the Authenticator App (or directly with the camera app on their device) and then tap Allow to approve the sign-in request.

The QR Code method is offered in the authentication interface when a user attempts to access an application, provided an administrator has enabled it. Users must respond within one minute; otherwise, the method times out and the attempt is treated as a failed authentication.

Biometrics

RSA sends a notification to the user's app and prompts the user to authenticate with a biometric option available on the device, such as fingerprint, Face ID (iOS), or face recognition (Android). Biometrics must already be set up on the user's device.

If their devices do not support biometrics, this method will not be available.

Push Notifications

When Push Notifications are used, the user attempting to sign in to an application receives a push notification on the registered device or on an iOS/Android wearable paired with that device. Depending on configuration, the user can approve the notification from the watch or from the device and may have to provide further information, such as Code Matching information or biometrics. The user must respond within one minute; otherwise the authentication method times out and fails.

If Code Matching has been enabled, users need to use a code to approve the notification. Based on the method configured, users can approve the push notification in one of the following ways:

  • Visual: Confirm the code shown on the screen and tap Approve.

  • Input: Enter the code shown on the screen and tap Approve.

  • Selection: Select the code that matches the code shown on the screen and tap Approve.

Authenticate OTP

Similar to SecurID OTPs, Authenticate OTP employs a one-time, randomly generated number called an OTP. This OTP is generated on a software authenticator. The OTP, which is verified by CAS, is time-based and must be used before it expires. These OTPs are valid for up to five minutes after they are generated and displayed on a user's device. The user is enrolled for this method automatically after device registration.

Protect Access to Authenticate OTP

You can require users to provide additional authentication to view the Authenticate OTP. This setting takes effect 24 hours after it is enabled or after the user restarts the app. The user must tap or click View OTP on the app home screen and authenticate before viewing the OTP.

The first time the user taps or clicks View OTP, the app prompts the user to create a PIN that is only used for viewing the Authenticate OTP. The PIN must be numeric, contain 4-10 digits, and cannot contain repeating or consecutive numbers, such as 1111 or 1234. You can configure the minimum PIN length. For instructions, see Configure Session and Authentication Method Settings.

The PIN applies to all Authenticate OTP credentials in the Authenticator App. If a user has credentials from several companies in the app, the user's minimum PIN length is the longest minimum PIN length configured by any of those companies.

On iOS and Android, if the user has set up biometrics, the app prompts the user to authenticate with a biometric (for example, fingerprint or Face ID) instead of using a PIN. The user can also choose to skip or cancel biometrics and enter the PIN. If the user fails biometrics or has not set up biometrics, then the app prompts the user to enter the PIN.

On Windows, the app prompts the user to authenticate with the PIN.

If the user enters an incorrect PIN five times, the PIN is locked and the user must reset the PIN. To reset the PIN, users must do the following:

  • On iOS or Android, the app prompts the user for device unlock credentials, such as a passcode. The user must set up device unlock credentials to reset the PIN.

  • On Windows, the app prompts the user to delete all credentials that require authentication to view the OTP and then re-register those companies.

The user can authenticate to view the OTP with an online or offline device. However, if the user needs to reset the PIN on a Windows device, the user must be online. The user can reset the PIN online or offline on iOS or Android devices.
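The PIN rules above (numeric, 4 to 10 digits, no repeated or consecutive digits, a configurable minimum length that is the longest minimum across a user's companies) and the lockout after five incorrect entries are easy to get subtly wrong, so here is an added Python model of them. It is not the Authenticator App's code. How "repeating" and "consecutive" are evaluated is an assumption: a single digit repeated throughout (1111) and a straight run of adjacent digits in either direction (1234, 4321). PBKDF2 storage of the PIN and the `device_unlocked` flag standing in for the platform's device-unlock prompt are likewise the example's own choices.

```python
import hashlib
import hmac
import secrets

ABSOLUTE_MIN_PIN_LENGTH = 4
MAX_PIN_LENGTH = 10
MAX_FAILED_ATTEMPTS = 5


def effective_min_length(company_minimums):
    """With credentials from several companies in the app, the longest configured minimum wins."""
    return max([ABSOLUTE_MIN_PIN_LENGTH, *company_minimums])


def validate_pin(pin, min_length=ABSOLUTE_MIN_PIN_LENGTH):
    """Return None if the PIN is acceptable, otherwise the reason it is rejected.

    Assumed reading of the rule: 'repeating' means one digit repeated throughout (1111),
    'consecutive' means a straight run of adjacent digits up or down (1234, 4321).
    """
    if not (pin.isascii() and pin.isdigit()):
        return "PIN must contain digits only"
    if not min_length <= len(pin) <= MAX_PIN_LENGTH:
        return f"PIN must be {min_length}-{MAX_PIN_LENGTH} digits"
    digits = [int(ch) for ch in pin]
    if len(set(digits)) == 1:
        return "PIN cannot be a single repeated digit"
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps == {1} or steps == {-1}:
        return "PIN cannot be a consecutive sequence"
    return None


class ViewOtpPin:
    """PIN gate in front of View OTP: hashed at rest, locked after five wrong entries."""

    def __init__(self, pin, min_length=ABSOLUTE_MIN_PIN_LENGTH):
        self._set_pin(pin, min_length)

    def _set_pin(self, pin, min_length):
        problem = validate_pin(pin, min_length)
        if problem:
            raise ValueError(problem)
        self._salt = secrets.token_bytes(16)
        self._hash = self._digest(pin)
        self.failed_attempts = 0
        self.locked = False

    def _digest(self, pin):
        # Salted PBKDF2 so the stored value is not a bare 4-10 digit secret.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def check(self, pin):
        """True only for the correct PIN on an unlocked credential; five misses lock it."""
        if self.locked:
            return False
        if hmac.compare_digest(self._digest(pin), self._hash):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True   # only a reset clears this
        return False

    def reset(self, new_pin, device_unlocked, min_length=ABSOLUTE_MIN_PIN_LENGTH):
        """Reset after lockout. `device_unlocked` stands in for the platform's device-unlock step (assumption)."""
        if not device_unlocked:
            raise PermissionError("device unlock credentials are required to reset the PIN")
        self._set_pin(new_pin, min_length)
```

Note that `check` does not distinguish "locked" from "wrong PIN" in its return value; the app can show a lockout message, but the gate itself should fail closed either way.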

Integrated Deployments

If your company has deployed both CAS and AM, you can integrate the two products so that users can authenticate with authentication methods from both services on the same RSA Authentication Agent.

SecurID OTP

SecurID OTPs employ a one-time, randomly generated number called a one-time password (OTP) that is generated on a hardware or software authenticator. A Personal Identification Number (PIN) is often required. The OTP is time-based and must be used before it expires. These OTPs can be used to access protected resources.

Supported hardware authenticators and software authenticators can be assigned and managed in AM. SecurID 700 hardware authenticators can be assigned and managed in CAS.

Server   Description

AM       Hardware and software authenticators that are managed and validated in AM can be used to access resources protected by AM or CAS (with integration). Use the Security Console to manage these authenticators.

         Note:  SecurID OTPs that are managed in Authentication Manager can be used for primary authentication to access My Page, or to access the resources protected by the CAS in Relying Party (Service Provider) deployments. SecurID OTPs can also be used for primary authentication with the SecurID Authentication API, including some RSA products, and custom implementations that use the API.

         See SecurID Tokens.

CAS      If your company does not have AM, you can use the Cloud Administration Console to deploy SecurID 700 hardware authenticators to users to access resources protected by CAS. These authenticators are validated by CAS. See RSA Hardware Authenticators.

Using SecurID 700 Hardware Authenticators for Offline Authentication

SecurID 700 hardware authenticators that are managed in the Cloud Administration Console can be used for offline authentication if your company deploys the MFA Agent for Microsoft Windows version 2.1.1 or later, or the MFA Agent for macOS version 1.3 or later, to users' computers. Users must complete this process to enable offline authentication:

  1. User registers or activates the SecurID 700 hardware authenticator with CAS and sets a PIN.

  2. User successfully uses the authenticator for online authentication. (The user's computer can access the internet or company network.)

  3. The MFA Agent downloads day files to the user's computer. The default is 15 files but this number can be configured on the Agent. These files contain the necessary information for offline authentication.

  4. User can now authenticate offline, using the same PIN plus OTP, without access to the internet or company network.

The authentication methods available for offline authentication depend on which authentication method the user last completed successfully while online. For example, if the user last authenticated with a SecurID 700 hardware authenticator, that method will be available offline. If the user last authenticated with a method other than a SecurID 700 hardware authenticator, Authenticate OTP will be available offline.

SMS OTP

SMS OTP is a six-digit code that RSA sends to the user's phone in an SMS message when the user attempts to access an application. The OTP, which is verified by CAS, is time-based and must be used within three minutes of being sent; after that it expires. If it expires or the user does not receive it, the user can click Resend OTP. This method does not require device registration using the RSA Authenticator App.

When planning your available authentication methods, consider making SMS OTP available for emergency access when the user cannot use other methods, for example, when users are unable to register an authenticator or have lost their registered authenticators.

Users can use SMS OTP if these criteria are met:

  • You have purchased the optional service from RSA that this method requires.

  • Users' required identity source information is synchronized with CAS (similar to other authentication methods).

  • A valid mobile phone number is stored for the user in CAS. The phone number can be synchronized from the LDAP directory server or entered manually by the administrator.

For details on how SMS phone numbers are handled during identity source synchronization, see the "Phone Number Synchronization for SMS and Voice OTPs" section in Identity Sources for Cloud Access Service.

Voice OTP

Voice OTP is a six-digit code that RSA provides by calling the user's phone when the user attempts to access an application. The OTP, which is verified by CAS, is time-based and must be used within three minutes of being sent; after that it expires. If it expires or the user does not receive it, the user can click Resend OTP. This method does not require a mobile device.

When planning your available authentication methods, consider making Voice OTP available for emergency access when the user cannot use other methods, for example, when users are unable to register an authenticator or have lost their registered authenticators.

Users can use Voice OTP if these criteria are met:

  • You have purchased the optional service from RSA that this method requires.

  • Users' required identity source information is synchronized with CAS (similar to other authentication methods).

  • A valid phone number (landline or mobile) is stored for the user in CAS. The phone number can be synchronized from the LDAP directory server or entered manually by the administrator.

For details on how Voice OTP phone numbers are handled during identity source synchronization, see the "Phone Number Synchronization for SMS and Voice OTPs" section in Identity Sources for Cloud Access Service.

Emergency Access Code

Emergency Access Code is for users who forgot or misplaced their registered authenticators.

If the Enable offline Emergency Access Code option (My Account > Company Settings > Sessions & Authentication) is enabled and the user has downloaded the offline files, a 12-character alphanumeric code is generated that works for both online and offline use.

If that option is not enabled, or the user has not downloaded the offline files, an 8-character alphanumeric code is generated for online use only.

For detailed information, see:

Emergency Access Code for Online Access

When to Use Emergency Access Code for Online Access

If the user is able to sign in to the company network without the registered authenticator, you can give the user an Emergency Access Code to access resources protected by CAS.

Configuration Prerequisites

For primary authentication, Emergency Access Code can be used as a replacement for the FIDO authentication method in relying parties. You select a box to allow this replacement when configuring primary authentication for the relying party. See Add a Service Provider.

Similar to other RSA additional authentication methods, Emergency Access Code must be configured and published in your assurance levels and access policies before it can be used for online additional authentication.

Note:  RSA recommends that you avoid adding Emergency Access Code to the High assurance level. Doing so will make Emergency Access Code available to your most sensitive applications.

User Experience for Online Access

  1. The user calls the Help Desk.

  2. The Help Desk Administrator finds the user on the Users > Management page in the Cloud Administration Console and generates an Emergency Access Code. Emergency Access Codes can be configured for either single or multiple uses. If a code is generated for one-time use, it will expire immediately after a successful sign-in. Otherwise, the code remains valid until it expires. You can set the expiration time from 1 minute to 7 days.

    Additionally, Super Administrators can set the default for Online Emergency Access Codes to single use for all users by enabling the Online Emergency Access One-Time Use setting, available under My Account > Company Settings > Sessions & Authentication. However, Help Desk Administrators can override this setting on the User Management page.

    If offline Emergency Access Code is enabled for your company, the same OTP is generated for online and offline access.

  3. The Help Desk Administrator securely delivers the OTP to the user immediately and instructs the user to select Emergency Access Code from the list of available options during the next authentication.

  4. The next time the user is online and attempts to access the protected resource, the user selects Emergency Access Code and then enters the OTP.

    If a user types the OTP incorrectly, the number of allowed retries is configured in the Cloud Administration Console on the My Account > Company Settings > Session & Authentication page.

Lifetime for Online Access

After a user selects Emergency Access Code one time during authentication, Emergency Access Code becomes the user's default method until one of the following events occurs:

  • The OTP expires, either immediately after use or when the set expiry duration is reached. You can set the expiration duration, from 1 minute to 7 days, on the Users > Management page. For instructions, see the "Provide an Emergency Access Code to a User" section in Manage Users for Cloud Access Service.

  • An administrator disables the OTP on the Users > Management page.

  • The user selects a different option during authentication, and that option becomes the new default.
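To make the online lifecycle concrete, here is an added Python model (not the CAS implementation) tying together the rules stated on this page: the code is 12 alphanumeric characters when offline Emergency Access Code is enabled and the offline files are present, otherwise 8; the online expiration is between 1 minute and 7 days; a single-use code is spent by the first successful sign-in; an administrator can disable it; and wrong entries are limited by a configured retry count. The character set (upper-case letters and digits), the default of 3 retries, and the decision to block the code once retries are exhausted are assumptions, since the page specifies none of them.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

# Assumption: the page says only "alphanumeric"; upper-case letters and digits are used here.
CODE_ALPHABET = string.ascii_uppercase + string.digits
MIN_ONLINE_LIFETIME = timedelta(minutes=1)
MAX_ONLINE_LIFETIME = timedelta(days=7)


def code_length(offline_enabled, offline_files_downloaded):
    """12 characters when the code must also work offline, otherwise 8 (online only)."""
    return 12 if (offline_enabled and offline_files_downloaded) else 8


def generate_code(offline_enabled, offline_files_downloaded):
    """Generate a fresh code with a CSPRNG; never derive it from user data."""
    length = code_length(offline_enabled, offline_files_downloaded)
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))


def lifetime_is_allowed(lifetime):
    """Online expiration can be set between 1 minute and 7 days."""
    return MIN_ONLINE_LIFETIME <= lifetime <= MAX_ONLINE_LIFETIME


class OnlineEmergencyAccessCode:
    """Lifecycle of one issued code for online access (constructed model, not the CAS implementation)."""

    def __init__(self, code, issued_at, lifetime, single_use, max_retries=3):
        if not lifetime_is_allowed(lifetime):
            raise ValueError("online lifetime must be between 1 minute and 7 days")
        self.code = code
        self.expires_at = issued_at + lifetime
        self.single_use = single_use
        self.max_retries = max_retries   # configurable per the page; 3 is an assumed default
        self.failed_attempts = 0
        self.disabled = False            # set when an administrator disables the code
        self.consumed = False            # set after a successful single-use sign-in

    def disable(self):
        self.disabled = True

    def is_usable(self, now):
        return not (self.disabled or self.consumed or now >= self.expires_at
                    or self.failed_attempts >= self.max_retries)

    def verify(self, entered, now):
        """True on a correct entry of a still-usable code; a single-use code is spent by it."""
        if not self.is_usable(now):
            return False
        if secrets.compare_digest(entered.strip().upper(), self.code):
            if self.single_use:
                self.consumed = True      # expires immediately after a successful sign-in
            return True
        self.failed_attempts += 1         # exhausting the retries blocks the code (assumed behaviour)
        return False


if __name__ == "__main__":
    issued = datetime.now(timezone.utc)
    code = OnlineEmergencyAccessCode(generate_code(True, True), issued, timedelta(hours=1), single_use=True)
    print(code.code, code.is_usable(issued))
```

Treat `disabled`, `consumed`, and `expires_at` as the three conditions to audit when reviewing help-desk issued codes: a multi-use code with a seven-day lifetime that nobody disables is the weakest state this model allows.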

Generate or disable Emergency Access Code for a user

See Manage Users for Cloud Access Service.

Emergency Access Code for Offline Access

When to Use Emergency Access Code for Offline Access

A user can use Emergency Access Code to sign in to a computer that is protected by specific RSA MFA Agents, even if the computer has no internet connection. If the computer has an internet connection, the same OTP can be used to access resources protected by CAS.

Configuration Prerequisites

Your deployment must meet these configuration requirements:

User Experience for Offline Access

  1. The user calls the Help Desk.

  2. The Help Desk Administrator finds the user on the Users > Management page in the Cloud Administration Console and generates an Emergency Access Code.

    The same OTP is generated for online and offline access.

  3. The Help Desk Administrator securely delivers the OTP to the user immediately.

  4. The next time the user attempts to sign in to their Windows computer, the MFA Agent prompts the user to sign in and enter the Emergency Access Code.

Lifetime for Offline Access

The Emergency Access Code is created and downloaded to the user's computer the first time the user successfully authenticates online through the MFA Agent to CAS. The OTP becomes invalid after one of the following events occurs:

  • The configured lifetime (1-30 days) has elapsed. You configure this setting on the My Account > Company Settings > Session & Authentication page. For instructions, see Configure Session and Authentication Method Settings.

  • The user has successfully authenticated, through the MFA Agent, using a method other than Emergency Access Code, to CAS. A new OTP is downloaded to replace the old one, beginning a new lifetime cycle.

The online expiration date may elapse before the offline expiration date. If this occurs and the user still needs online emergency access, you can regenerate the OTP and give it a new online expiration date. The offline expiration date remains unchanged from the time the code was first generated until it expires or the user successfully authenticates with a different method. The Emergency Access Code itself also stays exactly the same when you click Generate Code, even multiple times, before the offline expiration date is reached.

Generate or disable Emergency Access Code for a user

See Manage Users for Cloud Access Service.

OATH OTP

Administrators can assign OATH HOTP hardware authenticators to CAS users and manage those authenticators in the Cloud Administration Console. OATH HOTP authentication is two-factor authentication: users enter a PIN (something the user knows) plus an OTP generated by the authenticator (something the user has).

Users can access and manage their OATH HOTP authenticators via My Page.
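OATH HOTP is the counter-based algorithm of RFC 4226, so the server side of the two-factor check above can be shown in full. The following Python is an added example, not CAS code: `hotp` implements the RFC (HMAC-SHA1 over the 8-byte counter, dynamic truncation, six digits) and `HotpAuthenticatorRecord` is a constructed server-side record that checks the PIN and the OTP together, searches a look-ahead window for a token that was pressed a few times without use, and moves its counter past the accepted value so the same OTP is never accepted twice. The window size of 10, the PBKDF2 PIN storage, and the choice not to advance the counter on a wrong PIN are the example's own assumptions.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class HotpAuthenticatorRecord:
    """Server-side state for one assigned OATH HOTP authenticator.

    Constructed for illustration; not the Cloud Administration Console's data model.
    """

    def __init__(self, secret, pin, look_ahead=10):
        self._secret = secret
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin)
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead  # how far ahead the token may have drifted (assumed window)

    def _hash_pin(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def verify(self, pin, otp):
        """Both factors must match; the counter only moves forward on a full success."""
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self._pin_hash)
        matched = None
        # Search the look-ahead window so a few unused presses on the token do not lock the user out.
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self._secret, candidate), otp):
                matched = candidate
                break
        if not (pin_ok and matched is not None):
            return False
        # Resynchronise past the accepted value: the same OTP can never be replayed.
        self.counter = matched + 1
        return True


if __name__ == "__main__":
    # Secret from the RFC 4226 test vectors (Appendix D); the PIN is a constructed sample.
    record = HotpAuthenticatorRecord(b"12345678901234567890", "2468")
    print(hotp(b"12345678901234567890", 0), record.verify("2468", "755224"))
```

Two properties are worth checking in any HOTP verifier you are asked to review: a counter value behind the server's is rejected even though the OTP is "valid" for the token, and an OTP accepted once is rejected on the second try. Both are exercised against the RFC test vectors in this example.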

For more information, see OATH HOTP Hardware Authenticators.