
RSA SecurID Access


We understand the challenges of our customers in the federal and public sector space who are making strategic investments to securely manage their IT infrastructure and planning to migrate to the cloud. While the scope of various regulatory frameworks (FedRAMP, FISMA, DISA STIGs) may or may not be relevant to your organization, the benefit of “Do once, apply many times” goes beyond any specific compliance. Commercial customers also gain a lot from IT vendors who comply with these security standards and best practices, because that compliance increases the trust of your own customers. With the additional insights and transparency, enterprises can improve the information security strategy of their overall IT programs.

RSA continues to reduce your compliance burden by always staying on top of the security best practices. Our continuous platform upgrades and improvements ensure customers are kept safe from security holes and vulnerabilities. With the latest release of Cloud, Mobile and Identity Router, we are excited to bring these updates that are layered across RSA SecurID Access to provide outstanding protection for your data and information.


FIPS 140-2 Update - Why Is It Important?

We are living in the era of zettabytes, where the data is growing at a mind-boggling rate. Given the proliferation of digital data, protecting data from being exposed to potential attacks is crucial. This requires the continuous update of cryptographic modules. Federal Information Processing Standard (FIPS) 140-2 standardizes the cryptographic requirements to manage data at rest (storage), as well as data in motion (transmission).

FIPS 140-2 plays an important role outside government as well. For example, healthcare organizations have a mandatory requirement of using FIPS-validated MFA for EPCS (Electronic Prescription of Controlled Substances) systems. The military uses it to be compliant with DFARS (Defense Federal Acquisition Regulation Supplement) to protect data at rest. It is also critical for fintech organizations to leverage reliable and standard cryptographic-based tools and systems.

RSA SecurID Access continues to use FIPS 140-2 validated cryptographic modules and keeps its components aligned with them on an ongoing basis: Cloud Authentication Service, Identity Router and the RSA SecurID Authenticate app (Android, iOS and Windows). So you can march confidently towards meeting your compliance needs where FIPS 140-2 compliance is a non-negotiable item.


Identity Router Release - What’s Special About It?

We continue to make investments in building the most secure identity infrastructure so that we have your complete trust in enabling your business. Be it getting rid of outdated operating systems, upgrading the crypto libraries (as part of our comprehensive security regime) or making configuration changes to be compliant with the latest guidelines that created a buzz yesterday, we want to have it all covered. To achieve this goal, regular upgrade cycles are necessary. With this release of Identity Router, we are excited that our customers will benefit from these additional security enhancements, including those with compliance mandates.

  • A layer of defense: By adhering to the Security Technical Implementation Guide (STIG), the November release of the Identity Router image adds yet another layer to meet the compliance requirements elicited by DISA, the Defense Information Systems Agency, part of the US Department of Defense (DoD). This ensures the operating system, network infrastructure and other computing systems are hardened to operate in the federal infrastructure.
  • Beyond Compliance: Following security benchmarks, whether you are in federal government or not, helps in maintaining the overall security posture of your IT infrastructure. STIGs play a critical role in ensuring the systems are configured as securely as possible (rather than going by the “default settings”) to prevent them from being an easy target for cyber attacks. Security vulnerabilities can be costly and frustrating for commercial organizations as well.
  • Keeping Current: Running an outdated operating system or application software in production is like a ticking time bomb. These could put your network infrastructure and business at risk even before the auditors raise them as red flags. With the SLES 12 SP5 upgrade, we want to ensure our customers are always on the latest and greatest of the software and keep your IT teams and auditors happy.


Other Updates

Admin Console - Security Beyond MFA

To further tighten security, the administrator console of RSA SecurID Access Cloud Authentication Service now has additional access control measures baked in as part of account and access management. These additional controls enforce stricter policies as part of authentication, such as a session lockout interval, a limit on unsuccessful login attempts and password complexity requirements. Given the risk of cyber attacks, any such additional measure that prevents attackers from gaining access to critical resources and accounts goes a long way.


Usage Reporting - The More Data The Merrier

Usage reporting of Cloud Authentication Service is enhanced to include an additional usage metric, Active Users. If you are an administrator, you probably know the existing usage metrics that are made available through our Cloud Administration Retrieve License Usage API. The existing usage reports already show the MFA license count, users with FIDO authenticators and SMS/Voice data; the new report metric shows the number of unique users successfully authenticated by Cloud Authentication Service for MFA. Besides addressing compliance needs, this report will also come in handy for planning for the future. You can use this data for effective budgeting and capacity planning as part of your MFA deployment strategy.


To learn about additional November 2020 updates, see November Release Notes. 


Flexible Access Policy Assignment to Reduce Administrative Overhead

Some applications, such as SSO applications, may need to invoke a specific authentication policy in RSA SecurID Access based on a condition (for example, the user group and/or resource being accessed). SAML-based applications can use the AuthnContext SAML attribute to do just this. But some SSO platforms do not have this support and pose a challenge in complex customer environments. To overcome this limitation, we provide the flexibility to invoke a specific authentication policy based on specific conditions. As part of the SAML connector configuration, administrators can customize the Entity ID of an identity provider by adding a discriminator unique to a SAML-based service provider (SP). This enables you to use different access policies for different SAML-based applications to improve security and flexibility. To learn about additional features in September 2020, see September Release Notes. 


Authenticate to the Cloud Administration Console through a Third-Party Identity Provider

You can now securely sign into the Cloud Administration Console through federation by extending your identity provider (IdP). This is useful in general, but it becomes especially handy for federal administrators who use a common access card (CAC) or personal identity verification (PIV) card: they can continue to use their third-party IdP infrastructure to perform a federated sign-in to the Cloud Administration Console. We encourage you to test this feature in a development environment to make sure everything works before moving into production. To learn about additional features in September 2020, see September Release Notes.

Stormshield Network Security is a strong UTM that helps customers protect their infrastructures. This firewall offers IPsec and SSL VPN for end users.

In this blog I show you how to integrate Stormshield with IDR to protect user remote access.


Let's go 


Stormshield supports RADIUS for integration with Authentication Manager or Identity Router.



Stormshield configuration


At the Stormshield level you need to configure the RADIUS server (your IDR or AM) and your shared secret.



Define RADIUS in the authentication policy.



IDR Configuration 

In CAS I define my RADIUS client.


And ask the cloud to validate only the policy. Because of a timeout issue at the Stormshield level, I can use only the RSA SecurID Authenticate app Authenticate Tokencode.


For security purposes, require a PIN or Device Biometrics to view the Authenticate Tokencode at the CAS level.



After this, push your policies and you are ready to authenticate.



At the password prompt, unlock your RSA SecurID Authenticate app and enter the tokencode to access the VPN.






1 - In the integration with Authentication Manager, Stormshield does not support PIN creation; we need to use the Self-Service Console to initiate the PIN or use another protected resource (a laptop with the RSA Agent for Windows, for example).


2 - If you want to use a VPN client, it is better to use the OpenVPN client instead of the Stormshield VPN client: the Stormshield VPN client sends the same authentication request twice, which looks like a replay attack on the AM/IDR side.


3 - Timeout issue: at the time I write this blog there is no way to modify the Stormshield RADIUS timeout in the UI or CLI.
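Two of the notes above (the fixed gateway timeout and the client that sends the same RADIUS request twice) are easier to reason about with the protocol in hand. The following is an added example, not Stormshield's or RSA's code: it builds the RFC 2865 Access-Request a VPN gateway sends when the user types an Authenticate Tokencode at the password prompt, verifies the Response Authenticator of the server's reply, measures round-trip time against a timeout, and shows how the AM/IDR side can recognise a retransmitted duplicate (same Identifier and Request Authenticator) instead of treating it as a second authentication. The shared secret, user name, tokencode, NAS-Identifier value and port 1812 are constructed assumptions.

```python
"""RADIUS (RFC 2865) helper for checking an IDR/AM RADIUS client setup.

Added illustration, not Stormshield or RSA code. All secrets and identities
below are constructed sample values.
"""
import hashlib
import hmac
import os
import socket
import struct
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret +
    previous cipher block); the first block uses the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("RADIUS User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute (length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, tokencode, secret,
                         nas_id="stormshield-vpn", authenticator=None):
    """Return (packet, request_authenticator). The authenticator must be fresh
    random bytes for every request; it is a parameter only for deterministic tests."""
    ra = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(tokencode.encode(), secret, ra))
             + attribute(NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + ra + attrs, ra


def build_response(code, ident, request_auth, secret, attrs=b""):
    """What the RADIUS server sends back (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def response_authenticator_ok(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Reject replies whose MD5(Code+ID+Length+RequestAuth+Attrs+Secret) is wrong."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


class DuplicateDetector:
    """Flags a retransmission: same client, Identifier and Request Authenticator
    inside a time window. A server that already answered such a request should
    resend its earlier reply rather than evaluate the tokencode a second time."""

    def __init__(self, window_s=30.0):
        self.window_s, self.seen = window_s, {}

    def is_duplicate(self, client: str, packet: bytes, now=None) -> bool:
        now = time.monotonic() if now is None else now
        self.seen = {k: t for k, t in self.seen.items() if now - t < self.window_s}
        key = (client, packet[1], packet[4:20])
        dup = key in self.seen
        self.seen.setdefault(key, now)
        return dup


def probe(server, secret, username, tokencode, timeout_s=5.0, port=1812):
    """Send one Access-Request; return (reply code or None on timeout, seconds).
    An elapsed time close to the gateway's fixed RADIUS timeout explains why
    slower methods (push, SMS) fail while a typed tokencode succeeds."""
    packet, ra = build_access_request(os.urandom(1)[0], username, tokencode, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout_s)
        start = time.monotonic()
        s.sendto(packet, (server, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return None, time.monotonic() - start
    elapsed = time.monotonic() - start
    if resp[1] != packet[1] or not response_authenticator_ok(resp, ra, secret):
        raise ValueError("reply failed Identifier or Response Authenticator check")
    return resp[0], elapsed
```

`probe()` needs a reachable RADIUS server; the remaining functions run offline and are what the server side of the integration has to get right.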


In today’s ever-changing world, enterprises are striving to deploy the right identity management strategy that fits their current environment and future needs. Businesses with the traditional physical-office-only setup have had to adapt and flex new muscles to enable remote access for their employees.


As the businesses shift the operations from office to home, remote working does come with its risks. Unprotected endpoints through which the workforce accesses the corporate network become easy targets. These laptops contain the organization’s sensitive data. Protecting these corporate endpoints and workstations with stronger multi-factor authentication is no longer a choice, it’s a necessity.


The timing couldn’t have been better for launching the latest RSA SecurID Access innovations, including RSA MFA Agent 2.0.1 for Microsoft Windows, considering the need to rapidly enable remote access for a dynamic workforce using the RSA Cloud Authentication Service. MFA Agent 2.0.1, built on a modern and secure interface, provides a seamless and consistent Windows sign-in experience from ground to cloud.


The traditional RSA Authentication Agent 7.4 connects to RSA Authentication Manager to provide strong and highly reliable authentication services. MFA Agent 1.2, built on a REST interface, enables modern authentication such as push to approve and device biometrics through the RSA Cloud Authentication Service.

MFA Agent 2.0.1 merges the best of two worlds. It is a universal Agent leveraging RSA Authentication Manager 8.5 and the RSA Cloud Authentication Service to provide strong multi-factor authentication to users signing into Windows, both online and offline.


Boost Remote Productivity and Experience – With No Fail-Open

Enabling secure remote access is the top concern for organizations. Seamless and consistent authentication experience is no longer a second priority. When users are challenged for multi-factor authentication, they do not care if they are connected to an on-premises data center or cloud. They want convenience and consistency whether they are online or offline. With “no fail-open” offline authentication mechanisms, RSA ensures users are fully authenticated with strong multi-factor authentication even if they are offline. In addition to providing various options for online and offline authentication, MFA Agent 2.0.1 takes care of emergencies too. Users with lost or stolen authenticators or no network connectivity can now log on to Windows machines using Emergency Access codes without causing any disruptions.


More Power to Administrators - Dynamic workforce just got even more dynamic

The year 2020 saw a sharp increase in remote workers - comprising permanent employees, temporary workers, and third-party partners. In addition to provisioning remote access, you need to ensure the right authentication methods are enforced to the right people with the right assurance levels. Through the admin console, you can manage every user’s authentication requirements – from traditional hardware tokens to device biometrics. MFA 2.0.1 also offers administrators a slew of controls to tailor the authentication experience to meet their business needs. Policies are at your disposal to customize the settings such as - load balancing and failover mechanisms, user access with challenge groups, and password order changes. These additional controls not only empower the administrators but also provide greater flexibility.


Accelerate the journey to the cloud – Change doesn’t always have to be scary

Organizations are looking to modernize the authentication experience and migrate to the cloud, but are apprehensive about the possible disruptions it could cause to their current set-up. In that light, here are some key features to help you with this preparation.

Connecting on-premises to the cloud: The proxy and high availability features of Authentication Manager 8.5 ensure the dynamic workforce is secured 24x7. If the cloud service becomes unavailable, RSA Authentication Manager takes over authentication requests. This hybrid approach ensures users are “always-on” and work as securely, reliably, and productively as those on the network.

Co-existence of Agents: Co-existence of traditional and MFA Agents allows you to take a phased approach. Break down the large deployment into smaller launch plans targeting the sub-population to leverage Cloud Authentication Service.

Migration & Upgrade Paths: For a smooth migration from Authentication Agent 7.4 or later versions, you can use the migration utility packaged with the installer. This ensures the policy settings are migrated automatically to the new policy templates. Customers who are on MFA Agent 1.1 or a later version can directly upgrade to MFA 2.0.1.


To learn more about the features see release notes.

During these days of remote work, have you found yourself with a bit of bonus time that used to be consumed with a daily commute? Why not seize this opportunity to hone your skills and add your newfound knowledge to the benefit of all?


RSA University is pleased to bring to you an all-new training lineup for RSA SecurID Access! Our updated curriculum has been designed to help you quickly get up to speed, based on your role and how you use the product(s).


Following the RSA SecurID Access product strategy, we’ve combined a number of courses into a 2-part instructor-led series that will get you the need-to-know in an efficient manner. In addition, we have a brand new On-Demand Lab that’s ideal for longtime SID admins to explore and experience the latest features RSA SecurID has to offer. Take a look at the newest courses listed below!



Benefits of Training
  • RSA SecurID Access I – Administration: This 4-day training course is designed for the individual responsible for administering RSA SecurID Access – both in the cloud as well as with the traditional, on-premises Authentication Manager. Here, you’ll learn about all of the features included and have plenty of hands-on experience working with labs. Help Desks and IT Administrators are being asked to do more and more to help support an expanded remote workforce and this course is perfect for experiencing the latest technology, refreshing your expertise, or getting new members up to speed quickly. This course is also available in our self-paced, On-Demand Classroom modality.
    • Upcoming Live/Virtual Course Dates: August 31-Sept 3 (US), Sept 20-24 (Singapore), Nov 9-12 (US)

  • RSA SecurID Access II – Infrastructure Administration and Tuning: This 4-day training course is designed for the implementors of RSA SecurID Access and Authentication Manager. As with the previous course, this is also available in our self-paced, On-Demand Classroom modality. System Engineers and similar technologists appreciate the ground-level-up understanding they gain from this course and are well prepared to expand an existing system or react quickly in disaster recovery.
    • Upcoming Live/Virtual Course Dates: Aug 17-20 (US), Sept 14-17 (EMEA), Oct 9-22 (US)

  • RSA SecurID Access Self-Guided Exploration Lab: This BRAND NEW On-Demand Lab course gives you a great overview of what the lab environment includes and a lab guide that will guide you through a number of exercises intended to get your feet just wet enough so you feel comfortable jumping into the pool. Designed for current admins, this course is a great option for RSA SecurID admins who are interested in leveling up their skills, in seeing the latest features, and in practicing with features they might not currently be taking advantage of in their own environment.


For a full listing of all of our courses, kindly refer to our training page at: 



Some commonly asked questions:


Q: I/we only have the on-premises version of Authentication Manager (AM). Would I benefit at all from taking the full SecurID Access series?


A: Absolutely. In terms of licensing, the Base edition used to cover only AM, traditional agents and tokens; basic cloud functions are now supported as well (MFA Authenticate App, protected access to cloud applications, and the “SSO Agent” portal). If you’re thinking only about Authentication Manager at the Base level, you may be missing out on a number of features that RSA is now including. Our SID Access classes cover all of these other capabilities. (An interesting factoid: About 80% of our customers only use about 30% of available product functionality!) These classes apply to options our customers can offer their end users and to partners for providing more options to their clients.


Q: What version(s) do these new courses reference?


A: At the time of this writing, our lab environments for RSA SecurID Access are on the June 2020 Release. RSA Authentication Manager is currently on 8.4 patch 4, MFA Agent for Windows is v1.0, and MFA Agent for macOS is v1.0 - macOS is something we discuss about in the courses but do not include within our lab environments.


Have questions about which training is right for you or your team? Reach out to me at - I'd be delighted to hear from you! 

As we all are transitioning to embrace the new normal and support the remote workforce, there is an unprecedented need to keep the endpoints secure without compromising convenience. It is critical that we take steps to enable the dynamic workforce to access resources by providing a frictionless and seamless experience. We are excited to provide updates as part of June, 2020 Release that perfectly align with this objective.



RSA® MFA Agent for macOS® 


Endpoint security is a major concern for CSOs and IT managers. Given the pandemic situation, there is a significant increase in the number of end-user devices (especially laptops and desktops) trying to access the corporate network remotely, along with a corresponding increase in the number of attackers trying to compromise them. With RSA® MFA Agent for macOS®, organizations can protect and ensure secure logins to macOS® laptops and workstations. RSA® MFA Agent for macOS® works with RSA SecurID Access Cloud Authentication Service to require users to provide additional authentication to sign into macOS® consoles, whether they are online or offline.


Today’s enterprises understand and acknowledge the need to manage identities in a dynamic fashion given their dynamic environment and dynamic workforce. Although strong authentication is top of mind, convenience and user experience are no longer a secondary priority. Defying the “more-is-more" approach, customers and users want to manage a minimum set of authenticators for an efficient and seamless experience across use cases.


With that statement as the preamble for RSA® MFA Agent for macOS®, the authentication options available to end users when everything is working normally are Push to Approve, RSA SecurID Authenticate Tokencode and RSA SecurID Tokens. The Agent falls back to Authenticate Tokencode when users are offline and offers an Emergency Tokencode option when they have no access to their authenticators. With RSA SecurID Access, users are always connected securely.


By protecting macOS machines not just during user logins but also during screen unlocks, and with the no-fail-open design, RSA ensures there is no “slip through the cracks” situation even when the Agent cannot reach the Cloud Authentication Service.


To learn more and watch the MFA Agent in action, see:

Cake for All! Secure & Convenient Login for The New Enterprise for macOS®  

Watch RSA® MFA Agent for macOS® In Action


View and Track License Usage Information  


Understanding product usage is an important factor for planning and forecasting future license upgrades. Customers can view their current usage of MFA on RSA SecurID Access and the authenticators registered for the service. Administrators can view the following information:

  • Number of users with Multi-factor authentication (MFA) licenses 
  • Number of users with third-party FIDO authenticators
  • Number of SMS/Voice Tokencodes consumed 


This data is refreshed automatically every hour to ensure that administrators have visibility to the most recent information.


Get More Out of Enterprise and Premium Editions of RSA SecurID Access with the Third Party FIDO Authenticators 


We all know how effective FIDO is when it comes to thwarting phishing and man-in-the-middle attacks. FIDO Alliance promotes and supports the stronger authentication standards that help reduce the over-reliance on the passwords. So is RSA!  


In December 2019, RSA partnered with Yubico® to address the needs of a dynamic workforce and provide modern and frictionless authentication experience with the FIDO authentication solution. With FIDO2 and RSA SecurID Access Authentication services, RSA customers enjoy the passwordless experience while accessing SaaS and web applications.  


Until recently, customers had to purchase RSA SecurID MFA licenses to use FIDO/FIDO2 authenticators. With this change, we are removing that friction so enterprises can adopt and build stronger and more modern authentication strategies.


FIDO Authentication Support  


While we are talking about extending the support for FIDO, why not talk about the RSA SecurID Authentication API. The RSA SecurID Authentication API is a REST-based programming interface that allows RSA customers and partners to use MFA capabilities in their custom-built applications.


In the June release, the RSA SecurID Authentication API supports FIDO/FIDO2 as an authentication method alongside the existing MFA methods. To supplement FIDO as part of authentication, RSA SecurID Access supports managing the entire authenticator lifecycle too. RSA understands that for organizations to begin using FIDO at scale, it takes more than just authentication support for the protocol. At the initial login attempt, users can enroll their FIDO authenticators or keys before using them as one of their multi-factor authentication methods. By giving users the ability to manage their keys through self-service and in-line registration, RSA removes barriers for organizations and technology partners to adopt RSA SecurID Authentication support for FIDO.



To learn about additional updates coming out in June 2020, see June Release Notes. 


Organizations today are reeling from decisions made at the start of the “New Normal”. These decisions were made during a rapidly deteriorating situation happening on a global scale, all in response to continually evolving mandates issued by different levels of government. Action on these decisions was swift, of the business simultaneously, and fundamentally changed how the business functioned on a day-to-day basis.


The New Normal results in a widely distributed Remote Workforce.

The Remote Workforce that must use the internet to access Corporate Resources.

Corporate Resources are accessed from the home office using All Available Machines.

The Machines that keep the lines of business running in The New Enterprise.


As the “New Normal” begins to stabilize, organizations are starting to understand the impact of these changes. One such need is the ability of the remote workforce to securely log in to machines running macOS® and use them to access corporate resources. Prior to this, organizations had little appetite to secure these machines because their numbers were relatively small and easy to track and manage.


Today, these machines are used by the remote workforce in all parts of the world. They are connected to the internet using a variety of consumer grade networking equipment and broadband service providers. More importantly, there are no guarantees of physical access security to these machines. New problems are revealed as the lines of business continue to allow the use of macOS machines by the remote workforce. Solving them will require a New Enterprise Grade solution that can meet the needs of both users and administrators in the "New Enterprise".


Users need Convenient Login to macOS any time whether Online or Offline with No Fail-Open.

Administrators need Secure Login to macOS anytime whether Boot-Up or Wake-Up.


Announcing the Launch of RSA MFA Agent 1.0 for macOS


Today, RSA® proudly launches RSA MFA Agent 1.0 for macOS; an important step for a New Enterprise Grade endpoint protection solution. This agent is the culmination of many years of experience from securing Windows® and Linux® machines belonging to organizations of all sizes and verticals. You will discover that this agent fulfills the needs of both users and administrators while they adapt to the "New Enterprise". Additionally, you can learn how we do this for Windows and Linux machines in the “Eat More Cake!” blog and the Pluggable Authentication Module (PAM) announcement.     


Convenient Login Whether Online or Offline with "No Fail-Open"


Users want a quick and easy way to log in to macOS. Many users do not want to carry different devices all the time just to log in. They do not want to figure out if their macOS machines are connected to the internet just to log in with the right device. All they want is to carry one device and use one app to log in to their machines.


RSA MFA Agent for macOS lets users log in using a choice of Approve, Authenticate Tokencode, Emergency Access or RSA SecurID® Token that is convenient anytime the machine is online. Gone are the days when users get limited access to the machine when offline with our deliberate use of a "No Fail-Open" design. The agent automatically protects the offline machine using one of the most secure options, Authenticate Tokencode. Users can conveniently log in to their machines with this when offline, just as they do when online.


Secure Login Whether Boot-Up or Wake-Up


Users typically log in to their macOS machines at the log in or lock screen. Of these two places, users most frequently log in at the lock screen, because the machine automatically locks itself when the user has not interacted with it for a while. Examples of this include users stepping away for a short break or when moving to a new meeting room and reopening the laptop lid to use it. The log in screen by comparison happens only when the machine is turned on or restarted.  


Any secure desktop protection solution that uses a Fail-Open design without protecting the lock screen really takes the cake! Not only can someone gain access to the machine by figuratively pulling the network cable, they can stay logged in with just the username and password. Requiring users to login with Authenticate Tokencode using our innovative "No Fail-Open" design, preventing login bypass, at both log in and lock screens, even when the machine has no connectivity, is how we do it better.


Ending on a Sweet Note


As we enter the "New Enterprise" era, organizations are reevaluating their Identity and Access Management (IAM) solutions in use more than ever. They will not accept so-called "Enterprise Grade" solutions that favor convenience or security at the expense of the other while operating in the "New Enterprise". They want to have their cake and eat it too. With RSA SecurID Access, organizations can get a convenient and secure solution that is balanced, but getting one that is New Enterprise Grade is just icing on the cake.



An organization or lines of business within organizations should consider having an integrated authentication strategy and framework. An authentication solution should aid in advancing that framework in meeting specific identity and security objectives. Such organizations looking at free Microsoft Azure AD MFA or RSA SecurID Access need to use these critical elements when building or supporting such authentication framework. 


Protect applications beyond Windows-based and browser-based

Most organizations will continue to manage a hybrid IT model with non-Windows applications and infrastructure existing both in the cloud and on-premises. Infrastructure systems like switches, routers, VPNs and (*nix) server systems need privileged access by super-admins. IAM teams need to think about how to securely enable 2FA/MFA for those privileged admins and end users with a native integration that doesn’t compromise user experience. RSA SecurID Access provides an agent-based approach that can protect remote access infrastructure such as VPNs, Citrix Access Gateway, Windows Remote Desktop sessions and critical server environments including Linux systems.


Support non standard protocol applications through a combination of technology ecosystem and an extensible API model

For legacy applications that do not support standard protocols (e.g. SAML, RADIUS, OIDC), organizations need to think about extending MFA capabilities using an API approach or a pre-built integration with technology vendors. The RSA Ready program gives organizations out-of-the-box certified integrations with 500+ applications through 100+ technology vendor partnerships. RSA SecurID Access can enable MFA for non-browser or non-SAML applications through native integration with network vendors such as Palo Alto Networks, or provide out-of-the-box MFA integration with electronic medical records applications such as Epic Systems. RSA SecurID Access helps organizations extend their deployment to meet enterprise-grade requirements by exposing an API/SDK for any custom integration.


Support dynamic workforce with authentication choices and a simplified experience across the entire MFA lifecycle including user onboarding

Supporting a broad range of user types and providing clear paths for those users to self-register any MFA method consistently as part of on-boarding is critical. The RSA SecurID Access on-boarding experience, through out-of-the-box capability or extensible REST APIs, helps organizations create a simplified user experience while on-boarding users, all backed by a powerful policy engine. Besides on-boarding, a framework needs to handle what-if scenarios such as credential recovery and emergency access. What if users need a break-glass approach to gain access to applications or self-service capabilities when their phones are misplaced or forgotten? What if contractors need a one-time code to access systems without the overhead of distributing tokens or using mobile phones? RSA SecurID Access provides options to help handle emergency situations and a variety of user types and scenarios.


As discussed above any security sensitive organization looking to advance their authentication framework should consider appropriate critical elements.  IAM practitioners within those organizations need to contemplate whether having a free solution advances or restricts those elements in supporting diverse workforce access applications across their hybrid IT environment. 

As each line of business (LOB) within an organization procures its own authentication solution, the overhead cost of managing such solutions needs to be evaluated. Does this island of point solutions drive additional process challenges and a more disconnected authentication framework for an IAM team? Below are key discussion points to ponder before going down the path of implementing multiple authentication solutions.


Reproducing & managing integrations & automation with multiple authentication platforms may prove costly

Organizations invest in the automation and integration of an authentication platform with existing security tools such as a SIEM platform and governance tools for collecting, reporting and regularly auditing access events. RSA SecurID Access enables those organizations to automate the process or workflow for onboarding users, distributing MFA credentials and sharing data for auditing needs. Replicating these integrations and automation across security systems for a second authentication platform may add cost and resourcing challenges.


Reflect on process challenges when considering multiple authentication platforms

Rolling out or upgrading an MFA infrastructure often requires common buy-in across desktop, mobile, infrastructure, remote access and security teams. This required interaction creates process friction and overhead within some organizations. Hence using the native integrations and out-of-the-box capabilities provided by an authentication platform is critical to reducing such friction and to the IAM team's success. RSA SecurID Access has such native integration capabilities through an agent-based model, out-of-the-box integration with infrastructure vendors (e.g. VPNs, firewalls, virtualization platforms) and support for both hardware and virtual appliances. IAM teams should reflect on such process challenges and the associated friction before adding yet another authentication solution to their toolbox to solve point use cases.


Reduce user education and training costs and improve productivity through a single authentication platform

Educating and training users on two different authentication experiences provided through different solutions is a challenge when those users require the broadest set of authentication options to access applications. IAM teams considering two different authentication solutions as part of their tool set should weigh the possible overhead of staffing and technical training for help desk team members supporting those solutions. RSA SecurID Access helps build a consistent end-user experience across the broadest set of applications and the widest range of authentication choices, which reduces the overhead of training and educating end users. In addition, IAM teams can improve overall help desk costs by choosing a single vendor that provides a consistent experience in supporting users across a hybrid environment.


Managing multiple authentication platforms doesn't end with technical, people or process challenges for IAM teams. The invisible costs extend to vendor management challenges, security teams managing vulnerabilities and fixing those gaps across multiple point products, and more. As an IAM practitioner, one needs to evaluate and reflect on the holistic value achieved through using one versus multiple authentication platforms that meet an organization's broadest set of security and identity needs.

The word free has multiple meanings according to the Merriam-Webster dictionary. Among them are “not restricted”, “not costing” and “relieved from something burdensome”. When a solution is free or bundled with an Enterprise License Agreement (ELA), and that is used as the key decision driver for purchasing or rolling out Multi-Factor Authentication (MFA), the hidden costs are overlooked, leading to return-on-investment challenges. An Identity and Access Management (IAM) influencer or decision maker considering free Microsoft Azure AD MFA needs to consider the following three criteria and associated questions while making such decisions.


  1. A consolidated authentication framework to support a diverse user population and a variety of infrastructure & applications while mitigating identity-specific attacks. Do organizations feel restricted or advanced in developing a consolidated authentication framework using a free solution?
  2. Overhead costs related to people & processes from supporting multiple vendors and managing multiple authentication platforms. Does having multiple authentication vendors cost organizations more?
  3. An authentication platform that helps IAM teams meet different regulatory requirements while supporting strong security policies. Do free solutions burden IAM teams more when trying to address MFA requirements as part of meeting their regulatory needs (e.g. PCI-DSS, DFARS, EPCS)?


If the answer to the above questions is a resounding yes, the next series of blogs will provide guide paths and recommendations on how to address those questions effectively. These recommendations should enable organizations and IAM teams to make an informed decision when considering RSA SecurID Access or free Microsoft Azure AD MFA for their authentication needs.


Organizations are subject to more regulations than before (e.g. new PCI standards, CCPA), and this creates an additional burden for IAM teams to keep up with such regulatory requirements. An authentication platform should help meet such regulations while also helping meet security and privacy requirements. As an IAM practitioner, one needs to consider the following guide paths when evaluating free Microsoft Azure AD MFA, RSA SecurID Access or any other authentication solution.


  • Regulatory requirements - A single platform that helps address an organization's myriad regulatory MFA compliance requirements

Some regulations mandate the strongest forms of authenticator per the NIST assurance levels (e.g. AAL2 and AAL3) for your workforce. An example is EPCS, where strong proofing, 2FA and access logging are required for issuing electronic prescriptions. RSA SecurID Access can enable such organizations with in-person proofing and secure, out-of-band distribution of 2FA tokens. For organizations subject to DFARS, RSA SecurID Access can provide a FIPS-compliant solution to meet 2FA requirements. The PCI-DSS 2.0 regulations call for knowledge of the success or failure of a factor not to be provided to the individual until all factors have been submitted. RSA SecurID Access can support such requirements through a multi-factor, multi-step process for network login into the secure cardholder environment.
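Added example, not RSA's code or the PCI DSS text: a password-plus-tokencode check in Python showing a leaky early-return login beside compliant single-step and multi-step versions that withhold every factor's result until all factors have been submitted. The credential store, the salt and the user alice are constructed for the demo.

```python
"""Added example, not RSA's code or PCI DSS text: password + tokencode
checks illustrating the requirement that the success or failure of a
factor is not disclosed until all factors have been submitted.  The
credential store is a constructed stub; a real deployment verifies the
password against the directory and the tokencode against the token
service."""
import hashlib
import hmac
import secrets

_SALT = b"constructed-demo-salt"


def _pw_hash(password):
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


# Constructed demo user: salted hash of the password and the current tokencode.
USERS = {"alice": {"pw": _pw_hash("correct horse"), "code": "492817"}}


def check_password(user, password):
    rec = USERS.get(user)
    # Compare against a random hash for unknown users so the work is uniform.
    expected = rec["pw"] if rec else _pw_hash(secrets.token_hex(16))
    return hmac.compare_digest(expected, _pw_hash(password)) and rec is not None


def check_tokencode(user, code):
    rec = USERS.get(user)
    expected = rec["code"] if rec else "000000"
    return hmac.compare_digest(expected, code) and rec is not None


def leaky_login(user, password, code):
    """Non-compliant: returns early, so the reason reveals which factor failed."""
    if not check_password(user, password):
        return (False, "bad password")
    if not check_tokencode(user, code):
        return (False, "bad tokencode")
    return (True, "ok")


def login(user, password, code):
    """Compliant single-step variant: evaluate every factor, one uniform answer."""
    results = [check_password(user, password), check_tokencode(user, code)]
    ok = all(results)
    return (ok, "ok" if ok else "authentication failed")


class MultiStepLogin:
    """Compliant multi-step variant (password first, tokencode second): the
    password step always answers 'continue'; the decision comes after step 2."""

    def __init__(self, user):
        self.user = user
        self._password_ok = None

    def submit_password(self, password):
        self._password_ok = check_password(self.user, password)
        return "continue"  # identical response whether or not it matched

    def submit_tokencode(self, code):
        if self._password_ok is None:
            raise RuntimeError("password step not completed")
        ok = self._password_ok and check_tokencode(self.user, code)
        self._password_ok = None  # one decision per attempt
        return (ok, "ok" if ok else "authentication failed")
```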


  • Unified visibility across cloud and on-premise (hybrid) infrastructure to help meet auditing needs

Auditors need visibility into which users had access to applications and systems on both cloud and on-premise infrastructure. Specifically, they need data on users, the applications accessed and the level of authentication used to gain access to those systems. RSA SecurID Access enables such visibility into an organization’s access infrastructure through out-of-the-box reporting and the ability to export such events to external systems for further reporting or analysis. With a hybrid IT model (on-premise and cloud applications), IAM teams will benefit from a platform that provides a comprehensive view of all user access events across multiple application types and user populations.


  • Security teams – Reduce identity-specific attacks with a powerful policy engine

Security policies need to support different assurance levels based on the sensitivity of applications and user-level risk. IAM teams need to manage policies centrally so that those assurance levels are achieved through the right level of authentication. RSA SecurID Access provides different assurance levels so that the right access controls are implemented. Organizations can use the behavioral analytics risk engine, usable from day one, to determine user-level risk against the peer population based on application, device or location anomalies.

With the combination of a powerful assurance-level-driven policy engine and behavioral risk capabilities, security teams can rest assured that they are mitigating identity threats and supporting their broader security goals.


  • Privacy requirements - A solution needs to understand and help with an organization’s privacy stature

Users have privacy concerns about security teams installing apps on their mobile devices. Some security policies mandate that no phones are allowed inside call centers or data centers. An authentication solution should be flexible enough to accommodate such requirements. RSA SecurID Access can help meet them through hardware OTP tokens or FIDO keys.

Some organizations are subject to strict data residency requirements (e.g. in Europe) because of the countries they operate in. RSA SecurID Access has data centers in local regions, and data never leaves the respective region's borders, to support data protection and privacy requirements.


Evaluate whether a free MFA solution from Microsoft will help you breeze through such regulatory, security and privacy requirements. RSA SecurID Access can help untangle complexity and reduce the burden on IAM teams by helping meet such regulatory requirements.

Better Together: SecurID Access with your SIEM Platform



Everyone wants better visibility into the behaviors (or misbehaviors) of their users. Customers often ask us a simple question: what should we watch out for?


The RSA SecurID® Access Cloud Authentication Service produces a large list of events. These are emitted from both the Cloud Service itself and the supporting Identity Router virtual appliance clusters, and are intended for a variety of purposes, including:


  • Security and Event monitoring
  • System health
  • Supporting audit activities
  • Troubleshooting system or integration issues


These events fall under three major categories, each with its own severity levels: Administration, System and User events.


To help you get started, we have collated a shortlist of events that may be of interest, emphasising events related to security and critical health warnings. Be warned! This list does not cover every possible event of interest for your deployment and is not intended as an exhaustive list specific to your organisation.


RSA recommends augmenting this guidance with your knowledgeable delivery partner or with RSA Professional Services to obtain specific advice for YOUR organisation.

Furthermore, alerting on events related to the SecurID Cloud Risk Engine provides an additional dimension of visibility around suspicious behaviour. This is relevant even if your organisation does not use the risk engine to reduce the frequency of user challenges: even organisations that wish to challenge specific apps or users can gain the benefits of the risk engine as a monitoring tool for user and device behaviour.


Please consult the full list of Cloud Service Events here:

If you are a lucky customer who uses the RSA NetWitness Platform as your SIEM, consult the official documentation on how to connect it to the Cloud:


If you have another SIEM platform, also consult the following document on how to pull Cloud Service Events into your SIEM via the Cloud Event API:


Cloud Administration Events

It is recommended that all administrative activity relating to the SecurID Cloud Authentication Service be examined, as it represents changes to a system that may have broad-reaching consequences. A list of activities that should be monitored is presented in the following table.


Activity Key | Activity Code | Suggested Action
Admin {0} sign-in failed | | Repeated failures should be alerted upon
System locked admin {0} account | |
System unlocked admin {0} account | |
Admin {0} deleted access policy {1} | |
Admin {0} deleted identity router {1} | |
Admin {0} reset the identity router {1} password | |
Admin {0} deleted cluster {1} | |
Admin {0} deleted trusted location {1} | |
Admin {0} deleted all trusted locations | |
Admin {0} deleted trusted network {1} | |
Admin {0} deleted all trusted networks | |
Admin {0} deleted admin user {1} | |
Admin {0} deleted application {1} | |
Admin {0} deleted relying party {1} | |





Cloud System Events


System events trigger the following messages to appear in the System Event Monitor.


Event Code | Suggested Action
Identity Source Sync: Identity source synchronization not completed successfully. |
Identity Source Sync: Users are missing one or more unique identifiers. Check the user attribute configurations in both the cloud identity source and the directory server. |
Identity Router: Identity router cannot initiate contact with the Authentication Manager server. |
Identity Router: Identity router cannot connect to Authentication Manager - Unknown error. |
Identity Router: The identity router cannot connect to any configured identity sources. |
Identity Router: The identity router cannot connect to some configured identity sources. |
Identity Router: Some of the configured DNS servers are not working properly. |
Identity Router: None of the configured DNS servers are working properly. |
Identity Router: Identity router CPU usage exceeds the threshold limit. |
Identity Router: Cluster is offline and not in quorum. No configured identity routers are online. |
Identity Router: Identity router memory usage exceeds the threshold limit. |




Cloud User Events


Event Code | Suggested Action
Authenticate Tokencode authentication failed - Invalid tokencode. | Alert on repeated attempts
Authenticate Tokencode authentication failed - Previously used tokencode detected. | Alert on repeated attempts
Identity router API tokencode authentication failed - Cloud Authentication Service unreachable. | Alert – IDR unable to reach cloud
Identity router API user status check - Identity source unreachable. | Alert – LDAP unavailable
LDAP password authentication failed - Cannot establish a trusted SSL/TLS connection with the LDAP directory server. Check for invalid certificate. | Alert – LDAP unavailable
LDAP password authentication failed - Sign-in failure: unknown username or invalid password. | Repeated failures should be alerted upon
LDAP password authentication failed - LDAP account locked out. | Alert – user locked out
Just-in-time synchronization failed to synchronize user with the Cloud Authentication Service - Unable to contact identity router. | Alert – IDR unavailable from Cloud
Just-in-time synchronization failed to synchronize user with the Cloud Authentication Service - Unable to contact directory server. | Alert – LDAP unavailable for sync
RSA SecurID user authentication failed - RSA SecurID service is not available. | Repeated failures - alert – Cloud service down?
Portal sign-in failed - Password reset required. | Alert – possibly to alert helpdesk
Protected application authentication failed. | Repeated failures should be alerted upon
Additional authentication failed. | Repeated failures should be alerted upon
Additional authentication failed - User account disabled. | Alert – possibly to alert helpdesk
Password authentication succeeded - Client does not support required additional authentication methods - Access denied. | Alert – possibly to alert helpdesk
Unsuccessful password authentication – Access denied. | Repeated failures should be alerted upon
Password authentication succeeded - User prohibited by policy settings - Access denied. | Repeated failures should be alerted upon
Password authentication succeeded - Access prohibited by conditional policy settings - Access denied. | Repeated failures should be alerted upon
RSA MFA Agent for Microsoft Windows configuration not approved. | Alert – possibly to alert helpdesk
RSA MFA Agent for Microsoft Windows unsuccessful configuration. | Alert – possibly to alert helpdesk
SAML IdP - Error response sent. | If Authentication Details includes "Message was rejected due to issue instant expiration" or "Message was rejected because was issued in the future," then there might be a time-synchronization issue between the service provider and the Cloud Authentication Service. If you see this message during an additional authentication flow for an SSO Agent application, check the time on the identity router.
RADIUS - LDAP authentication succeeded - Policy contains no RADIUS-compatible methods for additional authentication - Access denied. |
RADIUS - Cloud Authentication Service unreachable - Access denied. | Repeated failures - alert – Cloud service down?
RADIUS – Authentication failed. | Repeated failures should be alerted upon
Access denied – User not a member of any identity source in access policy. | Repeated failures should be alerted upon
Access denied – User does not match any rule sets or matches a deny rule set in access policy. | Repeated failures should be alerted upon
Access denied – Policy authentication conditions deny access. | Repeated failures should be alerted upon
SMS Tokencode message transmission attempt failed - Invalid phone number. | Alert – possibly to alert helpdesk
Voice Tokencode call attempt failed - Invalid phone number. | Alert – possibly to alert helpdesk
SMS Tokencode authentication method locked – User exceeded maximum tokencodes allowed. | Alert – possibly to alert helpdesk
Voice Tokencode authentication method locked - User exceeded maximum tokencodes allowed. | Alert – possibly to alert helpdesk
Evaluated identity confidence. See Condition Attributes for Access Policies - Reporting a User's Identity Confidence Score for details. | SEE BELOW. When the “Confidence” attribute is greater than the “Confidence Threshold” the risk is low, therefore do nothing. When the “Confidence” attribute is lower than the “Confidence Threshold” the risk is high and therefore alert.
Emergency Tokencode locked - User previously exceeded maximum attempts. | Alert – possibly to alert helpdesk
Emergency Tokencode now locked. | Alert – possibly to alert helpdesk




Evaluated Identity Confidence Event (Risk Engine)


As you can see from the log sample below, the parser must be configured to conditionally evaluate the value of the confidence attribute against the confidenceThreshold value. If confidence is lower than confidenceThreshold, the risk is considered high and an alert should be generated containing the named user identifier.
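Added example, not RSA's code and not the real Cloud Event API schema: Python triage over a constructed JSON-lines export implementing the suggested actions from the user events table and the confidence rule above (alert on repeated failures per user within a window, alert on single infrastructure failures, and alert when confidence is below confidenceThreshold). The event messages and the confidence/confidenceThreshold attribute names come from the post; the JSON layout and the ts and userId fields are assumptions.

```python
"""Added example, not RSA's code: SIEM-side triage over constructed
SecurID Access Cloud Service events, implementing the suggested actions
from the event tables.  Only the event messages and the attribute names
'confidence' / 'confidenceThreshold' come from the post; the JSON-lines
layout and the 'ts' and 'userId' fields are assumptions."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (not real exported data).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2020-05-01T10:00:00Z", "userId": "alice",
     "message": "Evaluated identity confidence.",
     "confidence": 0.91, "confidenceThreshold": 0.70},
    {"ts": "2020-05-01T10:00:05Z", "userId": "bob",
     "message": "Evaluated identity confidence.",
     "confidence": 0.32, "confidenceThreshold": 0.70},
    {"ts": "2020-05-01T10:01:00Z", "userId": "bob",
     "message": "Authenticate Tokencode authentication failed - Invalid tokencode."},
    {"ts": "2020-05-01T10:01:20Z", "userId": "bob",
     "message": "Authenticate Tokencode authentication failed - Invalid tokencode."},
    {"ts": "2020-05-01T10:01:40Z", "userId": "bob",
     "message": "Authenticate Tokencode authentication failed - Previously used tokencode detected."},
    {"ts": "2020-05-01T10:30:00Z", "userId": "carol",
     "message": "Unsuccessful password authentication – Access denied."},
    {"ts": "2020-05-01T11:30:00Z", "userId": "carol",
     "message": "Unsuccessful password authentication – Access denied."},
    {"ts": "2020-05-01T11:31:00Z", "userId": "dave",
     "message": "LDAP password authentication failed - LDAP account locked out."},
])

# Messages whose suggested action is "repeated failures should be alerted upon".
REPEATED_FAILURE_PREFIXES = (
    "Authenticate Tokencode authentication failed",
    "LDAP password authentication failed - Sign-in failure",
    "Protected application authentication failed",
    "Additional authentication failed.",
    "Unsuccessful password authentication",
    "RADIUS – Authentication failed",
    "Access denied –",
)
# Messages that warrant an alert on a single occurrence.
IMMEDIATE_ALERT_PREFIXES = (
    "Identity router API tokencode authentication failed - Cloud Authentication Service unreachable",
    "LDAP password authentication failed - LDAP account locked out",
    "Just-in-time synchronization failed",
)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts'; skip malformed lines."""
    out = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError, TypeError):
            continue
        out.append(ev)
    return sorted(out, key=lambda e: e["ts"])


def confidence_alerts(events):
    """Risk-engine rule: confidence below confidenceThreshold is high risk."""
    return [("HIGH_RISK_CONFIDENCE", ev["userId"], ev["ts"]) for ev in events
            if "confidence" in ev and "confidenceThreshold" in ev
            and ev["confidence"] < ev["confidenceThreshold"]]


def immediate_alerts(events):
    """Infrastructure / lockout messages: alert on the first occurrence."""
    return [("IMMEDIATE", ev["userId"], ev["ts"]) for ev in events
            if ev.get("message", "").startswith(IMMEDIATE_ALERT_PREFIXES)]


def repeated_failure_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Alert once per user when >= threshold matching failures fall in window."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ev in events:
        if not ev.get("message", "").startswith(REPEATED_FAILURE_PREFIXES):
            continue
        q = recent[ev["userId"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and ev["userId"] not in alerted:
            alerted.add(ev["userId"])
            alerts.append(("REPEATED_FAILURES", ev["userId"], ev["ts"]))
    return alerts


def triage(text):
    """Run all three rules over an export and return the alerts in time order."""
    events = parse_events(text)
    alerts = (confidence_alerts(events) + immediate_alerts(events)
              + repeated_failure_alerts(events))
    return sorted(alerts, key=lambda a: a[2])


if __name__ == "__main__":
    for kind, user, ts in triage(SAMPLE_EVENTS):
        print(ts.isoformat(), kind, user)
```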



Identity Router Events

Please consult the full list of events emanating from the Identity Router here:


User Audit Events
Suggested action: User Audit Events contain no security or health events.


Web Services Audit Events
Suggested action: Web Service Audit Events contain no security or health events.


System Audit Events
Event Code | Suggested Action
An error occurred on the identity router. |
The identity router rebooted. |


IDR Status Events
Suggested action: RSA recommends that all IDR system health events be monitored. Consult the full list of events here, under the “Identity Router Status Events” table:


RADIUS Audit Events
Event Code | Suggested Action
A user attempted RADIUS authentication, but RADIUS or the user's device does not support any of the authentication methods allowed by the access policy. | Alert – triage to IT or helpdesk
A user attempted RADIUS authentication using a method that requires a mobile device, but no device is registered for the user. | Alert – possibly helpdesk
The RADIUS service encountered an error. |




The RSA SecurID Access team is excited to provide the following updates as part of the May, 2020 release.  


Emergency Access now available for FIDO protected resources 

Emergency access greatly enhances productivity by unblocking access to business critical resources when a user may have lost, misplaced or forgot their authentication device.  Emergency access codes may be used for a fixed period of time as determined by the issuing help desk administrator.

Many organizations are providing a passwordless experience to their users for accessing SaaS/web applications, using FIDO2 as the primary authentication method. In the May release, users who use FIDO2 as their primary authentication method and lose or misplace their security key can obtain an Emergency Access Code (EAC) as an authenticator to gain access to their critical resources protected by FIDO, with no loss in productivity. They can then log on to the RSA My Page Self-Service Portal with their EAC to begin the process of enrolling a replacement FIDO Security Key.


Improved Security for Administrators Who Require Resetting Their Password

The password reset process for all administrators has been made more secure.  For existing administrators, to securely reset any Cloud Administration Console password, the password reset must be completed within two hours of requesting the password reset link. 


See the May Release Notes, which provide complete details on these new capabilities and other miscellaneous updates coming out in the May 2020 release.

As we all go through some level of adaptation to the new normal, the one thing that hasn’t changed is our continued commitment to rolling out capabilities to our RSA SecurID Access customers. We are excited to provide the following updates as part of the April 2020 release.


Threat Aware Authentication (TAA) v2 - Improved flexibility to support different customer deployments

Our TAA v1 release (last year) supported limited deployment scenarios: risky users were identified and exchanged based on email addresses. Customers wanted more flexibility in identifying and sharing the user list. We saw this customer enthusiasm and commitment to making the TAA capability better.


We have updated TAA (v2) to provide that flexibility in identifying risky users between RSA NetWitness and RSA SecurID Access. Now the identities within the risky user list can be in any format agreed upon in advance between the two products.


RSA SecurID Access can identify users using the Primary Username or an Alternate. These attributes can be mapped to any underlying LDAP/AD attribute (e.g. samAccountName, userPrincipalName, UID). RSA NetWitness administrators can now configure which piece of metadata they want to use to build and exchange the risky user list.


Extend the use of conditional access policy attributes to Enterprise Edition licensed customers

Many of our customers are already using the policy engine to make smart access decisions in protecting a variety of applications. We want to enable more customers to use our policy engine – the true power behind implementing security controls based on your organizational policies. The conditional access attributes used in defining policies help harness the power of that policy engine.


We are thrilled to announce that our Enterprise Edition licensed customers can start using those conditional access attributes NOW!  Those customers can enable policies to provide user access based on dynamic context driven attributes such as countries, trusted locations, trusted networks.  


Our premium edition customers are already unleashing the power of these conditional access policy attributes in their access decisions. 


Our goal is to enable everyone to make access decisions smarter!!


Enabling our customers to address their privacy concerns

Ability to turn off location collection

Some customers promote preserving user privacy as part of their organizational policy or to comply with regulations. We understand such policies and would like to support our customers in their privacy initiatives. One such privacy-related topic is the collection of user location.


Beginning with the April release, we are giving customer administrators the ability to fully control location data collection. Enabling or disabling location collection is now within the power of customer administrators through the administration console. Those administrators can choose to turn off location collection for specific policy attributes such as trusted locations, country and Identity Confidence.


Providing visibility into device capabilities used in mobile apps

Some customers would like better visibility into how their end users' mobile device capabilities (e.g. camera, Wi-Fi connections) are used by the RSA SecurID Software Token and RSA SecurID Access Authenticate apps. In the April release we have provided our customers with documentation detailing:

  1. The types of permissions required from those mobile devices
  2. Why we need those permissions and whether each is mandatory or optional


The primary goal is to educate our customers and their end users with the right level of information so that any fear, uncertainty and doubt can be addressed when using the mobile apps.


We continue to churn out cool new capabilities every month. The April release notes provide complete details on other miscellaneous updates coming out in the April 2020 release.

As depicted in the 2019 movie Ford v Ferrari, the sports car race 24 Hours of Le Mans is an endurance race that tests the durability of equipment and the will and stamina of participants. For many corporate IT teams, dealing with the sudden, almost overnight transition to an all remote workforce has been an endurance race with similar tests.


And in the frenzy of needing to rapidly ramp up remote access to an entire organization and the rush to get authenticators into people’s hands to win the initial leg of the race, the obvious fact that there will be downstream impacts to the stability and performance of your authentication system can easily be overlooked. After all, RSA Authentication Manager is a workhorse that often masks smaller upticks without a hitch.


However, as your remote user population explodes, peak authentication rates go through the roof, and associated administrative activities (exacerbated by “newbies” to multifactor authentication) ascend to all-time highs, it is possible for performance slowdowns -- and blinding panic -- to set in.


Your RSA SecurID solution, normally a rock of IT stability, is going sideways...  “The RSA is broken”...  What is happening?!?!?


Don't worry. Everything is going to be alright after making the necessary adjustments.


It is important that you take a systematic approach to reviewing your RSA environment and evaluating key areas for “redlining” conditions that ultimately result in a poor user experience of one sort or another. These key areas include both underlying system resources as well as RSA configuration parameters.


Extensive RSA performance tuning guidance is available through documents posted under the “Optimize & Tune” section of the new RSA Remote Workforce Resource Center.


Over its 30+ year history, RSA SecurID Access has established itself as a proven winner, capable of standing up to the biggest challenges...  even while running at high RPMs.

With governments worldwide implementing various travel restrictions and guidelines for their citizens lately, organizations and their employees are learning to live with the New Normal: essential businesses, social distancing, remote learning, and work from home.


Organizations today are also learning to deal with the realities of operating in this new environment.


The Home Office is now The Office for employees

The Internet is now The Corporate Network for admins

The New Normal is now Business As Usual for Lines Of Businesses (LOBs)


LOBs have highlighted an urgent need for employees to conveniently and securely access critical resources from The Home Office, over The Internet, during The New Normal, as they develop business resiliency while simultaneously enabling a large remote workforce. In some cases, employees may need to access these work resources from just about any machine that is made available to them at any given point in time.


Let us take a look at what is new with RSA SecurID Access in 2020 that organizations can use to achieve these goals. 


FIDO Authentication


Enterprise interest in FIDO as a secure and convenient authentication method that employees can use anywhere, on any machine, is growing, as organizations recognize that it can achieve this goal with devices that are portable and easy to use. As organizations begin incorporating FIDO into their Identity and Access Management (IAM) strategy, they turn to us as their premier IAM solution provider to offer not just any FIDO authentication solution, but an Enterprise Grade FIDO authentication solution. Below are some examples of how we do it better:


  • Certification of the RSA SecurID Access Cloud Authentication Service (CAS) as a FIDO2 Certified Server - January 2020
  • Verification of the integrity and authenticity of FIDO-certified security keys listed with the FIDO Alliance Metadata Service (MDS) - January 2020
  • Support for Windows Hello enabled devices and compatible Android phones as FIDO authenticators - February 2020
  • The release of the YubiKey for RSA SecurID Access - a hardware based FIDO authentication solution that provides superior defense against phishing, eliminates account takeovers, and reduces IT costs - March 2020
  • The release of RSA Security Key Utility, a Windows utility that can be deployed on users' Windows machines to manage user verification for any FIDO2-certified security key - March 2020



RSA SecurID Authenticate Mobile App


Aside from the FIDO enhancements above, we have also continued to strengthen the security of our RSA SecurID Authenticate mobile app. With our app being installed on employee-owned Bring-Your-Own-Devices (BYOD), IT admins are always concerned with the security and integrity of the underlying devices used to run the Authenticate app. With this in mind, some enhancements have been made to the Authenticate app to alleviate these concerns. These enhancements include:


  • Jailbreak Detection for the RSA SecurID Authenticate 3.2 for iOS - January 2020
  • Enhanced compliance checks for the RSA SecurID Authenticate 3.3 for Android. This ensures that the device is not rooted before allowing use of the app - March 2020


Our customers have relied on the RSA Authentication Manager (AM) server to reliably protect their mission critical infrastructure with RSA SecurID Tokens for many years. One notable enhancement made as part of Patch 9 in January 2020 is to allow users to authenticate to applications using biometrics available on their devices, such as Apple Touch ID or Face ID, Android fingerprint, or Windows Hello. This feature is available if customers use the Security Console wizard to connect the AM to CAS. For instructions, see Connect RSA Authentication Manager to the Cloud Authentication Service.  


Easier Setup and Management


To make it easy for our CAS admins to set up and manage users, the following enhancements have been implemented:





Lastly, as a reminder to our customers using CAS, the IP addresses for CAS and the Cloud Administration Console will be changing soon. We recommend that customers make any necessary firewall changes to allow identity routers and user browsers to connect to these new IP addresses. To prevent service disruption, customers' networks must be able to connect to both the existing and new IP addresses according to the table below:


Region | New IP Addresses






As organizations continue adapting to the needs of a dynamic and growing remote workforce, they expect vendors to offer solutions that can keep up with them. We hope our customers will take advantage of the enhancements announced above to provide employees with a convenient and secure way to access critical resources from The Home Office, over The Internet, during The New Normal with an Enterprise Grade IAM solution.
