Action Required for Upcoming Identity Router and RSA SecurID Authenticate App Security Improvements

Document created by RSA Product Team Employee on Aug 26, 2020. Last modified by RSA Product Team Employee on Sep 16, 2020.
Version 10
Summary:

To strengthen the overall security of RSA SecurID Access, RSA is rolling out significant improvements that affect all identity routers and the RSA SecurID Authenticate app (iOS and Android). Changes include:

  • Improving the strength of our database encryption by using Federal Information Processing Standards (FIPS)-supported algorithms in the Cloud Authentication Service.
  • Forcing the use of Transport Layer Security (TLS) 1.2 or greater encryption for all communication from the identity routers to the Cloud Authentication Service.
  • Upgrading identity routers to SUSE Linux Enterprise Server (SLES) version 12 SP5, hardened to Security Technical Implementation Guide (STIG) standards.

To ensure uninterrupted service and avoid downtime, you must take action by the following dates.

Event & Action: After RSA migrates database data to FIPS-supported algorithms, the Cloud Administration Console will display a Changes Pending message. Please ignore this message as a publish is not required. This status will disappear after your next regular publish.
Begin Action: No customer action needed.
End Action: EMEA and ANZ regions: 8/29/2020; US region: 9/12/2020

Event & Action: The RSA SecurID Authenticate app version 2.x will no longer work for iOS or Android. Users must upgrade to the latest version in order to authenticate. See the advisory for details.
Begin Action: Immediately
End Action: October 12, 2020

Event & Action: You must update all identity routers to the August release (version 2.10.0.0.5 or higher for on-premises identity routers and RSA_Identity_Router 2.10.0.0.6 or higher for Amazon Cloud) before the last identity router upgrade date (October 31, 2020). After October 31, RSA SecurID Access will enforce TLS 1.2 for all connections. Versions of TLS earlier than 1.2 will no longer work. To ensure uninterrupted connectivity, make sure your identity routers are running the latest software version (12.10.0.8) prior to October 31. For instructions, see Update Identity Router Software for a Cluster. If you are using a proxy server, you must ensure it also supports TLS 1.2 and later.
Begin Action: Follow your normal upgrade schedule.
End Action: October 31, 2020
EOPS Policy: RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
