With RSA SecurID Multi-Factor Authentication (MFA), do users have to do it for every sign-in? Is there an option like "skip MFA for today" after the first successful MFA sign-in?
Grant Du - I would need to know a bit more about your particular use case to give an accurate answer.
Can you identify which SecurID components you are using and what types of application(s) you may want to protect?
For example, the RSA SecurID Access Cloud Authentication Service provides single sign-on to third-party applications. Which authentication methods are available depends on the policy you set. How long it is before you would need to re-authenticate can be controlled by the session timeout configuration. Within an SSO session you may not need to re-authenticate to other applications, because you have already met whatever policy they are controlled by.
Or you might not have to explicitly authenticate at all due to an identity confidence calculation.
Hope that helps and please provide any additional scenario info if I'm not answering your question.
Thanks for your comments. We currently leverage instances of RSA ARCHER HOSTED (US), and have already enabled SSO for our corporate users. We are considering setting up MFA with RSA SecurID for non-corporate users (who don't have access to our SSO).
So, from a user experience perspective, we are wondering whether these non-corporate users have to do MFA with each sign-in (assuming the session will time out after x minutes), or whether there are options to skip it after the first successful MFA sign-in.
Grant Du From a security perspective, it is not secure to bypass the security measures in place. If the session timed out, the user would need to authenticate again.
You're asking about risk-based authentication: software that evaluates the situation, e.g. is this user coming from their normal IP address or from an IP address somewhere else? This is probably the simplest example of what a risk assessment engine does. You would then configure policies that might allow a known user on their known device* to authenticate with just a password, or maybe a click to approve from their cell phone, while for users coming from a foreign country or from a device that does not look like their usual device, the policy might require 2FA or MFA.
* "Known device" can get pretty complex, to include not just IP but OS and Java versions, what applications are installed, etc. ... all under NDA, or more likely, all secret, so that no help is provided to the bad actors trying to compromise your protected resources.
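The policy structure the two replies above describe, as an added example that is not part of this thread and not RSA's own code: an SSO session that forces re-authentication once it times out, plus a risk engine that lets a known user on a known device through with less than full MFA while unfamiliar devices or foreign countries step up to MFA. The rule set, the attribute names (known IPs, known device IDs, home country) and the 30-minute timeout are constructed assumptions for illustration; RSA SecurID Access's actual identity confidence calculation is proprietary and is not reproduced here.

```python
"""Illustrative risk-based step-up policy with an SSO session check.

Added example; not RSA SecurID Access code. Every attribute, rule and
threshold below is a constructed assumption for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional


class AuthLevel(IntEnum):
    """Authentication strength a policy can demand, weakest to strongest."""
    NONE = 0          # an existing session already satisfies the policy
    PASSWORD = 1
    PUSH_APPROVE = 2  # tap-to-approve on the user's registered phone
    MFA = 3           # password plus a second factor


@dataclass(frozen=True)
class UserProfile:
    """What the (hypothetical) risk engine has learned about a user."""
    username: str
    home_country: str
    known_ips: frozenset
    known_device_ids: frozenset


@dataclass(frozen=True)
class SignInContext:
    """Observed facts about one sign-in attempt."""
    username: str
    source_ip: str
    device_id: str
    country: str
    now: datetime


@dataclass(frozen=True)
class Session:
    """An SSO session created by an earlier successful authentication."""
    username: str
    level: AuthLevel
    authenticated_at: datetime
    timeout: timedelta


def assess_risk(profile: UserProfile, ctx: SignInContext) -> AuthLevel:
    """Map the sign-in context to the weakest method the (assumed) policy allows."""
    foreign = ctx.country != profile.home_country
    known_device = ctx.device_id in profile.known_device_ids
    known_ip = ctx.source_ip in profile.known_ips
    if foreign or not known_device:
        return AuthLevel.MFA            # unusual location or device: full MFA
    if known_ip:
        return AuthLevel.PASSWORD       # known user, device and network
    return AuthLevel.PUSH_APPROVE       # known device on an unfamiliar network


def session_satisfies(session: Optional[Session], ctx: SignInContext,
                      required: AuthLevel) -> bool:
    """True if an existing session is for this user, unexpired, and strong enough."""
    if session is None or session.username != ctx.username:
        return False
    if ctx.now - session.authenticated_at >= session.timeout:
        return False                    # timed out: re-authentication is mandatory
    return session.level >= required


def decide(profile: UserProfile, ctx: SignInContext,
           session: Optional[Session]) -> AuthLevel:
    """What the user must do now: NONE if the SSO session already meets policy."""
    required = assess_risk(profile, ctx)
    if session_satisfies(session, ctx, required):
        return AuthLevel.NONE
    return required


# Constructed sample data (not real users, addresses or devices).
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
ALICE = UserProfile("alice", "US", frozenset({"203.0.113.10"}),
                    frozenset({"laptop-a1"}))
ALICE_MFA_SESSION = Session("alice", AuthLevel.MFA, T0, timedelta(minutes=30))


def ctx(ip: str, device: str, country: str, minutes_after_t0: int) -> SignInContext:
    return SignInContext("alice", ip, device, country,
                         T0 + timedelta(minutes=minutes_after_t0))


if __name__ == "__main__":
    for label, c, s in [
        ("known device/IP, no session", ctx("203.0.113.10", "laptop-a1", "US", 0), None),
        ("known device, new IP", ctx("198.51.100.7", "laptop-a1", "US", 0), None),
        ("unknown device", ctx("203.0.113.10", "phone-x", "US", 0), None),
        ("unknown device, live MFA session", ctx("203.0.113.10", "phone-x", "US", 10), ALICE_MFA_SESSION),
        ("unknown device, expired session", ctx("203.0.113.10", "phone-x", "US", 31), ALICE_MFA_SESSION),
    ]:
        print(f"{label}: {decide(ALICE, c, s).name}")
```

`decide` is the policy decision point: it evaluates risk first and only then asks whether the current SSO session is strong enough, so a session established with a password alone never waives a later MFA requirement, and an expired session always forces re-authentication regardless of risk.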
Thanks for all your comments. Really appreciate it.