SecureID RSA, Multifactor Authentication

1
Dell Customer Communication -
RSA SECURID® ACCESS

2
W H AT I S A U T H E N T I C AT I
O N ?

Identification “This is Who I Am”
Authentication “This is My Claim to an Identity”
Authorization “This is What I Can Do”
3
3
Dell Customer Communication - Confidential
A C C E S S C O N T R
O L

• Proof of who you are
• Done during the on-boarding process
I D E N T I F I C AT I
O N
4
4

A U T H E N T I C AT I
O N
• A claim to identity
• The most commonly used authentication method in the online world is the
Password.
5
5

A U T H O R I Z AT I
O N
• Authorization deals with what you can do once you’ve been authenticated to a system
6
6

7
W H AT I S T W O - FA C T O R A U T H E N T I C AT
I O N ?
7

8
8
Two-Factor Authentication:
“The act of identifying an individual by using any combination of something they know,
something they have OR something they are.”
“Something you know” = PIN, password,
life question
“Something you have” = Token, Smartcard,
Trusted Device
“Something you are/do” = Biometrics
(fingerprint, retinal scan, etc)

9
9
Something you Know
Something you Have
AT M W I T H D R
AWA L

10
R S A S E C U R I D C O M P O
N E N T S

11
C O M P O N E N T S- AT A
G L A N C E
AUTHENTICATORS AGENTS Authentication Manager

12
Web
Server
DMZ Internal Network
Auth Mgr 8.x
(Primary)
Identity Source
R S A S E C U R I
D
External Network RSA
Web Tier
RBA
SSC
CT-KIP
Login: RGasparian
Passcode: 2468159759
PASSCODE = PIN + TOKENCODE
SSL-VPN
VPN

13
S E C U R I D C O M P O
N E N T S
Authenticator Agent SERVER
(Authentication Manager
Platforms & Architecture)

14
H A R D WA R E A U T H E N
T I C AT O R S O V E R V I E W
• Hardware Token: a physical device assigned to a specific user and generates a unique number at a specified
interval.
• Customer choice based on their requirements for:
— Function: OTP, hard disk encryption, transaction signing, etc.
• All of RSA’s tokens utilise the cryptographically strong AES algorithm for time synchronous authentication

15
H A R D WA R E A U T H E N T I C
AT O R
Username: JJONES
32848
Passcode: 2468 0
Token code:
changes every
60 seconds
PASSCODE =PIN + T
OKENCODE
http://searchsecurity.techtarget.com/definition/RSA

16
16
W H Y I S T I M E - S Y N C H R O N O U S A U T H E N T I
C AT I O N I M P O R TA N T ?
• Time-based OTP has precise clock that changes a password every 60 seconds
• Very hard to phish as OTP becomes invalid in one minute
• More secure than an event-based OTP where password does not expire until another
one is entered into the system.
• Trojan attacks must be in real-time to be able to compromise system
Same Seed
Same Algorithm
Same Time
Algorithm
Time
Seed
Algorithm
Time
Seed
159759
159759
Authentication
Manager

17
H A R D WA R E T O K E N
O P T I O N S
Quality Authenticators
Highest-quality authenticator-manufacturing processes,
which means fewer token failures in the field
Multi-Use Tokens
Multiple uses for these authenticators such
as hard-disk encryption, email signing,
and more
Customisable
Brand your organization and demonstrate your commitment
to security with custom artwork on your RSA tokens
e,
Time-Synchronous
An approach that combines tim
an algorithm and a unique
identifier to strengthen overall
cryptographic value
Warranty
Covers each RSA token for
the entire life of the device

18
S I D 7 0
0
Known as a ‘Key Fob’ token
Simply read the changing number on the display
Robust design, built to survive harshest conditions
▪ Rigorously tested to be the industry's highest
quality token
RSA’s most popular hardware token
EZ-View Display (SID700)

19
W H AT ’ SI N S I D E O F A H A R
D WA R E T O K E N
( S I D7 0 0
)
Coin cell 3V
Lithium ion
battery
Display
• Time crystal (clock)
• Microprocessor
• Microcontroller
• Epoxy filling
• Case
Creates a “tamper-evident” authentication device

20
A P L A N N E D L I F E
T I M E
1. Hardware tokens are built with an assigned life
2. Range from 24 mths up to 60 mths
(depends on token type and system software release)
3. The most commonly purchased token is the 36 month SID 700
4. A pre-expiring shelf life enables customers to budget and plan token rotations
5. In most cases, the expiration date is stamped on the back of the token

21
H O W W E D O I T B E T T E R – S I
D 7 0 0
Designed to Last
− Ultrasonic welded case
− Epoxy filled
− Beveled LCD display
− Anti-shock foam
• Rigorously Tested
– Over 20 tests performed;
including: High / Low Temperature
Temperature Cycling
High Humidity
Mechanical Shock & Vibration
Drop Test
Electrostatic Discharge (ESD)
Radiated Immunity (EMI)
Radiated Susceptibility
Radiated Emissions
X-ray
Altitude Testing
Accelerated Life Testing
Cert Testing: UL / FCC /
CE
• 40+ million actively in use
• 8 yrs in the marketplace
• Only 0.05% in field failures

22
S I D 8 0
0
 K n o w n as the ‘Hybrid Token’
 Se cur I D & PKI in a single multi-purpose authenticator
Supports one time password (OTP), digital certificate, and password credentials
— Auto login to Windows Domain or other applications
Maintains traditional anywhere, anytime access
— Read token code from display
Provides OTP auto-entry for ease of use
— No need to type in the OTP, just insert the device into the USB port
Provides support for file and full disk encryption
— Prevent data breach from stolen laptops

23
Digital Certs
SecurID OTP
Passwords
VPN/Wireless
File/Disk
Encryption
Email
Signing
Web/App
Auth
PC/Domain
Auth
Multiple Credentials…
Multiple Applications…
One Seamless End User Experience
S I D 8 0 0 :M U LT I - A U T H E N T I C AT O R
I N O N E

24
S I D 8 0 0 :C O M P O N E N T S I N P
L AY
• Display SID800 OTP
• No software seed record provisioning necessary, uses SID 800
• ADA compliance with JAWS screen reader
• Desktop API authenticator extends SID800 OTP access (Windows login, VPN login,
etc…)
Desktop
Authenticator
(Windows Only)
• RSA Authentication Client (RAC) aka “Middleware”
• Manage smartcard PIN, certificates and credentials
• Display SID 800 OTP
RAC
• Seed record on device
• Display OTP
• Smartcard in device
• Stores Digital Certificates
• Stores Password Credentials
SID 800

25
H O W W E D O I
T
B E T T E R -S I D 8 0
0
Insert token and enter PIN to…
▪ Authenticate to the PC/laptop
▪ Unlock an encrypted hard drive
▪ Establish a secure network connection to a VPN
or wireless access point
▪ Authenticate to the corporate domain
▪ Access secure applications and web sites
▪ Authenticate to remote PCs or terminal servers
▪ Encrypt sensitive documents and files
▪ Sign and encrypt emails
Remove the token to…
▪ Lock down or log off from the PC/laptop

26
S O F T WA R E A U T H E N T I C
AT O R S

27
T O D AY: A N Y U S E R , A N Y D E V I C E ,
A N Y W H E R E
Server
Applications
Cloud
Applications
Remote Managed
Device
BYOD
Inside the
Network
Network
VPN
Virtual Desktop
Mobile Apps
Web Browser
External and Temporary
Users
Unmanaged
Devices
Uncontrolled
Access Points
Information in Public Cloud and
Hosted Applications
Employees
Contractors
Partners
Customers

28
R S A S E C U R I D S O F T WA R E A U
T H E N T I C AT O R S
RSA SecurID Mobile SDK
Desktop Tokens
Mobile Phones and Tablets

29
R S A S O F T WA R E A U T H E N T I C
AT O R S
• Transforms devices your users
already own and carry into
SecurID tokens
• Reduces frequency of lost or
forgotten tokens
• Eliminates the “token
necklace”
problem
• Removes hurdle of end user
acceptance of two-factor
authentication
• Eliminates the need to inventory
additional tokens
• Simplifies deployment process
• Decreases support calls for lost
or forgotten tokens
• Lower TCO than hardware
tokens
• Leverages investment in existing
hardware
• Expand strong auth. to
applications accessed by
partners and customers
• Provides an easy and convenient
mass deployment option
• Enhances confidence to offer
more self-service options to
customers and partners.
Convenience Value Expansion

30
T W O C O M P O N E N T S O F A S O
F T WA R E T O K E N
OS-specific application downloaded from
RSA.com or app stores
Must be installed first on a user’s device
before provisioning occurs
Application/Token Container
+
Customer Token Record
(Seed Record)
• Purchased from RSA (SID 820)
• Provisioned by admin to the user’s
device

31
S O F T WA R E T O K E N D E P L O
Y M E N T O P T I O N S
SDTID
• File Based Token Delivery
• Devices must support email
attachment import
• Supported Form Factors
• Mobile Tokens
• Desktop Tokens
CTF String
• Text Based Token Delivery
• Generated by Token
Converter or AM 8.x
• Converts SDTID file into
compressed token format
(CTF) string
• Alternative to file
attachments
• Supports Android, iOS and
Windows Phone Mobile
Devices
CT-KIP
• Dynamically Provisioned
Tokens
• Requires CT-KIP Server
• Recommended Provisioning
Method
• Supported on AM 7.1 & 8.x
• Supported Devices include
Mobile and Desktop Tokens
QR Code
•CTF or CT-KIP encoded QR
Code
•Allows option to provision
without needing email
•QR Code generated via AM
8.1 SP1 SSC, AM Prime,
Token Converter, 3rd party
QR Code generator
•Supports Android & iOS
Devices
Basic Use Case Use only as
Required
Recommended

32
Out-of-Band Activation Code
via Secure Email Channel
SecurID Admin
Mobile Device User
• Secure “over-the-wire” provisioning
• No Token Record to Intercept
• Activation Code is only valid once
• Add Device Binding for Additional Security
Click CT-KIP URL with
Activation Code
CT-KIP Server CT-KIP URL to Mobile
Device
C T- K I P D Y N A M I C P
R O V I S I O N I N G

33
Q R C O D EP R O V I S I O N I
N G
• QR Code Provisioning of Software Tokens will
reduce provisioning time and costs by 80%
• Increase user self-service
• Eliminates “email” to End User Mobile
Device
• Eliminate help desk calls
• Streamline the provisioning process with
fewer, intuitive steps. Point & click.
• QR codes are becoming more accepted by
end users
• Software tokens are “QR Code Ready” (iOS and
Android)

34
R S A S E C U R I D S O F T WA R E T O
K E N S E C U R I T Y
• Server Side Attribute
• Validates the Mobile Device
• Token Record cannot be imported to another device
• Augment with OOB password to validate the user
Device Binding
• Client Side Security feature on import
• Device biometrics used to unlock the token database for each use
• Token will not function on a device without matching device biometrics
Copy Protection
•Software Token does not store the PIN in permanent memory
•The PIN cannot be brute forced
• Something you and your mobile device know is not two-factor
• The PIN does not unlock a valid passcode
Something you Know

35
R S A D E S K T O P T O
K E N S
Authenticator on the
D
e
s
k
t
o
p
 D e s k t o p Authenticator
 I E Toolbar (Win)

36
S D K :E N A B L I N G S T R O N G A U T H F O R
M O B I L E A P P S
RSA Mobile Authentication SDKs
Software Development Kit (SDK) for mobile apps
▪ Includes sample application, documentation and library for embedding
functionality in mobile apps
▪ Available free of charge for RSA customers and RSA Secured
partners
Developers can choose from the following functionality
▪ SecurID OTP Module
− Import software tokens, generate OTP
− User visible or invisible OTP

37
R I S K - B A S E D A U T H E N T I C
AT I O N

38
So what does RBA actually mean….
Risk-based authentication (RBA) identifies potentially risky or fraudulent authentication attempts by silently analysing
user behaviour and the device of origin. RBA strengthens RSA SecurID authentication and traditional password-
based authentication. If the assessed risk is unacceptable, the user is challenged to further confirm his or her identity
by using one of the following methods:
•
•
On-demand authentication (ODA). The user must correctly enter a PIN and a one-time token code that is
sent to a preconfigured mobile phone number or e-mail account.
Security questions. The user must correctly answer one or more security questions. Correct answers to
questions can be configured on the Self-Service Console or during authentication when silent collection is
enabled.

39
How it works
R I S K - B A S E D A U T H E N T I C
AT I O N
Web Browser
Protected
Resources
Identity
Challenge
?
On-Demand
Tokencode
Challenge
Questions
PAS
S
User
Behavior
FAIL
Access Denied
OWA
SharePoint
SSL VPN
Web Portals
PAS
S
RISKY
Authentication
Policy
Assurance
Level
RSA
Risk Engine
Activity Details
Device
Fingerprint
Network
Forensics
Device Token
Profile Relative Velocity
Device
Identification

40
Strengthens traditional password
authentication by silently applying
risk- based analytics
−Is the user authenticating from a
known device?
−Does the user’s behavior match
known characteristics?
Risky authentication attempts require
additional validation
− Security Questions
− On-Demand Authentication
R I S K - B A S E D A U T
H E N T I C AT I O N ( R B
A )
1
3
2
4
1
2
3
4
1st Factor:
2nd Factor:
3rd Factor:
Something you KNOW
Something you HAVE
Something you DO
Step-Up : Something you KNOW or HAVE

41
Proven sophisticated risk engine
− Same risk engine as Adaptive Auth
− Protects 350+ million online identities
Optimized for Enterprise use cases
− Optimized for: Network Security vs. Fraud
Mitigation
− Predictable: Use case vs. challenge rate
− Simplified: Assurance levels vs. risk scoring
Self tuning risk model adapts to each customer
environment
− Common device characteristics are de-prioritized
in the risk score
− Suspicious behavior is based on norms for the
overall user population
T H E R S A R I S KE N G I N
E
RSA Risk Engine

42
ON - D E M A N D A U T H E N T I C
AT I O N
Bundled with RBA License
Utilise SMS or Email
Customizable Message
Configurable Validity
Contractors, Vendors,
Backup Authenticator

43
A M W E B T I E
R

44
A M W E B T I E
R
Lightweight application installed in the DMZ that hosts services exposed to the Internet
▪ Enables secure deployment of
− RBA
− Self-Service
− CT-KIP (Cryptographic Key Initialization Protocol)
Above services require a web tier for the following reasons
−Blocks Internet access to the Security Console
−Allows customization of the RBA/Self-Service logon pages
−Up to 16 web tiers

45
A U T H E N T I C AT I O N M A N A G E R
A R C H I T E C T U R E

46
A M O N LY A RC H I T E C T
U R E
For Critical Infrastructure
Resources
• SAML
• Http-Federation
• Trusted Headers
• RADIUS
• SecurID Protocol
• REST API
Authentication Methods
• Push
• Device Biometrics
• OTP
• Voice/SMS
• FIDO
• Soft Token
• Hard Token
• RBA/On-Demand Token
• Identity Confidence
• SSO
Risk Level
• User
• Resource
• Context

47
A G E N T
S

48
W H AT I S A N A G E N T
?
A SecurID agent is installed or embedded on an access point (VPN, Web Site, Server)
that accepts credentials from an end user (Username + Passcode) and directs them to
Authentication Manager.
Agent Options
1. Native (RSA Partner Program)
2. Downloadable (RSA Owned)
3. RADIUS
4. SDK (until 8.3, Now Rest API)

49
W H AT D O E SA N A G E N T D
O ?
Trust
▪ Mechanism to allow mutual trust between Agent and Server. Protection from a malicious user
impersonating the agent or a Server.
Authentication
▪ Intercept access attempts
▪ Collect Credentials
▪ Verify with Server
▪ Provide (or deny) access
▪ Single Sign On
▪ Support for New Pin Mode, Next Token Mode
How do I know if a resource can be protected by SecurID? www.rsasecured.com
▪ Search by product or vendor
▪ Ex. Cisco ASA
▪ Displays RSA and 3rd Party owned Agents

50
R S AS E C U R E D ® PA R T N E RP R O G R
A M ( N AT I V E )
Out-of-the-box interoperability and
documentation for 400+ partner
applications
Reduce integration costs
Ensure interoperability through
stringent
certification program
Compatibility maintained through
integration updates
Fully supported by RSA and its
partners

51
Features:
• Next Generation SecurID Agents
Benefits:
• Agent connects to RSA SecurID Access AM Server
or Cloud Authentication Service
• More Authentication Options: (Push to Approve,
Fingerprint, Windows Hello, etc…)
• Stronger Security / Cryptographic Algorithms
(FIPS
compliant is target plan)
• Connect via REST (TCP) instead of UDP
• IPv6
• Agent Reporting
Authentication
Manager
Cloud Authentication
Service
1. PAM v8.1
2. ADFS
3. MFA AGENT (Windows)
4. Web
5. Citrix Storefront
NOTE: GEN II agents developed in parallel by the Agent
Team with close collaboration with AM Teams
GEN II SecurID
Agents

52
R S A L I N KS O L U T I O N G A L
L E RY
Search all
solutions
https://community.rsa.
com/community/prod
u cts/rsa-ready

53
D O W N L O A D A B L E ( R S A
O W N E D )
Some agents are owned by RSA Agents to provide tighter integration
Assures integration is always up to date
Windows/PAM Agent
▪ Protects Windows/Linux logon
− Servers, Laptops, RDP, Terminal Services…
▪ Offline Authentication available
IIS/Apache Agent
▪ Protects websites served by these 2 web servers
▪ Exchange/Sharepoint protection available (IIS only)
▪ Optional RBA support available

54
R A D I U
S

55
W H AT I S R A D I U
S ?
• Remote Authentication Dial-In User Service
• Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables
remote access servers to communicate with a central server to authenticate dial-in users and authorize their
access to the requested system or service.

56
R A D I U S C L I E
N T
A RADIUS client is any device that supports the RADIUS protocol
Are typically network endpoint devices such as
▪ Network Access Server (NAS)
▪ Firewall
▪ 802.1x Access Point
▪ VPN Server
▪ Web Server
Serves as the gateway to the network
▪ Provides the interface for user interaction (credential input,
etc)

57
W H Y I S R A D I U S I M P O R
TA N T ?
• An industry standard for authentication
- Numerous network access products are enabled for RADIUS
- Supports a wide variety of authenticators
• OTP Tokens
• Challenge/Response
• Passwords
• Certificates
• Ability to integrate with other authentication services
- RADIUS Accounting, Access Control and Authentication can be proxied to other systems (such as
AM or Windows AD)
• Used in about 2/3 of SecurID deployments

58
• The Authentication Agent SDK enables applications to authenticate via the RSA SecurID protocol.
• Supports the Java and C programming languages (the C library can also be utilized in a .NET
environment as unmanaged code).
• This SDK can perform SecurID authentication with Authentication Manager versions 5.x, 6.x,
7.1, 8.x.
SDK – S O F T WA R E D E
V E L O P M E N T K I T

59
R E S TA P
I
• A REST API defines a set of functions which developers can perform requests and receive
responses via HTTP protocols.
• Because REST API’s use HTTP, they can be used by practically any programming language.

RSA SecurID Authentication API is a REST API for developers who want to build clients that send
authentication requests to RSA SecurID Access, either through the RSA Authentication Manager
server, the Cloud Authentication Service, or both.
https://community.rsa.com/docs/DOC-75741
60

61
C O N F I D E N T I A L
Benefits of REST
API:
REST is simple.
➢ other APIs have to follow a lot of rules that make them challenging to use. In practice, this
formality, power, and flexibility generally gets in the way of doing what you want to do,
costs a lot more to implement and maintain, and is generally more trouble than it's worth.
REST is "of the web".
➢ Not only does REST assume HTTP but it adopts all of the well understood mechanisms
of HTTP. A web app developer can be very productive very fast -- both creating and
consuming these APIs -- because it just like working with a web page.
JSON which is the native data format for JavaScript, the language in all of our web
browsers... thus it's a more web-centric approach.
REST is object centric not message centric.
➢ REST wants you to focus on the THINGS in your application With REST, you can only do
four things GET, POST, PUT, and DELETE. In practice that covers about 90% of what
you want to do.

62
R E V I E W - W H AT D O E S A N
A G E N TD O ?
Trust
− Mechanism to allow mutual trust between Agent and Server. Protection from a malicious user
impersonating the agent or a Server.
Authentication
− Intercept access attempts
− Collect Credentials
− Verify with Server
− Provide (or deny) access
How do I know if a resource can be protected by SecurID? www.rsasecured.com
− Search by product or vendor
− Ex. Cisco ASA
− Displays RSA and 3rd Party owned Agents

63
V I R T U A L & P H Y S I C A
L A P P L I A N C E
Virtual Appliance
Deployable in 10-20 minutes
Hardened Security Profile to meet E
M
C
/
R
S
A
compliance
Hardened SUSE OS
 S u p p o r t for VMWare & Hyper-V
Physical Appliance
• Model A130 & A250 (Redundancy)
• Same or Cross Platform Migration
• SNMP Hardware MIB
• Deployable in 10-20 minutes
• Hardened Security Profile to meet EMC/RSA
compliance
• Remote Factory Reset
Optimised Deployments: Mix & Max Between Virtual / Hardware Appliance
Simple, Secure
deployment
Standards-based
Platforms
Lower Deployment
Costs

64
C O N S O L E S I N
A M

65
S E C U R I T Y C O N
S O L E
65
• Main administrative interface
• Manage users, groups, tokens, agents, policies
• Generate reports, configure admin roles and system settings

66
O P E R AT I O N S C O N S O
L E
66

67
S E L F - S E R V I C E C O N
S O L E
67
• Base License – Basic Self-Service
• Enterprise License – Workflow Provisioning

68
P R I M A RY A N D R E P
L I C A’ S

69
A primary is the main “instance” of the
RSA Authentication Manager
deployment
It is the master database hub
The primary is where the administration
functions are performed – “Read-
Write”
There is only 1 primary in a deployment
P R I M A RY A N D R E P
L I C A S

70
Used for accepting authentication
requests and providing backup
capabilities
Can be multiple, up to 15
Synchronized database copy
Can become the primary in a planned
or unplanned scenario in a
process called ‘Promotion’
Read-Only
R E P L I C
A S

71
J O U R N E Y TO T H E
C L O U D

72
SecurID Protocol
-OR-
RADIUS
REST API
SAML
WS-Fed
Etc.
AM IDR

73
C O N V E N I E N T & S E C U R E A C C E S S I N A W O R L D
W I T H O U T B O U N D A R I E S
R S A S E C U R I D A
C C E S S
The Gold Standard
for Strong Authentication
The Next-Generation
of Identity Assurance
• Trusted by 25,000+ Enterprises
• More than 50 million active users
• 500+ certified technology partners
• Dynamic risk-based Identity Assurance
• Mobile MFA: Push, OTP, biometrics & more
• Any application: on-premises or in the cloud
• SaaS delivery, subscription pricing

74
C O N N E C T T O A N
Y T H I N G
Centralised
Access
Policies
SaaS
Applications
Traditional/on-premise
Applications (400+ RSA
SecurID integrations)
Web
Applications
Mobile
Applications
(SAML-Enabled)

75
75
P R O T E C T C L O U D A P P S A N D C O N T R O
L A C C E S S W I T H S S O
Centralized
Access
Policies
SaaS
Applications
Traditional/on-premise
Applications (400+ RSA SecurID
integrations)
Mobile Applications
(SAML-Enabled)
SecurID Tokencode
Pull down to check for
authentication
3905 0001

76
F R O MA N Y W H E
R E
Optimise
Security &
Convenience
At Work
Remote
On Mobile

77
T H E R S A D I F F E R E N C E :A H Y B R I D
A P P R O A C H
• A secure approach to
supporting on-prem
applications
• Sensitive user & org
information remains on-
premises
• Active Directory passwords
are NEVER sent to cloud
• Dedicated runtime not
shared
with other tenants
Web
Reverse Proxy
Active Directory
/LDAP
Authentication
Manager
8.x
SecurID Access
Identity Router
App Portal

78
R S A S E C U R I D A C C E S S A R
C H I T E C T U R E

79
Next Generation Authentication
Resources
• SAML
• Http-Federation
• Trusted Headers
• RADIUS
• REST API
• Push
• OTP
• Voice/SMS
• FIDO
• Soft Token
• Hard Token
• SSO
Risk Level
• User
• Resource
• Context
I D R O N LY A R C H I T E C T
U R E

80
F U L LH Y B R I D A R C H I T E C T
U R E
Maximum Flexibility
Resources
• SAML
• Http-Federation
• Trusted Headers
• RADIUS
• REST API
• Push
• OTP
• Voice/SMS
• FIDO
• Soft Token
• Hard Token
• SSO
Risk Level
• User
• Resource
• Context

81
C L O U D I D P A R C H I T E
C T U R E
Lightweight Requirements
Resources
• SAML
• Http-Federation
• Trusted Headers
• RADIUS
• REST API
• Push
• OTP
• Voice/SMS
• FIDO
• Soft Token
• Hard Token
• SSO
Risk Level
• User
• Resource
• Context

82
S E C U R I D A C
C E S S
U S E RC A S E
S

83
5 A C C E S S U S E C A S E S F O R T H AT
N E E D 2 FA / M FA
C L O U D A P P
S
D I G I T A L
W O R K S P A C
E S
N E X T - G E
N
F I R E W A L
L
P R I V I L E G E
D
A C C O U N T S
VPN

84
VPN

85



MFA for VPN
▪ Something you have and know
▪ High-level of security
▪ Always on and available
▪ Broadest number of use scenarios
VPN
Remote Access (VPN)
▪ Remote access is critical for today’s
distributed and mobile workforce
▪ Passwords are easily compromised
and used in attacks
Mobile MFA for VPN
▪ Offer smartphone-based options
▪ Provide users with more choices
▪ Streamline user provisioning
▪ Apply auth method based on risk
Machine Learning
Risk-based Analytics

86
P R I V I L E G E
D
A C C E S S M
G M T
* M FA
Password Vault
▪ Automatically rotates and controls
access to privileged account
passwords
▪ Defaults to password-level security for
access
▪ Very attractive target for attackers
Multi-factor Authentication
▪ Protect front door access to PAM
solutions and other privileged accounts
▪ Offer a broad set of authenticators
▪ Use machine learning risk analytics to
increase security and reduce friction
▪ Secure cloud admin tools like AWS and
Azure management consoles



Machine Learning
Risk-based Analytics

87
C L O U D C R E AT E S N E W
C H A L L E N G E S
L I M I T E D V I S I B I
L I T Y
creates gaps between
“islands of identity”
A N Y T I M E A C C E
S S
that’s convenient to any
cloud app from any device
PA S S W O R D S
are easy to compromise
and reuse undetected
12345678

88
S E C U R I N G A C C E S S TO C L O U D
A P P L I C AT I O N S
M U LT I F A C T O R
A U T H E N T I C AT I
O N
• Give users choice and convenience
with a broad set of MFA options
• Bridge islands of identity, and limit
multi-vendor costs with one
authentication platform
• Eliminate user friction and preserve
the cloud simple UX with risk based
analytics
• Provide a consistent experience for
on-prem and cloud apps

89
89
4
Palo Alto requests
identity assurance from
RSA (SAML, RADIUS
or API)
6
ID verified
5
RSA challenges user
User
3
Palo Alto prompts user
for MFA
1
Access application
Palo Alto Networks
Next-Gen Firewall
7
Access granted
2
Check policy
Multi-factor
authentication methods
APP SERVER
IOT DEVICES
ISOLATED NETWORK
E N F O R C E M
FA
AT T H E
F I R E WA L L
Next-Gen Firewall + MFA
▪ Mitigate identity risk with a multi-layer
approach to secure access
▪ Save time and money deploying multi-
factor authentication by avoiding the
need to modify applications
▪ Increase security and reduce user
friction with machine learning risk
analytics and mobile authentication
methods
▪ Bridge islands of identity across
custom apps, IoT devices and isolated
networks
▪ Provide security and convenience by
challenging users according to the
level of risk

90
MULTI-FACTOR
AUTHENTICATIO
N
D I G I TA L
W O R K S PA C
E S
Application
Mgmt
Endpoint
Mgmt
User
Mgmt
* M FA
Application and Device Management
▪ Delivers cloud-based, on-prem and
virtual applications
▪ Supports BYOD and corporate
owned
device models
▪ Provides consumer-simple SSO
Multi-factor Authentication
▪ Protect front door access to digital
workspace SSO portal
▪ Offer a broad set of
authenticators
▪ Step up authentication to individual
apps based on the level of risk.
▪ Use machine learning risk analytics to
increase security and reduce friction

91
AUTHENTICATORS
C O N F I D E N T I A L

92
R S AS E C U R I D TO K
E N S
Traditional Authenticators
Software Token
Hardware Token

93
Approve
Software Token
Device Biometrics
R S AS E C U R I D ®
AU T H E N T I
C AT E
Enhanced Authenticators

94
R S A S E C U R I D
A U T H E N T I C
AT E

95
R S A S E C U R I D
A U T H E N T I C
AT E

96
R S A S E C U R I D
A U T H E N T I C
AT E

97
R S A S E C U R
I D S O F T WA
R E TO K E N

98
• MyPage
• RSA Hosted Self-Service
• QR Code and Activation code
• just like SW Token
M FA E N R O L M E
N T

99
S E C U R I D A P P –
M O B I L E M
FA
SecurID Tokencode
Pull down to check for authentication
3905 0001
Provisionless
OTP (Token)
Push Notification
(1 tap approve)
Touch ID
(fingerprint)
SKIP TO TOKEN
FINGERPRINT
Face ID
(iPhone X)

100
FIDO Tokens – A standard (U2F) for a specific type of hardware token from any supporting vendor.
E.g. Yubikey. (* Fully supported but not sold by RSA)
SMS / Robocall Option – for non-smartphone users (* extra licence cost)
Full Support for Traditional Tokens – keep existing fleet or leverage traditional HW or SW token

101
“ C H A I N I N G ” A U T HM E
T H O D S
SecurID Tokencode
Pull down to check for
authentication
3905 0001
FINGERPR
SKIP
TO
INT
TOKEN
You can chain almost any combination of 2 methods to provide
Higher Assurance
of a user’s identity when they access something

102
Device Registration
SECURID ACCESS USER EXPERIENCE
Approve PIN protection Fingerprint
sp45
sp41

103
RSA SECURID ACCESS
AUTHENTICATION SYSTEM
The Platform

104
User
Resource
R S AS E C U R I D ACC
E S S
Traditional Identity Assurance

105
Resource
E S S
User

106
Resource
Granted
E S S
User

107
Denied
Resource
E S S
User

108
Resource
E S S
Seamless Identity Assurance
User
Risk Level
User
❑ Admin
❑ Executive
❑ Worker
Resource
❑ I.P
. Data
❑ Classified
❑ Public
Context
❑ Network
❑ Location
❑ Behavior
❑ Country
❑ Agent
❑ Browser

109
Granted
Resource
E S S
User User
❑ Admin
❑ Executive
✓ Worker
Resource
❑ I.P
. Data
❑ Classified
✓ Public
Context
✓ Network
✓ Location
✓ Behavior
✓ Country
✓ Agent
✓ Browser
Risk Level

110
Step-Up
– Token
– Biometric
– Push
Resource
E S S
User User
❑ Admin
❑ Executive
✓ Worker
Resource
❑ I.P
. Data
❑ Classified
✓ Public
Context
× Network
× Location
✓ Behavior
✓ Country
✓ Agent
✓ Browser
Risk Level

111
Denied
Resource
E S S
User User
❑ Admin
❑ Executive
✓ Worker
Resource
❑ I.P
. Data
× Classified
❑ Public
Context
× Network
× Location
× Behavior
× Country
× Agent
× Browser
Risk Level

112
Step-Up
– Token
– Biometric
– Push
Denied
Granted
Resource
E S S
User
Risk Level
User
❑ Admin
❑ Executive
❑ Worker
Resource
❑ I.P
. Data
❑ Classified
❑ Public
Context
❑ Network
❑ Location
❑ Behavior
❑ Country
❑ Agent
❑ Browser

113
Risk-based Authentication
Access in context
RISK RISKY
PASS DENY
Device App
Role Location Behavior
MACHINE
LEARNING
Pervasive MFA
Certified and supported
C R I T I C A L S E C U R E A C C E S S
C A PA B I L I T I E S
Modern MFA Methods
Easy & convenient
Push Mobile OTP Biometrics Text Msg Voice Call
Proximity
HW Token Wearables
SW Token FIDO
Assurance Levels
Challenge according to the level of
risk
Security
Risk

114
Network
Session App
Device
Role
RISKY
PASS
Location
Static User and
Context Rules
Deny
Behavior-based
Confidence
I N T E L L I G E N C E D R I V E N I D E N T I T
Y A S S U R A N C E
Approve Tokencode RSA SecurID
FIDO
Eyeprint ID
Fingerprint
Location
Time
App
Network
Device
Access
Pattern

115 C O N F I D E N T I A L
H O WW E D E T E R M I N E I D E N T I T Y C
O N F I D E N C E
Time
• Is this a normal access time
• Is this a weekend
Application
• Is this a common or uncommon application for the user
Device
• Is this a recognized device for this user
• A user account is being used simultaneously on more than one device
• Device language settings
Access patterns
• High authentication velocity: user authenticates unsuccessfully many times quickly
• Multiple users are authenticating from the same IP
Location
• Physical location of a user (estimated from HTML5 and IP Geolocation)

116

117

118

119

120 I N T E R N A L O N L Y
MARKET OVERVIEW – SECURID SUITE
Customer Profile:
• Size: SMB to global enterprise
• Industries: All verticals
• Protect applications & access from on-premise to cloud with convenient yet secure MFA
Customer problems:
• Need to protect cloud apps with more than just username & password with convenient yet secure MFA
• Next generation authentication required to allow for secure but convenient authentication
• Need to meet audit or regulatory controls for user access management
Questions to ask:
• How do you protect cloud-based apps
• Do you have islands of identity (uncontrolled SaaS
services)
• What would happen if you were breached via a cloud app
• Are you failing any security audits or regulatory
compliance around access management
Things to listen for:
• Two-factor authentication or multi-factor authentication
• Gain control
• Gain visibility to who has access to what

121
121
Security Sensitive
High Touch
Low Touch
Convenience Driven
PROFILE / MATURITY
SIZE / COMPLEXITY
T H E F O U R K E Y C U S TO M E R
C O N V E R S AT I O N S
Modern Authentication
Ensure seamless user access to critical resources with MFA options that are securely managed,
aligned to risk, work uniformly from ground-to-cloud and are adaptable to any situation or need
Identity Assurance
Mitigate risk and ensure the highest levels of identity assurance for
sensitive use cases while further reducing sources of friction that can
inhibit end user productivity
Enterprise Grade
Provide best-in-class support for complex environments, diverse
user populations and custom tools & workflows with enterprise
grade reliability, performance & scale
Journey to the Cloud
Enable customers to take that “next step” in their journey to
the cloud with minimal friction and with options aligned to
their individual risk tolerance, timing and phase of maturity
R S A C O N F I D E N T I A L . I N T E R N A L U S E O N L Y

122
122
Compliance
I face ongoing compliance regulations and
internal policies that I must adhere to for strong
auth.
Prevent Fraud
I am fighting malware such as Trojans and don’t trust
my end users (or their PCs). How, I have to trust them
due to both business & regulatory reasons
Enable Mobility
It is difficult to cost-effectively and accurately manage
auth for multiple types of remote workers and
multiple apps
Enterprise Authentication
Secure Access
I am planning to shift my auth and IT infrastructure to
the cloud to lower costs and ease admin burden.
C U S T O M E R C H A L L E N G E S : F
O U R M A I N D R I V E R S

123
RSA SECURID
COMPETITIVE INTEL

• Microsoft
• Gemalto
• Duo
CONFIDENTIAL

CONFIDENTIAL
• Microsoft offers two options for MFA: Microsoft MFA for Office 365, or MFA
capabilities built into Microsoft Azure Active Directory Premium.
• Authentication is assigned for all the apps or none of the apps.
• One authentication option for when users are offline.
• Microsoft offers just one option for user cases where mobile phones are prohibited
or mobile service is unreliable
Microsoft MFA

CONFIDENTIAL
What you should know
SecurID vs Microsoft :
• The organisation has both on-premise and cloud user cases
• The organisation has a security-first mindset and understands the need for
Identity Assurance.
• The organisation needs at least some hardware or desktop, software tokens

CONFIDENTIAL
Gemalto
• Safenet Authentication Manager (SAM) with OTP, certificate-based and software
authentication options.
• Safenet Authentication Service delivered from SafeNet cloud with token options,
as well as mobile.
• SafeNet Trusted Access provides authentication for SaaS based applications and
SSO.
• Does not offer Identity Governance and Lifecycle

CONFIDENTIAL
Questions customers should ask Gemalto?
• How can l be confident your roadmap will align to our future authentication and
identity management needs?
• Will Thales acquisition of Gemalto change your roadmap, your structure or your
position in the access and identity management market (IAM)?

CONFIDENTIAL
DUO
• Limited capability in supplying rich contextual and user behaviour analysis
• DUO uses partners to support Governance and Lifecycle Management
• No stand-alone on-premises deployment option
• MFA capability
• Endpoint visibility

CONFIDENTIAL
Questions customers should ask DUO?
• What is the largest deployment size that can be supported by DUO Trusted
Access?
• Can l Deploy DUO without requiring an on-premises component?

CONFIDENTIAL
• Customized Authentication methods based on application assurance levels.
• Support for Offline Authentication.
• Solution for situations were smartphones cant be used.
• Strong Identity Assurance
• RSA Ready Program
• Optional On-Premises Deployment

133
RSA SECURID ACCESS
LICENSING
Product Packaging

134
RSA SECURID
ACCESS:
BASE
Future Proofing Platform
• Advanced Policies
• Authentication Context
• HA/Failover
• AMBA
• SSO Portal
• Token Based Authentication (Hard/Soft/ODA)
• Enhanced Authenticators (Authenticate/FIDO)
• RADIUS/SID Protocol Support
• SAML/HTTP Fed/Trusted Headers Support
• IP Address Contextual Authentication

135
High Availability and Bulk Token Deployment
• HA/Failover
• AMBA
• SSO Portal
RSA SECURID
ACCESS:
ENTERPRISE

136
RSA SECURID
ACCESS:
PREMIUM
Next Generation Authentication
• HA/Failover
• AMBA
• SSO Portal

137
Demo Time!

138
AUTHENTICATION MANAGER 8.4
138

139
SOME FACTS
• Host RSA Authentication Manager 8.4 in the Microsoft Azure cloud
• AM 8.4 Cloud Value
• Upgrade Path to AM 8.4
139

140
AUTHENTICATION MANAGER 8.4 P4

141
PATCH 4 UPDATES
• AM 8.4 Patch 4 allows you to connect RSA Authentication Manager to the Cloud Authentication Service and
quickly roll out modern MFA to your users.
• You do not need to replace or update your existing agents
• Security Console wizard to configure the connection and invite users to authenticate to the Cloud.

CONFIDENTIAL
AM 8.4 AM 8.4 P4 Comments
IDR deployment and CAS*
connection
Needed Needed Needed for CAS user sync
IDR connection in AM Needed Available/Optional Supports
Authenticate Tokencode
Connect to CAS* Not Available Available Supports
Authenticate Tokencode
PIN+Approve
Authenticate Tokencode Supported Supported Supported in
IDR
Connect to
CAS
PIN + Approve** Not Supported Supported Only for Connect to CAS
CONNECT TO CLOUD DEMYSTIFIED
*CAS - Cloud Authentication Service
**Details discussed in next slides
142

143
JOURNEY TO CLOUD
Authentication Manager 8.4 Patch 4
CONFIDENTIAL

Authentication
Agents
SecurID Access
Authentication
Manager
User
RSA SecurID
Software
Tokens
RSA SecurID
Hardware
Tokens
Authenticate App
Token
IDR
Approve

145
CONFIDENTIAL
✓ Enabling seamless one-time Configure the Cloud Connection
✓ Ability to Invite users to enroll for MFA
✓ Expand Authentication Methods to support Mobile MFA (PIN + Approve)
✓ Support for Unified users dashboard for SecurID Access Users
✓ What happened to my IDR connection?
THE HOW

SecureID RSA, Multifactor Authentication

147

148

149

150

ENABLE/DISABLE CLOUD AUTHENTICATION
151
CONFIDENTIAL

CLOUD AUTHENTICATION STATUS: ENABLED
152
CONFIDENTIAL

✓Cloud Authentication Service and Authentication Manager has to be connected to the same
identity source.
✓Authentication Manager has to be connected to Cloud Authentication Service.
✓SMTP service has to be configured in Authentication Manager.
154
CONFIDENTIAL
PRE REQUISITES

155
ENABLE MFA WITH EXISTING AGENTS (PIN +
APPROVE)
CONFIDENTIAL

As an existing SecurID customer, my users should be able to use
”existing PIN” + “Mobile MFA method Push to Approve”
versus using their Passcode to access existing applications (VPN, etc.).
156
CONFIDENTIAL
REQUIREMENT

✓Authentication Manager has to be connected to Cloud Authentication Service.
✓Cloud Authentication should be enabled in Authentication Manager
✓Cloud Authentication Service and Authentication Manager are connected to same identity
source
✓Policy must contain Approve.
✓User has RSA SecurID Authenticate app registered with Cloud Authentication Service.
157
CONFIDENTIAL
PRE REQUISITES

158
Thank You!

159
Any Questions?

SecureID RSA, Multifactor Authentication

More Related Content

Similar to SecureID RSA, Multifactor Authentication (20)

Recently uploaded (20)

SecureID RSA, Multifactor Authentication