How RSA SecurID authentication works

Before you begin

When you enable RSA SecurID authentication on the Two-Factor Authentication page, the logon process for an administrator accessing the Security Manager URL is as follows:

Steps

  1. The Security Manager detects that RSA SecurID authentication is enabled and available, and displays the RSA version of the logon screen. (The “Forgot my password” link on this screen does not apply to SecurID passcodes.)
  2. Administrators provide their two-factor authentication credentials as defined by their organization. For example:
    • The SecurID user name might be the administrator’s email address or network logon name.
    • The passcode is usually a PIN combined with a token code supplied by a separate hardware or software token; the format depends on each organization’s configuration.
  3. The authentication mechanism searches the local repository for a user profile that matches the user name provided. If there is no match, the search is repeated in the directory service. If a network user is found, the Security Manager looks for groups that have been assigned permissions in the system, and the RSA logon proceeds only if the user's groups intersect those permitted groups.
  4. The Security Manager custom agent checks the SecurID user name and the passcode against the Authentication Manager. If authentication fails, the authentication request falls back to Security Manager administrator credentials if configured; otherwise, the administrator cannot log on.

    The custom agent supports the creation of a new PIN, if required, as part of the authentication process. This may be entered by the administrator or generated by the system. If applicable, the security criteria for the PIN are displayed on screen.
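The following is an added, constructed model of the decision flow in steps 3 and 4 above; it is not code from the Security Manager product or the RSA agent. The in-memory dictionaries stand in for the local repository, the directory service and the Authentication Manager, and the passcodes and names are made up. It shows the lookup order, the group-intersection check for network users, and that the administrator-credential fallback applies only when it is configured.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Stores:
    """Constructed stand-ins for the systems the logon flow consults."""
    local_users: dict          # user name -> set of groups (local repository)
    network_users: dict        # user name -> set of groups (directory service)
    permitted_groups: set      # groups that have been assigned permissions
    auth_manager: dict         # user name -> expected passcode (stand-in for RSA Authentication Manager)
    admin_fallback: dict = field(default_factory=dict)  # user name -> admin password, only if fallback is configured


def find_profile(stores, user):
    """Step 3: search the local repository first, then the directory service."""
    if user in stores.local_users:
        return "local", stores.local_users[user]
    if user in stores.network_users:
        return "network", stores.network_users[user]
    return None


def authenticate(stores, user, passcode, admin_password=None):
    """Return (allowed, reason). Every missing condition fails closed."""
    profile = find_profile(stores, user)
    if profile is None:
        return False, "no matching user profile"
    source, groups = profile
    # A network user proceeds only if their groups intersect the permitted groups.
    if source == "network" and not (groups & stores.permitted_groups):
        return False, "network user has no permitted group"
    # Step 4: the agent checks user name and passcode against the Authentication Manager.
    if hmac.compare_digest(stores.auth_manager.get(user, ""), passcode):
        return True, "securid"
    # Fallback to Security Manager administrator credentials, only where configured.
    expected = stores.admin_fallback.get(user)
    if expected is not None and admin_password is not None and hmac.compare_digest(expected, admin_password):
        return True, "admin-fallback"
    return False, "securid failed; no administrator fallback"


# Constructed sample data (hypothetical names, groups and passcodes).
SAMPLE = Stores(
    local_users={"alice": {"SecAdmins"}},
    network_users={"bob@example.com": {"Staff", "SecAdmins"}, "carol@example.com": {"Staff"}},
    permitted_groups={"SecAdmins"},
    auth_manager={"alice": "1234567890", "bob@example.com": "4321098765", "carol@example.com": "1111222233"},
    admin_fallback={"alice": "local-admin-pw"},
)

if __name__ == "__main__":
    for u, p in [("alice", "1234567890"), ("carol@example.com", "1111222233"), ("dave", "0000000000")]:
        print(u, authenticate(SAMPLE, u, p))
```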