10 November 2020

Cloudifying Multi-Factor Authentication for Privileged Access Management with RSA

Andy Harris

RSA has a very interesting take on identity and multi-factor authentication. They have a virtual appliance, called an Identity Router, that is installed in the corporate network alongside the Active Directory (AD) Domain Controller. The Identity Router pulls its configuration from RSA's cloud service. It can then query the Domain Controller to validate a user's login and be returned that user's list of group memberships. This means that AD remains the source of truth about your users and their various group memberships.

[Figure: RSA SecurID architecture showing the Identity Router]

The Identity Router is very firewall-friendly: it only needs to make outbound connections to the RSA Cloud Service, so nothing inbound has to be opened for it.

RSA's Cloud Service is where all your users' devices are enrolled. Here's a view of Andy in RSA's SecurID Cloud Service and the matching view of Andy in the Osirium PAM product.

[Figure: the "Andy Harris" user as seen in the RSA SecurID Cloud Service]

[Figure: the "Andy Harris" user as seen in Osirium PAM]

The Identity Router also exposes an internally facing RADIUS authentication service, which our Privileged Access Management (PAM) product can use as an authentication service on a per-user basis.
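
The RADIUS exchange this paragraph describes, as an added example that is not Osirium's or RSA's code: a PAM-side client builds an RFC 2865 Access-Request carrying the username and the user's token code (in User-Password, hidden under the shared secret), a modelled server replies Accept or Reject, and the client checks that the reply's Response Authenticator is bound to its own request and to the shared secret before trusting it. The username, shared secret and token codes are constructed, and the server side is only a stand-in for the Identity Router's service, whose real behaviour the page does not detail.

```python
import hashlib, hmac, secrets, struct

# RADIUS packet codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(body):
    # Walk the type/length/value list; a bad length means a malformed packet.
    attrs, i = {}, 0
    while i + 2 <= len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body): raise ValueError("malformed RADIUS attribute")
        attrs[atype], i = body[i + 2:i + alen], i + alen
    return attrs

def password_xor(data, secret, authenticator, unhide=False):
    # RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous block), where
    # "previous block" is ciphertext: the one just produced (hiding) or just consumed (unhiding).
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + xored, (block if unhide else xored)
    return out

def build_access_request(ident, username, token_code, secret):
    # PAM (RADIUS client) side: fresh random Request Authenticator; the token code rides in
    # User-Password, zero-padded to a multiple of 16 bytes and hidden under the shared secret.
    auth, raw = secrets.token_bytes(16), token_code.encode()
    hidden = password_xor(raw.ljust(16 * max(1, (len(raw) + 15) // 16), b"\0"), secret, auth)
    attrs = attr(USER_NAME, username.encode()) + attr(USER_PASSWORD, hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def build_response(code, ident, request_auth, secret, attrs=b""):
    # Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def handle_access_request(pkt, secret, expected_code):
    # Stand-in for the Identity Router's RADIUS server: recover the code, answer Accept or Reject.
    ident, request_auth = pkt[1], pkt[4:20]
    presented = password_xor(parse_attrs(pkt[20:])[USER_PASSWORD], secret, request_auth, unhide=True)
    ok = hmac.compare_digest(presented.rstrip(b"\0"), expected_code.encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)

def verify_response(resp, request_pkt, secret):
    # Client side: trust a reply only if its ID matches and its authenticator is bound to our
    # Request Authenticator and the shared secret, so an Accept forged without the secret fails.
    if len(resp) < 20 or resp[1] != request_pkt[1]:
        return False
    expected = hashlib.md5(resp[:4] + request_pkt[4:20] + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20]) and resp[0] == ACCESS_ACCEPT
```

The shared secret is the only thing binding an Access-Accept to the request, so on a real deployment it should be long and random and the Identity Router's RADIUS port reachable only from the PAM.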

The user experience is excellent, as you can see in this demo.

If the user's device is online, the experience is a very easy to use push request to their device. In our case we saw the notification, then needed Face ID to unlock the device and see the SecurID request:

[Figure: RSA sign-in request notification]

If the user finds themselves in an offline situation, for example with no WiFi access or no mobile data service in their area, they can instead use the token number displayed on their device. This number follows a random sequence that is also known to the Identity Router, so it can be verified without the phone being online:

[Figure: Approving the sign-in in the RSA Authenticator]

[Figure: Token generation when the phone is offline]

We ran our tests using a mix of iPhone 11 and iPhone 11 Pro devices. Having tested a number of MFA solutions with Osirium products, we were struck by how reliable the RSA solution is. During testing we left connections open, entered the wrong token numbers and passwords, took too long with Face ID, and tried many other typical user behaviours. When we got it wrong it was obvious, and when we got it right it worked every time: zero failures.

So there you have it: Active Directory as the source of truth for your user identities, and the RSA Cloud Service providing a neat, reliable, cloudified MFA service with a simple, low-friction fallback to token numbers.

As always, if you'd like to know more about Osirium's products running with RSA, please get in touch.