Help - RSA ID Plus MFA API Demo


You need to use your login credentials from the portal.rsa-demo.com environment. The user ID is the email address (firstname.lastname@securid-demo.com) and the password is the one you normally use for Singlepoint45.

If you haven't done so already, you need to install and register the RSA Authenticator app from Google Play or the Apple App Store.
If you do not do that, you will not be able to complete the step-up methods that require the Authenticator app (doh!).
To register the app, open it and, after accepting the licensing agreement, use your browser to log into MyPage and scan the QR code shown there. Registration then completes, and from then on you can use the app to complete the step-up authentication needed by each challenge.
RSA ID Plus doesn't enroll you in the biometric authentication methods provided by the device you use. You have to enroll in Apple Touch ID, Android fingerprint etc. yourself. If you already use one of those biometric methods on the device, no further enrollment is required to use them inside the RSA Authenticator app.
The RSA ID Plus MFA API allows the API caller (e.g. this demo application) to perform the primary authentication (for example Password or anything else) on its own. This means the application itself validates the credential used in the first step.
Only after this first (primary... get it?) step is the MFA API used to step up the user, should the policy require it.

The RSA ID Plus MFA API can also do both authentications (primary and step-up). In this case the MFA API endpoint in the cloud forwards the primary authentication credential to the on-premise RSA ID Plus Identity Router, which validates it against a user repository. For this demo the primary authentication method is always PASSWORD, but the API also supports SECURID (a hardware or software token).

For this demo, we created three policies that are hard-wired to the three assurance levels: Policy 1 maps to low, Policy 2 to medium and Policy 3 to high.
Assurance level low contains "Approve" and "Biometrics", medium contains "Authenticate Tokencode" and high contains "SecurID and Approve".
RSA ID Plus allows a lower assurance level to be fulfilled by methods from a higher level - this is why you can e.g. use "Biometrics" even for "Policy 1".
No! Not all features have been implemented (yet), for example "New PIN Mode" or "Next Tokencode Mode" for hardware/software RSA SecurID tokens.
There might also be the occasional bug here and there inside this demo. If you find one, let the RSA TSE group know.
Should you switch on "Collect device fingerprint", the geolocation of the device will be collected. You may see a prompt from your browser asking for permission to collect your location. If you agree but have second thoughts about it later, you can always remove this permission in your browser settings.
The device fingerprint is collected by some JavaScript. For this demo application it is actually collected no matter what, but it is not submitted to RSA SecurID Access unless you enable the "Collect device fingerprint" switch. You can see the value of this fingerprint in the initialisation request.
"Remember this browser" sets a persistent cookie with a unique ID in it that helps identify this browser to the SecurID Access risk engine. If you don't select this, the cookie will not be set. You can of course remove the cookie from your browser after it has been set. You can see the value of this cookie in the initialisation request that is sent.
If you enable "Collect device fingerprint" you'll notice that there are two more policies to choose from: "Risk 1" and "Risk 2".
"Risk 1" will not require any additional authentication should the identity confidence be "high".
"Risk 2" requires additional authentication (to Assurance Level Low) in any case.
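As an added example that is not part of this help page or of the demo application, the following Python models the flow described above: primary authentication done either by the caller itself or forwarded through the API to the Identity Router, followed by the step-up decision for Policy 1 to 3 and for the "Risk 1" / "Risk 2" policies, including the rule that a method from a higher assurance level fulfils a lower one. The in-memory user store, the PBKDF2 password check, the stand-in Identity Router and the names `authenticate`, `required_level` and `method_fulfils_level` are assumptions made for the example; no real MFA API call is made.

```python
"""Model of the demo's authentication flow. Added example, not the demo's own code.
Everything here (user store, PBKDF2 check, stand-in Identity Router, function
names) is an assumption made for illustration; no real MFA API call is made."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assurance levels from the help page, lowest to highest.
LEVEL_ORDER = {"low": 0, "medium": 1, "high": 2}

# Methods offered at each assurance level, as listed on the help page.
LEVEL_METHODS = {
    "low": {"Approve", "Biometrics"},
    "medium": {"Authenticate Tokencode"},
    "high": {"SecurID and Approve"},
}

# The demo's three policies are hard-wired to the three assurance levels.
POLICY_LEVEL = {"Policy 1": "low", "Policy 2": "medium", "Policy 3": "high"}


def method_level(method: str) -> Optional[str]:
    """Assurance level a step-up method belongs to, or None if unknown."""
    for level, methods in LEVEL_METHODS.items():
        if method in methods:
            return level
    return None


def method_fulfils_level(level: str, method: str) -> bool:
    """A method from the required level or from any higher level fulfils it."""
    have = method_level(method)
    return have is not None and LEVEL_ORDER[have] >= LEVEL_ORDER[level]


def required_level(policy: str, identity_confidence: Optional[str] = None,
                   fingerprint_collected: bool = False) -> Optional[str]:
    """Assurance level the policy demands after primary auth; None means no step-up.
    Risk 1/Risk 2 are only offered once the device fingerprint is collected."""
    if policy in POLICY_LEVEL:
        return POLICY_LEVEL[policy]
    if policy in ("Risk 1", "Risk 2"):
        if not fingerprint_collected:
            raise ValueError(f"{policy} needs 'Collect device fingerprint' enabled")
        if policy == "Risk 1" and identity_confidence == "high":
            return None  # Risk 1: high identity confidence, no extra authentication
        return "low"     # Risk 2 always, Risk 1 otherwise: step up to assurance level low
    raise ValueError(f"unknown policy {policy!r}")


# --- primary authentication (constructed user repository, not the demo's) ----
_PBKDF2_ROUNDS = 200_000
_USERS: Dict[str, Tuple[bytes, bytes]] = {}  # subject -> (salt, pbkdf2 digest)


def _register(subject: str, password: str) -> None:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    _USERS[subject] = (salt, digest)


_register("jane.doe@securid-demo.com", "correct horse battery staple")  # constructed sample user


def verify_password_locally(subject: str, password: str) -> bool:
    """Mode 1: the API caller validates the primary credential itself."""
    rec = _USERS.get(subject)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def identity_router_validate(subject: str, method: str, value: str) -> bool:
    """Mode 2 stand-in: the cloud MFA endpoint forwards the credential to the
    on-premise Identity Router, which checks the user repository.
    Only PASSWORD is modelled here; the real API also accepts SECURID."""
    if method != "PASSWORD":
        raise NotImplementedError("only PASSWORD is modelled in this example")
    return verify_password_locally(subject, value)


def authenticate(subject: str, password: str, policy: str, *, api_does_primary: bool = False,
                 identity_confidence: Optional[str] = None, fingerprint_collected: bool = False,
                 step_up_method: Optional[str] = None) -> dict:
    """Run the whole flow and report the outcome of each step."""
    if api_does_primary:
        primary_ok = identity_router_validate(subject, "PASSWORD", password)
    else:
        primary_ok = verify_password_locally(subject, password)
    if not primary_ok:
        return {"primary": "failed", "step_up": None, "authenticated": False}
    level = required_level(policy, identity_confidence, fingerprint_collected)
    if level is None:
        return {"primary": "ok", "step_up": "not required", "authenticated": True}
    if step_up_method is None or not method_fulfils_level(level, step_up_method):
        return {"primary": "ok", "step_up": f"required: {level}", "authenticated": False}
    return {"primary": "ok", "step_up": f"{step_up_method} ({level})", "authenticated": True}
```

The model deliberately stops at "which level is required and does the chosen method meet it"; proof that the user actually completed the method (the Approve tap or biometric in the Authenticator app) is what the real MFA API verifies and is not simulated here.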