Setting up Two-factor authentication - RSA SecurID (Feature available only in Premium and Enterprise editions)
Summary of steps:
- Configuring two-factor authentication in Password Manager Pro.
- Setting up Password Manager Pro - RSA SecurID integration.
- Enforcing two-factor authentication for required users.
Step 1: Configuring two-factor authentication in Password Manager Pro
- Navigate to Admin >> Authentication >> Two-factor Authentication.
- Choose the option RSA SecurID.
- Click "Save".
- Then, click on Confirm to enforce RSA SecurID as the second factor of authentication.
Step 2: Enforcing two-factor authentication for the required users.
- Once you confirm RSA SecurID as the second factor of authentication in the previous step, a new window will prompt you to select the users for whom two-factor authentication should be enforced.
- You can enable or disable two-factor authentication for a single user or multiple users in bulk from here. To enable two-factor authentication for a single user, click on the 'Enable' button beside their respective username. For multiple users, select the required usernames and click on 'Enable' at the top of the user list. Similarly, you can also 'Disable' two-factor authentication from here.
- You can also select the users later by navigating to Users >> More Actions >> Two-factor Authentication.
How to connect to Password Manager Pro web-interface when TFA is enabled?
Users for whom two-factor authentication is enabled will have to authenticate twice in succession. As explained above, the first level of authentication will be through the usual authentication. That is, the users have to authenticate through Password Manager Pro's local authentication or AD/LDAP authentication. Depending on the type of TFA chosen by the administrator, the second level of authentication will differ as explained below:
- Upon launching the Password Manager Pro web-interface, the user has to enter the username and local authentication or AD/LDAP password to log in to Password Manager Pro and click "Login".
- Against the text field "RSA Passcode", enter the RSA SecurID passcode. The passcode could be a combination of PIN and Tokencode or just Tokencode alone or On-Demand PIN depending on the configuration done in RSA Authentication Manager.
- If you want to leverage the RSA On-Demand authenticator, select "RSA On-Demand" and proceed. In this case, you need to give the On-Demand Tokencode as specified in Case 3 below.
TFA using SecurID - Different scenarios in logging into Password Manager Pro
Case 1: Entering user generated / system created PIN
As mentioned above, the RSA passcode could be a combination of PIN and tokencode or just tokencode alone or a password depending on the configuration done in RSA Authentication Manager. If the settings in RSA Security Console demand that users create a PIN on their own or use a system generated PIN, the following screen would be shown to the users after step 2 (that is, after entering the first password & RSA tokencode to log in to Password Manager Pro).
User Created PIN
In the case of user created PIN, users will get the option to enter the PIN on their own. The PIN should contain numeric characters - minimum 4, maximum 8 characters. After entering the PIN, the user will have to wait for a while until the RSA tokencode changes to a new value. Then, in the next screen, enter the new PIN and the RSA tokencode to authenticate.
System Created PIN
In the case of system created PIN, Password Manager Pro itself will randomly generate a PIN and it will be shown on the screen. Users will have to note down the new PIN and wait for a while until the RSA tokencode changes to a new value. Then, in the next screen, the users will have to enter the new PIN as generated by the system and the RSA tokencode to authenticate.
Case 2: New Tokencode Mode
If a user attempts to log in to Password Manager Pro using a random RSA passcode or by guesswork for a specified number of times, the RSA Authentication Manager will switch the screen to the next tokencode mode to verify whether the user possesses the token. In that case, PMP prompts for the next tokencode during the login. That means the user will have to wait until the RSA device shows a new tokencode and enter the new code to proceed with logging into Password Manager Pro.
Note: If the new tokencode entered by the user is wrong, Password Manager Pro will revert to the initial login screen. Users will have to start from entering the username again.
Case 3: Tokencode Mode
When RSA On-Demand authenticator is configured, you need to supply the Tokencode to log into Password Manager Pro. Tokencode will be sent to the registered email id or mobile number as configured in the RSA On-Demand authentication system.
If you have configured High Availability
Whenever you enable TFA or when you change the TFA type (PhoneFactor or RSA SecurID or One-time password or RADIUS or Duo) AND if you have configured high availability, you need to restart the Password Manager Pro secondary server once.