
SecurID Software Token Administrator's Guide

Contact Information

RSA Link at https://community.rsa.com contains a knowledgebase that answers common questions and provides solutions to known problems, product documentation, community discussions, and case management.

Trademarks

RSA Conference Logo, RSA, and other trademarks, are trademarks of RSA Security LLC or its affiliates ("RSA"). For a list of RSA trademarks, go to https://www.rsa.com/en-us/company/rsa-trademarks. Other trademarks are trademarks of their respective owners.

License Agreement

This software and the associated documentation are proprietary and confidential to RSA Security LLC or its affiliates, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.

This software is subject to change without notice and should not be construed as a commitment by RSA.

Third-Party Licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed on the product documentation page on RSA Link. By using this product, a user of this product agrees to be fully bound by terms of the license agreements.

Copyright June 2020 World Wide Web Consortium, (MIT, ERCIM, Keio, oc-license (for https://w3c.github.io/webauthn/)

Note on Encryption Technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Use, copying, and distribution of any RSA Security LLC or its affiliates ("RSA") software described in this publication requires an applicable software license.

RSA believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." RSA MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

© 2010-2021 RSA Security LLC or its affiliates. All rights reserved.

June 2021

Contents

Preface 5
  About This Guide 5
  SecurID Support and Service 5
    Support for RSA Authentication Manager 5
    Support for the Cloud Authentication Service and Identity Routers 5
    RSA Ready Partner Program 6

Chapter 1: Overview 7
  About the SecurID App 8
  Supported Software Token Types 8
  Management Features for Software Token 8
  Provisioning Software Tokens 9
  Provisioning and Distribution Methods 9
    QR Codes 10
    Dynamic Seed Provisioning 10
    File-Based Provisioning (SDTID Files) 11
    Compressed Token Format (CTF Strings) 11
    App Transport Security Requirements for Dynamic Seed Provisioning 11
    Provisioning Software Tokens Using the Security Console 12
    Provisioning Software Tokens Using the Self-Service Console 12
  Security Features for Software Token 12
    Token Security on the Device 12
    Next Tokencode Retrieval 12
    Show or Mask PIN for iOS Devices 13
    Detecting a Jailbroken or Rooted Device 13
  Software Token Configuration 13
    Device Binding 13
      Android Device Class GUID (globally unique identifier) 13
      iOS Device Class GUID (globally unique identifier) 13
      Android Device ID 13
      Determine Your Device Binding Option 14
      iOS Binding ID 14
      Determine Your Device Binding Option 15
    Token Passwords 15
    iOS Data Protection 15

Chapter 2: Installing and Using the SecurID App 17
  Install and Manage the SecurID for iOS App 18
  Install and Manage the SecurID for Android App 18
    Upgrades 18
    Internet Connectivity for CT-KIP URL 18
    Font Size Setting 18
    Device Changes 18
  Authentication Procedures 18
    Passcode Authentication (PINPad-Style) 18
    Passcode Authentication (Fob-Style) 19
    Tokencode-Only Authentication 19

Chapter 3: Troubleshooting 21
  Problems Installing the SecurID App 22
  Problems Importing Tokens 23
  Problems and Workarounds 23
  Problems Authenticating 27
  Error Messages 28
  Information Messages 29

Preface

About This Guide

This guide is intended for RSA Authentication Manager administrators and IT personnel who will provision and deploy software tokens. Do not make this guide available to the general user population, with the exception of Authentication Procedures on page 18, which an administrator might choose to distribute.

This guide provides the following information:

- A description of the supported token types
- An overview of the methods for provisioning and deploying software tokens
- Information on security features provided for the software token app
- A troubleshooting section with workarounds for common issues, and a list of the error and informational messages provided by the app
- Procedures for using the software token app that an administrator can distribute to users

For a complete list of SecurID documentation, see RSA Link.

SecurID Support and Service

You can access community and support information on RSA Link at https://community.rsa.com. RSA Link contains a knowledgebase that answers common questions and provides solutions to known problems, product documentation, community discussions, and case management.

Support for RSA Authentication Manager

Before you call Customer Support for help with the RSA Authentication Manager appliance, have the following information available:

- Access to the RSA Authentication Manager appliance.
- Your license serial number. To find this number, do one of the following:
  - Look at the order confirmation e-mail that you received when you ordered the product. This e-mail contains the license serial number.
  - Log on to the Security Console, and click License Status. Click View Installed License.
- The appliance software version. This information is located in the top, right corner of the Quick Setup, or you can log on to the Security Console and click Software Version Information.

Support for the Cloud Authentication Service and Identity Routers

If your company has deployed identity routers and uses the Cloud Authentication Service, RSA provides you with a unique identifier called the Customer Support ID. This is required when you register with RSA Customer Support. To see your Customer Support ID, sign in to the Cloud Administration Console and click My Account > Company Settings.

RSA Ready Partner Program

The RSA Ready Partner Program website at www.rsaready.com provides information about third-party hardware and software products that have been certified to work with RSA products. The website includes Implementation Guides with step-by-step instructions and other information on how RSA products work with third-party products.

Chapter 1: Overview

About the SecurID App 8
Supported Software Token Types 8
Management Features for Software Token 8
Provisioning Software Tokens 9
Provisioning and Distribution Methods 9
Security Features for Software Token 12
Software Token Configuration 13

About the SecurID App

The SecurID app is authentication software that consists of a mobile app and separately installed software tokens. With a software token installed, the app generates 6-digit or 8-digit pseudorandom numbers, called tokencodes (one-time passwords), at regular intervals. Authorized users with supported Android or iOS devices can use a tokencode, in combination with a PIN, to access resources protected by SecurID, such as Virtual Private Networks (VPNs) and web applications.

Before provisioning and deploying software tokens, you must decide:

- How users will authenticate. See Supported Software Token Types below.
- Whether to generate SDTID files, CTF URL links, or CT-KIP URL links. See Provisioning and Distribution Methods on the facing page.
- Whether to bind each token to a specific Android or iOS device or leave the default binding (device class GUID). See Device Binding on page 13.

Supported Software Token Types

SecurID supports the following software token types for user authentication:

- PIN integrated with tokencode (PINPad-style). The user enters a SecurID PIN in the Enter PIN screen on the Android or iOS device to produce a passcode (one-time password). The user authenticates by entering the passcode in the protected resource.
- PIN followed by tokencode (fob-style). The user authenticates by entering a SecurID PIN in the protected resource, followed by the current tokencode displayed on the device. The user experience is similar to authenticating with a hardware fob that displays tokencodes.
- Tokencode only. The user authenticates by entering the current tokencode displayed on the device (no PIN required).

Note: Because tokencode-only authentication does not use two-factor authentication, RSA strongly recommends that you require the standard logon password in addition to the tokencode. For more information about the proper use of tokens that do not require a PIN, see the RSA SecurID Software Token Security Best Practices Guide.

Management Features for Software Token

The SecurID app supports the following features for managing software tokens:

- Multiple Token Support. Users can import up to 10 software tokens per device. An Authentication Manager server can provision three software tokens to an individual user. SecurID software tokens can be provisioned to the same device by different companies.
- Token Nicknames. Users can set token names to identify their tokens. Token names are called "nicknames" in the authentication servers. Nicknames can contain up to 32 alphanumeric characters. In addition, nicknames must be unique, are case sensitive, and cannot consist entirely of spaces.
  As the administrator, you can optionally set a nickname when configuring a token record. If you do not set a nickname, tokens are imported to the app with default names based on installation order: Token 1, Token 2, and so on. The user can rename tokens after importing them to the app.
  If you use Self-Service provisioning with Authentication Manager 8.1 or later, you can allow users to set a nickname when they request a token. The token is imported into the app with the user-supplied nickname.
- Delete Token option. Users can delete any token. Users who delete all of their tokens must contact an administrator to request replacement tokens, or use Self-Service if available.
- Token Expiration Warning. Software tokens expire on the first second of the token expiration date (00:00:00 GMT). To ensure that the user always has a working software token installed, the app displays a warning indicating how many days remain before the token expires, starting 30 days before the expiration date. The user can contact the administrator or use Self-Service (if available) to request a replacement token.

Provisioning Software Tokens

To provision software tokens and authenticate iOS device users, you need a supported version of Authentication Manager.

To provision software tokens and authenticate Android device users, you need a supported version of RSA Authentication Manager, as described in the Release Notes, or RSA SecurID Authentication Engine 2.8.1 for Java.

Authentication Manager supports two methods for deploying SecurID software tokens:

- Security Console. You initiate the process of assigning and distributing the user's token using the Security Console, a web-based administrative console.
- Self-Service Console. You configure Self-Service provisioning and allow the user to create an account. The user then enrolls to use Self-Service and requests a software token, using a web-based Self-Service Console.

Self-Service provisioning is included with the Authentication Manager Enterprise Server license. See RSA Authentication Manager documentation on RSA Link.

RSA SecurID Authentication Engine (SAE) is an Application Programming Interface (API) that provides the back-end authentication functions of RSA SecurID. After the API is successfully integrated into your environment, RSA SecurID users can be authenticated without needing an RSA Authentication Manager server. For more information, see RSA SecurID Authentication Engine Documentation on RSA Link.

Provisioning and Distribution Methods

This section provides an overview of the methods available for distributing software tokens to Android and iOS devices.

QR Codes

SecurID supports scanning a CTF URL or CT-KIP URL encoded in a QR Code. The user points the device camera at the QR Code to automatically scan the token into the SecurID app.

Use one of the following methods to create the QR Code:

- Generate a QR Code in RSA Authentication Manager 8.x. RSA Authentication Manager 8.x can generate QR Codes that each contain a CT-KIP URL. To use this feature, the Self-Service Console is required. An administrator must create a software token profile that uses the iOS 2.x device type, dynamic seed provisioning (CT-KIP), and QR Codes. For instructions, see the RSA Authentication Manager Administrator's Guide on the RSA Authentication Manager Documentation page on RSA Link.
- Convert a CT-KIP URL to a QR Code with a Third-Party Conversion Tool. RSA Authentication Manager 8.1 or later generates custom URLs containing CT-KIP data. The scheme portion of the custom CT-KIP URL is com.rsa.securid. This scheme is required when using custom CT-KIP URLs to provision software tokens to the SecurID app. After generating a custom CT-KIP URL, use a third-party QR Code conversion tool to embed the custom CT-KIP URL in a QR Code.
- Convert a CTF URL or an SDTID file to a QR Code. You can generate a legacy-format custom CTF URL containing token data using RSA Authentication Manager 8.1 or later, but you must use a third-party QR Code conversion tool to convert the custom CTF URL to a QR Code.
  If you use Authentication Manager to generate software token files (SDTID files), you can use the RSA SecurID Software Token Converter 3.1 (Token Converter 3.1) utility to convert an individual token file to a QR Code that contains a custom CTF URL.
  RSA SecurID Authentication Engine (SAE) for Java does not natively generate QR Codes. You must use the Token Converter 3.1 utility to convert an SDTID file to a CTF URL embedded in a QR Code.
  When Token Converter 3.1 converts an SDTID file to a QR Code, the output is a JPEG file containing the QR Code image. The SecurID app can scan the QR Code to import the token. If you password-protect the SDTID input file, the app prompts for the password to complete the QR Code import.
  Download RSA SecurID Software Token Converter 3.1 from re-token-converter and follow the instructions in the RSA SecurID Software Token Converter 3.1 Administrator's Guide.

Dynamic Seed Provisioning

Dynamic seed provisioning uses the Cryptographic Token Key Initialization Protocol (CT-KIP) to eliminate the need for a token distribution file (SDTID file).

Note: RSA recommends using dynamic seed provisioning because the CT-KIP process helps prevent the potential interception of the token's seed. Only use SDTID or CTF if your company policy dictates that the SecurID apps cannot connect to the Internet or that a CT-KIP server cannot be set up.

You deliver a dynamically provisioned token to the SecurID app with a QR code or by sending an email message containing a custom CT-KIP URL hyperlink to the email client on the user's device. The user taps the URL link in the email or enters the link in the app to import the token.

To support dynamic seed provisioning (CT-KIP) on iOS devices, you must make sure that the RSA Authentication Manager server meets the App Transport Security (ATS) requirements. For more information, see App Transport Security Requirements for Dynamic Seed Provisioning on the facing page.

File-Based Provisioning (SDTID Files)

Authentication Manager and RSA SecurID Authentication Engine (SAE) for Java can generate software token (SDTID) files. RSA strongly recommends protecting SDTID files with a token file password as part of the provisioning process.

To deliver a token, you send an email with an SDTID file attachment to the email client on the user's device. If you password-protect the file, RSA recommends sending the password separately, using a secure channel and best practices for communicating sensitive data.

Compressed Token Format (CTF Strings)

Compressed token format (CTF) is an alphanumeric or numeric format for delivering software tokens to mobile devices.

RSA Authentication Manager 8.1 and later generates CTF strings in a legacy numeric format, as described in the RSA Authentication Manager 8.2 Administrator's Guide. If you require alphanumeric CTF strings, use Authentication Manager to provision password-protected SDTID files and then convert them using the RSA SecurID Software Token Converter 3.1 (Token Converter) command line utility.

RSA SecurID Authentication Engine (SAE) for Java administrators obtain CTF strings by exporting the token to an SDTID file. Convert the password-protected SDTID file using the Token Converter 3.1.

Note: RSA strongly recommends protecting CTF strings with a password. Set the password on the SDTID file when provisioning the token in Authentication Manager. Use the -password option on the Token Converter command line.

By default, Token Converter 3.1 generates alphanumeric CTF strings appended to a URL. To deliver the CTF string, you send an email containing the URL to the user's device. The user taps the URL or enters the link in the app to import the token, and enters the password to complete the import.

To download the Token Converter and documentation, go to re-token-converter.

App Transport Security Requirements for Dynamic Seed Provisioning

Apple introduced the App Transport Security (ATS) feature in iOS 9. This network encryption and security feature requires a server that supports Transport Layer Security (TLS) protocol version 1.2 or later with forward secrecy ciphers and certificates that are signed using a SHA-256 or later signature algorithm.

RSA Authentication Manager 8.1 Service Pack 1 (SP1) Patch 13 or later with the TLS 1.2 Mode update applied supports the required TLS encryption version, but you must ensure that the SSL console certificate used by RSA Authentication Manager meets the ATS requirements.

If the SSL certificate that you use to secure your CT-KIP connections does not use SHA-256 or later, then you must replace it. The default RSA Authentication Manager SSL console certificates do not meet the ATS requirement. For instructions on replacing the RSA Authentication Manager SSL console certificate, see the RSA Authentication Manager Administrator's Guide.

Also ensure that your entire Authentication Manager CT-KIP provisioning infrastructure is ATS compliant. Non-compliant network appliances, such as proxy servers, firewalls, and load balancers, might prevent CT-KIP provisioning requests from reaching the RSA Authentication Manager CT-KIP server. These non-compliant appliances may require a simple SSL certificate replacement or more complicated firmware upgrades to achieve compliance. Please contact your appliance vendor for further assistance in ensuring that your appliances are ATS compliant.
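The three ATS requirements above (TLS 1.2 or later, forward-secrecy ciphers, a certificate signed with SHA-256 or stronger) can be checked against a CT-KIP endpoint before iOS users are asked to provision. The following script is an added example and not RSA's tooling: it reads the negotiated TLS version and cipher through Python's standard ssl module, extracts the certificate's signature-algorithm OID with a minimal DER parse, and includes a constructed (not real) certificate shell so the logic can be exercised offline; the hostname in the comments is a placeholder.

```python
"""Pre-flight check of the ATS requirements for a CT-KIP provisioning endpoint.
Added example, not RSA's code: TLS 1.2+, forward-secrecy key exchange, and a
certificate signed with SHA-256 or stronger, as the guide requires for iOS."""
import socket
import ssl

# X.509 signatureAlgorithm OIDs -> (name, satisfies the SHA-256-or-later rule)
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", True),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", True),
}

def _read_tlv(buf, pos):
    """Parse one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the length's width
        width = length & 0x7F
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    return tag, pos, pos + length

def _decode_oid(raw):
    """Convert DER OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128 continuation bytes
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def cert_signature_oid(der):
    """Return the dotted OID from a DER certificate's outer signatureAlgorithm field."""
    tag, pos, _ = _read_tlv(der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)          # skip tbsCertificate entirely
    tag, alg_start, _ = _read_tlv(der, tbs_end)  # signatureAlgorithm SEQUENCE
    tag2, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("unexpected structure in signatureAlgorithm")
    return _decode_oid(der[oid_start:oid_end])

def ats_findings(tls_version, cipher_name, sig_oid):
    """List the ATS rules the observed parameters violate; empty means compliant."""
    findings = []
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"TLS version {tls_version} is below 1.2")
    # Every TLS 1.3 suite is ephemeral; in 1.2 the OpenSSL name must start with (EC)DHE.
    if tls_version != "TLSv1.3" and not cipher_name.startswith(("ECDHE", "DHE")):
        findings.append(f"cipher {cipher_name} does not provide forward secrecy")
    name, strong = SIG_ALG_OIDS.get(sig_oid, (sig_oid, False))
    if not strong:
        findings.append(f"certificate signature {name} is weaker than SHA-256")
    return findings

def probe(host, port=443):
    """Connect to the CT-KIP host (network required) and evaluate what it negotiates."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return ats_findings(tls.version(), tls.cipher()[0], cert_signature_oid(der))

def constructed_cert(oid_bytes):
    """Constructed (not real) DER shell carrying the given signatureAlgorithm OID, for offline tests."""
    tbs = b"\x30\x03\x02\x01\x01"                          # tbsCertificate stub: SEQUENCE { INTEGER 1 }
    alg_body = b"\x06" + bytes([len(oid_bytes)]) + oid_bytes + b"\x05\x00"  # OID + NULL params
    alg = b"\x30" + bytes([len(alg_body)]) + alg_body
    sig = b"\x03\x02\x00\x00"                              # BIT STRING stub
    body = tbs + alg + sig
    return b"\x30" + bytes([len(body)]) + body

SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5

if __name__ == "__main__":
    # Offline demo on a constructed SHA-1 certificate; for a live check call
    # probe("am.example.com") with your Authentication Manager CT-KIP host (placeholder).
    oid = cert_signature_oid(constructed_cert(SHA1_RSA_OID))
    print(ats_findings("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", oid))
```

The probe checks only the server certificate and negotiated parameters; intermediate proxies or load balancers terminating TLS in front of the CT-KIP server must be probed the same way from the client's network position.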

If you meet these requirements, then iOS apps that are built with the RSA SecurID SDK 2.4 on Xcode 7.3.1 or later can perform CT-KIP provisioning with RSA Authentication Manager 8.1 Service Pack 1 (SP1) Patch 13 or later with the TLS 1.2 Mode update applied. Users who have SecurID Software Token installed are not required to download any additional updates to ensure iOS 9 or higher compatibility.

For more information on ATS, go to otes/General/WhatsNewIniOS/Articles/iOS9.html.

Provisioning Software Tokens Using the Security Console

RSA Authentication Manager includes the web-based Security Console that allows you to provision and distribute software tokens. An RSA Authentication Manager Super Admin must create a software token profile. The profile specifies software token configuration and distribution options.

If you plan to use several provisioning methods (for example, CT-KIP and CTF), create separate software token profiles for each method so that you do not have to edit the profile to change the distribution method.

When you add a software token profile, use the Android 2.x device definition file for Android apps and the iOS 2.x device definition file for iOS apps.

For more information, see the RSA Authentication Manager Administrator's Guide on the RSA Authentication Manager Documentation page on RSA Link.

Provisioning Software Tokens Using the Self-Service Console

RSA Authentication Manager 8.1 or later includes RSA Self-Service. The Self-Service Console provisioning component allows users to request SecurID tokens, including software tokens.

For more information, see the Help topic "RSA Self-Service Overview" on the RSA Authentication Manager Documentation page on RSA Link.

Security Features for Software Token

The SecurID app includes the security features described in this section.

Token Security on the Device

After a token is imported to an Android device, it is protected with a set of system attributes. After a token is imported to an iOS device, it is protected with unique application data that cannot be migrated to another device.

When the app needs to open the token database, it queries the system for the set of attributes and checks them for validity. If an unauthorized user or malware attempts to copy the token database to another machine or device, the user cannot obtain tokencodes or the app appears as not having a token. If the user obtains a new device, the software token must be reissued.

Next Tokencode Retrieval

RSA Authentication Manager and RSA SecurID Authentication Engine can detect when a user provides multiple incorrect one-time passwords (OTPs) in succession. (The default number of invalid OTP entries is three.) This situation may be caused by user error, time drift on the device running the app, or it may indicate that an unauthorized user has gained access to the token and is attempting to use it. When this occurs, the authentication server places the token into Next Tokencode mode. The user must enter the next successive code (tokencode or passcode) to authenticate. Requiring the user to provide the next code helps ensure that the code is being generated by a token in the possession of the authorized owner.

When a user's token is in Next Tokencode mode, the user can tap an arrow on the token card in the SecurID app to immediately retrieve the next code without waiting for the next interval.

Show or Mask PIN for iOS Devices

By default, PIN characters are masked as the user enters them. The user can show or mask PIN characters in the native iOS Settings.

Detecting a Jailbroken or Rooted Device

Users should not download the SecurID app to a jailbroken or rooted device. The SecurID 3.0 app displays a warning message when a user attempts to do so. A future release will prevent the user from completing the download.

Software Token Configuration

RSA strongly recommends using the following for software tokens:

- Device binding
- Password protection for file-based tokens
- (iOS only) Policies for users that require complex passcodes for iOS data protection

Device Binding

When provisioning a software token record in Authentication Manager, bind the token by configuring a token extension attribute (DeviceSerialNumber). Binding allows installation only on a device or class of devices with a matching device ID.

RSA strongly recommends binding all tokens to a device class GUID.

Android Device Class GUID (globally unique identifier)

By default, software tokens provisioned for Android devices in RSA Authentication Manager 8.x are bound to the Android 2.x device class GUID (globally unique identifier). The Android device class GUID allows the user to import the token to any Android device that is supported by the SecurID app. It prevents the token from being imported to other types of devices running a SecurID app.

The Android device class GUID is:

a01c4380-fc01-4df0-b113-7fb98ec74694

iOS Device Class GUID (globally unique identifier)

Software tokens provisioned for iOS devices in Authentication Manager 8.1 or later are bound to a device class GUID (globally unique identifier), which is generated when the SecurID app is installed. This option allows the user to import the token to any iOS device that is supported by the SecurID app. It prevents the token from being imported to other device platforms or to desktops or laptops running a SecurID app.

The iOS device class GUID is:

556f1985-33dd-442c-9155-3a0e994f21b1

Android Device ID

A device ID is a unique sequence of 24 letters and numbers assigned to a specific Android device by the SecurID app. A token bound to a device ID cannot be used on any other device.

Note: Uninstalling and reinstalling the SecurID app generates a new device ID. If a user reinstalls the app, you must obtain the new device ID and update the user's software token record in your authentication server.

You bind tokens to a device ID when configuring the token in Authentication Manager. The user must first provide the device ID. After installing the SecurID app, the user can select Device ID on the Welcome screen and choose one of the following options:

- Email Device ID. This option opens an email that is prepopulated with the device ID. The user enters the administrator's e-mail address in the To: field. Make sure you provide an email address to users so they can send you the email containing their device ID.
- Copy Device ID. This option copies the device ID to the device clipboard. Users who have a Self-Service account on Authentication Manager 8.x can access the Self-Service URL through their device browser and paste the device ID into a device binding field when requesting a software token.

Instruct users to treat the device ID as sensitive information and to use a secure channel to deliver it to the administrator. After the user sends the administrator the device ID, the administrator should use a separate, secure channel to communicate the information needed by the SecurID app to complete the provisioning process, for example, the CT-KIP URL.

Determine Your Device Binding Option

Use the following information to decide which binding option best suits your requirements.

Binding option: Android device ID
- The token allows installation only on the device with the specified device ID.
- In an administrator-driven provisioning scenario, requires the administrator to obtain the device ID from the user before configuring the token record.
- In a Self-Service provisioning scenario, the user can obtain the device ID from the SecurID app and enter the device ID when requesting a software token.

Binding option: Android device class GUID
- The token can be installed on any Android device.
- Prevents ability to import the token to a computer or mobile device other than Android.
- Allows administrators to bind all tokens to the same device class.
- For Authentication Manager 8.x, eliminates the need to configure a token extension attribute since the device class GUID is the default binding entry.

iOS Binding ID

A binding ID (called a device ID in previous versions of the Software Token app) is a unique, 24-character hexadecimal string generated by the SecurID app running on a specific iOS device. A token bound to a binding ID cannot be used by any other app running on the same device or a different device.

You bind a token when configuring it in Authentication Manager. The user must first provide you the binding ID, which is generated when the SecurID app is installed. To send the binding ID, the user must have an email account configured on the device.

You must provide users with an email address. Instruct users to treat the binding ID as sensitive information and to use a secure channel to deliver it to you.

To view and email the binding ID, from the Welcome screen or Home screen, the user taps More > About.

Determine Your Device Binding Option

Use the following information to decide which binding option best suits your requirements.

Binding option: iOS device binding ID
- The token can only be used by the app running on the device with the specified binding ID.
- The administrator must obtain the binding ID from the user before configuring the token record.
- If using Self-Service, the user can bind the token when requesting a software token.

Binding option: iOS device class GUID
- The token can be installed on any iOS device.
- Helps prevent importing the token to a computer or mobile device other than iOS.
- Administrators can bind all tokens to the same device class.
- For RSA Authentication Manager 8.1 or later, the iOS device class GUID eliminates the need to configure a token extension attribute since the device class GUID is the default binding entry.

Token Passwords

SDTID files and compressed token format (CTF) strings should be protected during transit by assigning a unique password in your provisioning server. The user must enter the password in the Secu
