Multi-Factor Authentication - RSA ID Plus

Last modified on July 21, 2025

RSA ID Plus is available as a multi-factor authentication (MFA) option for your StrongDM users. This guide describes how to set up and configure MFA using RSA ID Plus.

Prerequisites

  • StrongDM Administrator account
  • Administrator access to your organization’s RSA Cloud Authentication Service
  • RSA Authenticator app installed on a device that you can access and enrolled with your RSA organization. Note that the user must enroll at least one of the following: RSA Authenticator app or RSA SecurID Hardware Token. The enrollment link can be found in the Cloud Authentication Service at Access > My Page. The format is https://<ORGANIZATION>.auth.securid.com/mypage.

Configure RSA Cloud Authentication Service

The first part of the setup process takes place in the RSA ID Plus platform. Perform the following steps to configure the RSA Cloud Authentication Service.

  1. Log in as an administrator to the RSA Cloud Authentication Service at https://<ORGANIZATION>.access.securid.com/.
  2. Go to My Account > Company Settings > Sessions & Authentication.
    1. In the Code Matching Configuration section, ensure that the slider called Strict code matching enforcement is set to Disabled.
    2. In the Hardware Authenticator section, ensure that Allow alphanumeric characters in hardware authenticator PINs is not selected.
  3. Go to My Account > Company Settings > Authentication API Keys.
    1. Create your API key.
    2. Copy the SecurID Authentication API REST URL value and the created API key for use in the next step.

RSA ID Plus setup is now complete. Keep this browser window open in case you need to recopy the URL or API key when setting up RSA ID Plus as an MFA provider in StrongDM in the next section.

Set up the MFA Provider in StrongDM

The setup continues in the StrongDM Admin UI.

  1. Go to Settings > Security.

  2. In the Multi-factor Authentication section, click the lock to make changes to the fields.

  3. For Enforce Multi-Factor Authentication?, select Yes.

  4. For Provider, select RSA ID Plus.

  5. For Authentication API URL, enter the SecurID Authentication API REST URL copied from the RSA configuration (for example, https://<ORGANIZATION>.auth.securid.com:443).

  6. For Authentication API Key, enter the API Key created from the RSA configuration.

  7. Select Software Token if you want to require the user to enter an 8-digit passcode from the RSA Authenticator app.

  8. Select the checkbox for Push notification to enable users to be challenged by a push notification to their mobile device.

  9. For Disable biometrics, select the checkbox if you don’t need users to use biometrics to verify their identity. When selected, users are only required to tap the approve or reject buttons in the push notification. If you want to require users to use biometrics to verify, leave the box unchecked.

  10. Select Hardware Token if you want to require the user to enter their PIN followed by a 6-digit passcode displayed on the RSA SecurID Hardware Token.

  11. Click Test to test the MFA settings. This requires the email address of your currently logged-in user to be registered as a user in RSA and have a device enrolled in RSA My Page. You can run a test and reject the login using the RSA Authenticator app or RSA SecurID Hardware Token, and run it again and approve it this time, if you want to test both outcomes.

  12. Once you are satisfied with your settings, click Save to enable RSA ID Plus MFA. This displays a warning message that users cannot log in without MFA enrollment going forward.
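
A pre-flight check for the value entered in step 5, as an added example that is not part of the StrongDM or RSA documentation. The API key is used against whatever host is entered, so the check catches a pasted admin console URL or a lookalike host before saving. It assumes your tenant uses the hostname patterns shown on this page; `check_auth_api_url` and the sample organization name `example-org` are hypothetical.

```python
from urllib.parse import urlsplit

# Hostname suffixes as they appear on this page. Assumption: your tenant
# follows the same pattern; adjust if the URL shown in RSA differs.
API_SUFFIX = ".auth.securid.com"      # Authentication API / My Page
ADMIN_SUFFIX = ".access.securid.com"  # administrator console


def check_auth_api_url(value: str) -> list[str]:
    """Return the problems found in an Authentication API URL (empty = OK)."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return ["URL could not be parsed (malformed host or port)"]

    # Compare against the parsed hostname, never a substring of the raw
    # string, so "…auth.securid.com.evil.example" does not pass.
    host = (parts.hostname or "").lower()
    problems = []

    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.username or parts.password:
        problems.append("URL must not embed credentials before '@'")
    if host.endswith(ADMIN_SUFFIX):
        problems.append("this is the admin console host, not the API host")
    elif not (host.endswith(API_SUFFIX) and len(host) > len(API_SUFFIX)):
        problems.append(f"host is not of the form <ORGANIZATION>{API_SUFFIX}")
    if port not in (None, 443):
        problems.append("port should be 443 or omitted")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real tenants.
    for url in (
        "https://example-org.auth.securid.com:443",
        "https://example-org.access.securid.com/",
        "https://example-org.auth.securid.com@evil.example",
    ):
        print(url, "->", check_auth_api_url(url) or "OK")
```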

Log in With RSA ID Plus Enabled

Once RSA ID Plus is enabled, the login process for a user consists of entering their username and password on the StrongDM Admin UI, desktop app, or CLI and then responding to one of the following options, depending on your configuration:

  • If you configured push notifications only, the user sees the “Waiting for MFA…” message immediately. This message displays until the challenge is accepted on the user’s device.
  • If you configured only the Software Token or Hardware Token, the user is prompted to submit a passcode.
  • If you configured push notifications and the Software Token and/or Hardware Token, the user is prompted to submit a passcode or tap a button to trigger a push notification. Then the “Waiting for MFA…” message appears and is displayed until the challenge is accepted on the user’s device.

Troubleshoot MFA With RSA ID Plus

You may run into issues authenticating your StrongDM account with RSA ID Plus MFA enabled. The following topics can help you troubleshoot any errors you receive while logging in.

MFA alongside SSO

When you set up an SSO provider to authenticate with StrongDM and also enable MFA in the Admin UI, MFA prompts do not occur during logins. In this scenario, your configured MFA is used only to re-authenticate users when the desktop app locks due to inactivity, not during normal login attempts.

If using SSO, we recommend setting up MFA through your SSO provider to also trigger MFA prompts during user logins.

New device setup or reset

If you get a new mobile device or have to reset your existing device, you may be unable to log in to your applications using RSA ID Plus on the new device. If this situation occurs, use RSA My Page to enroll the new device, and contact your organization’s RSA administrator to provision your device.

RSA SecurID Hardware Token locked

If you cannot pass MFA, the device may be locked. This can happen when too many failed MFA challenge attempts have occurred. You can check RSA My Page to see whether the device is locked. If the device is locked, contact an administrator who can unlock the device in the RSA Cloud Authentication Service.
