# MFA with RSA ID Plus

RSA ID Plus is available as a multi-factor authentication (MFA) option for your StrongDM users. This guide describes how to set up and configure MFA using RSA ID Plus.

### Prerequisites

* StrongDM Administrator account
* Administrator access to your organization's RSA Cloud Authentication Service
* RSA Authenticator app installed on a device that you can access and enrolled with your RSA organization. Note that the user must enroll at least one of the following: RSA Authenticator app or RSA SecurID Hardware Token. The enrollment link can be found in the Cloud Authentication Service at **Access** > **My Page**. The format is `https://<ORGANIZATION>.auth.securid.com/mypage`.

### Configure RSA Cloud Authentication Service

The first part of the setup process takes place in the RSA ID Plus platform. Perform the following steps to configure the RSA Cloud Authentication Service.

1. Log in as an administrator to the RSA Cloud Authentication Service at `https://<ORGANIZATION>.access.securid.com/`.
2. Go to **My Account** > **Company Settings** > **Sessions & Authentication**.
   1. In the **Code Matching Configuration** section, ensure that the slider called **Strict code matching enforcement** is set to `Disabled`.
   2. In the **Hardware Authenticator** section, ensure that **Allow alphanumeric characters in hardware authenticator PINs** is not selected.
3. Go to **Platform** > **API Access Management**.
   1. Under **Administration API Keys**, create your API key.
   2. Download the key file.
   3. Under **Authentication API Keys**, create the API key.
   4. Copy the **SecurID Authentication API REST URL** value and the created API key for use in the next step.

RSA ID Plus setup is now complete. Keep this browser window open in case you need to recopy the URL or API key when setting up RSA ID Plus as an MFA provider in StrongDM in the next section.

### Set up the MFA Provider in StrongDM

The setup continues in the StrongDM Admin UI.

1. Go to **Settings** > **Security**.
2. In the **Multi-factor Authentication** section, click the lock to make changes to the fields.
3. For **Enforce Multi-Factor Authentication?**, select **Yes**.
4. For **Provider**, select **RSA ID Plus**.
5. For **Authentication API URL**, enter the SecurID Authentication API REST URL copied from the RSA configuration (for example, `https://<ORGANIZATION>.auth.securid.com:443`).
6. For **Authentication API Key**, enter the authentication API key copied from the RSA configuration.
7. For **Administration API Key**, enter the full JSON copied from the downloaded administration API key file.

{% hint style="info" %}
Regarding the following options for push notifications and TOTP, the admin setting up MFA must select at least one option. If more than one option is selected, the user will choose one of them during MFA verification.
{% endhint %}

8. Select **Software Token** if you want to require the user to enter an 8-digit passcode from the RSA Authenticator app.
9. Select the checkbox for **Push notification** to enable users to be challenged by a push notification to their mobile device.
10. For **Disable biometrics**, select the checkbox if you don't need users to use biometrics to verify their identity. When selected, users are only required to tap the **approve** or **reject** buttons in the push notification. If you want to require users to use biometrics to verify, leave the box unchecked.
11. Select **Hardware Token** if you want to require the user to enter their PIN followed by a 6-digit passcode displayed on the RSA SecurID Hardware Token.
12. Click **Test** to test the MFA settings. This requires the email address of your currently logged-in user to be registered as a user in RSA, with a device enrolled in RSA My Page. To test both outcomes, you can run a test and reject the login using the RSA Authenticator app or RSA SecurID Hardware Token, then run it again and approve it.
13. Once you are satisfied with your settings, click **Save** to enable RSA ID Plus MFA. This displays a warning message that users cannot log in without MFA enrollment going forward.

{% hint style="warning" %}
Ensure that the test works correctly before activating MFA or your admin account may become locked out!
{% endhint %}

### Log in With RSA ID Plus Enabled

Once RSA ID Plus is enabled, the login process for a user consists of entering their username and password on the StrongDM Admin UI, desktop app, or CLI and then responding to one of the following options, depending on your configuration:

* If you configured push notifications only, the user sees the "Waiting for MFA..." message immediately. This message displays until the challenge is accepted on the user's device.
* If you configured only the Software Token or Hardware Token, the user is prompted to submit a passcode.
* If you configured push notifications and the Software Token and/or Hardware Token, the user is prompted to submit a passcode or tap a button to trigger a push notification. Then the "Waiting for MFA..." message appears and is displayed until the challenge is accepted on the user's device.
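The following Python snippet is an added example (not StrongDM or RSA code) that encodes the constraints from the provider setup steps above and the three login prompt cases just listed: it validates a set of Admin UI field values before you click **Save** (HTTPS `*.auth.securid.com` URL, non-empty authentication key, administration key supplied as full JSON, at least one of Software Token, Push notification, or Hardware Token selected) and reports which prompt a user will see after entering their password. The `RsaIdPlusSettings` dataclass and the function names are assumptions chosen for the example; the field meanings mirror the Admin UI fields described on this page.

```python
"""Pre-save checks for a StrongDM RSA ID Plus MFA provider configuration.

Added example, not StrongDM's or RSA's own code. The settings object and
function names are assumptions; the rules come from the setup steps above.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class RsaIdPlusSettings:
    auth_api_url: str           # "Authentication API URL" field
    auth_api_key: str           # "Authentication API Key" field
    admin_api_key_json: str     # full JSON from the downloaded admin key file
    software_token: bool = False    # 8-digit passcode from RSA Authenticator app
    push_notification: bool = False  # push challenge to the user's device
    disable_biometrics: bool = False  # tap approve/reject only, no biometrics
    hardware_token: bool = False     # PIN + 6-digit SecurID hardware tokencode


def validate_settings(s: RsaIdPlusSettings) -> list:
    """Return a list of problems; an empty list means the settings look usable."""
    problems = []

    # The REST URL copied from RSA has the form https://<ORG>.auth.securid.com:443.
    u = urlparse(s.auth_api_url)
    host = u.hostname or ""
    if u.scheme != "https" or not host.endswith(".auth.securid.com"):
        problems.append(
            "Authentication API URL must look like "
            "https://<ORGANIZATION>.auth.securid.com:443")

    if not s.auth_api_key.strip():
        problems.append("Authentication API Key is empty")

    # The Administration API Key field expects the whole key file, which is JSON.
    try:
        if not isinstance(json.loads(s.admin_api_key_json), dict):
            raise ValueError("not a JSON object")
    except ValueError:
        problems.append(
            "Administration API Key must be the full JSON from the downloaded key file")

    # The admin must select at least one verification option.
    if not (s.software_token or s.push_notification or s.hardware_token):
        problems.append(
            "Select at least one of Software Token, Push notification, or Hardware Token")

    return problems


def login_prompt(s: RsaIdPlusSettings) -> str:
    """Which prompt a user sees after username/password, per the three cases above."""
    passcode_option = s.software_token or s.hardware_token
    if s.push_notification and passcode_option:
        return "passcode-or-push"   # user types a passcode or taps to trigger a push
    if s.push_notification:
        return "waiting-for-mfa"    # "Waiting for MFA..." appears immediately
    if passcode_option:
        return "passcode"           # user is prompted for a passcode only
    raise ValueError("no MFA verification option is enabled")


if __name__ == "__main__":
    # Constructed sample values; <ORGANIZATION> stands in for a real tenant name.
    sample = RsaIdPlusSettings(
        auth_api_url="https://example-org.auth.securid.com:443",
        auth_api_key="CONSTRUCTED-AUTH-KEY",
        admin_api_key_json='{"placeholder": "constructed admin key file"}',
        software_token=True,
        push_notification=True,
    )
    print("problems:", validate_settings(sample))
    print("prompt:", login_prompt(sample))
```

Run the checks against the values you intend to paste into the Admin UI before clicking **Save**; the warning about the **Test** step still applies, since this only catches shape errors, not a wrong key or an unenrolled user.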

### Troubleshoot MFA With RSA ID Plus

You may run into issues authenticating your StrongDM account with RSA ID Plus MFA enabled. The following topics can help you troubleshoot any errors you receive while logging in.

#### MFA alongside SSO

When you set up an SSO provider to authenticate with StrongDM and also enable MFA in the Admin UI, MFA prompts during logins do not occur. In this scenario, your configured MFA only plays a role to re-authenticate users when the desktop app locks due to inactivity, not during normal login attempts.

If using SSO, we recommend setting up MFA through your SSO provider to also trigger MFA prompts during user logins.

#### New device setup or reset

If you get a new mobile device or have to reset your existing device, you may be unable to log in to your applications using RSA ID Plus on the new device. If this situation occurs, use [RSA My Page](https://<ORGANIZATION>.auth.securid.com/mypage) to enroll the new device, and contact your organization's RSA administrator to provision your device.

{% hint style="warning" %}
StrongDM is unable to assist with enrolling individual end-user devices for MFA.
{% endhint %}

#### RSA SecurID Hardware Token locked

If you cannot pass MFA, the device may be locked. This can happen after too many failed MFA challenge attempts. Check RSA My Page to see whether the device is locked. If it is, contact an administrator, who can unlock the device in the RSA Cloud Authentication Service.

