Forefront Unified Access Gateway (UAG) supports the RSA SecurID authentication scheme. This scheme authenticates the user on an RSA ACE/Server. When challenged, the user enters a password that is a combination of two numbers: a personal identification number (PIN), supplied by RSA, and a token code, which is the number displayed on the RSA SecurID authenticator.

The RSA SecurID scheme also supports two additional challenge-response modes: Next Token and New PIN, as described below.

Next Token mode

Next Token mode is applied in cases where the authentication process requires additional verification of the token code. The user is challenged to enter the next token code; that is, to wait for the number that is displayed on the authenticator to change, and enter the new number (without the PIN).

New PIN mode

New PIN mode is applied in cases where the authentication process requires additional verification of the PIN. In this case, the user must use a new PIN. Depending on the configuration of the RSA ACE/Server, the user is prompted to select and enter a new PIN, or the server supplies the user with a new PIN. The user then reauthenticates with the new PIN.

The use of the New PIN mode is optional and can be enabled or disabled in both the authentication server and the Forefront UAG Management console. If the settings are not the same, the Forefront UAG Management console takes precedence over the authentication server settings.

Note:
For security reasons, it is recommended that you do not enable the New PIN mode.

RSA SecurID authentication flow

The following figure illustrates the authentication process users pass through when the RSA SecurID scheme is implemented.

Note:
The flow includes both Next Token and New PIN modes, which are only applicable under the conditions described above. The flow allows for three login attempts, after which login failure is final. The actual number of login attempts users are allowed is configurable.

Figure: RSA SecurID Authentication Flow
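The flow described above, modelled as a gateway-side state machine. This is an added example, not Forefront UAG or RSA code: `login`, `FakeServer`, `scripted` and the `Reply` values are hypothetical names, and the server is a constructed stand-in with scripted token codes. Two behaviours are assumptions of this model: a New PIN challenge refused by the gateway counts as a failed attempt, and reauthenticating after a PIN change uses up an attempt.

```python
from enum import Enum

class Reply(Enum):          # replies of the constructed stand-in server below
    OK, DENIED, NEXT_TOKEN, NEW_PIN = range(1, 5)

def login(server, ask, new_pin_enabled=False, max_attempts=3):
    """Gateway-side flow. server(kind, value) -> Reply; ask(kind) -> user input."""
    steps = []
    for _ in range(max_attempts):
        reply = server("passcode", ask("passcode"))          # PIN + token code
        steps.append(("passcode", reply))
        if reply is Reply.NEXT_TOKEN:
            reply = server("next_token", ask("next_token"))  # token code only, no PIN
            steps.append(("next_token", reply))
        if reply is Reply.NEW_PIN:
            if new_pin_enabled:
                server("new_pin", ask("new_pin"))
                steps.append(("new_pin", Reply.OK))
            else:
                # The gateway setting takes precedence over the server's.
                # Assumption: the refused challenge counts as a failed attempt.
                steps.append(("new_pin", Reply.DENIED))
            continue                                         # user reauthenticates
        if reply is Reply.OK:
            return True, steps
    return False, steps                                      # login failure is final

class FakeServer:
    """Constructed stand-in: scripted token codes, no real token algorithm."""
    def __init__(self, pin, codes, pending=None):
        self.pin, self.codes, self.pending = pin, list(codes), pending
    def __call__(self, kind, value):
        if kind == "new_pin":
            self.pin, self.pending = value, None
            return Reply.OK
        code = self.codes.pop(0)                 # code currently on the authenticator
        if kind == "next_token":
            self.pending = None
            return Reply.OK if value == code else Reply.DENIED
        if value != self.pin + code:
            return Reply.DENIED
        return self.pending or Reply.OK          # pending challenge, if any

def scripted(answers):      # constructed user: scripted answers per prompt kind
    queues = {k: list(v) for k, v in answers.items()}
    return lambda kind: queues[kind].pop(0)

if __name__ == "__main__":
    srv = FakeServer("1234", ["111111", "222222"], Reply.NEXT_TOKEN)
    print(login(srv, scripted({"passcode": ["1234111111"], "next_token": ["222222"]})))
```

With `new_pin_enabled=False`, a server that keeps demanding a new PIN exhausts all attempts even though every passcode is correct, which is the visible effect of the gateway setting overriding the server's.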