RSA Adds SecurID Two-Factor Authentication to Microsoft Azure Cloud

Microsoft Active Directory Federation Services now supports RSA SecurID token authentication to secure Office 365 applications, Microsoft Exchange, and Azure Cloud.

Organizations can now use their SecurID two-factor authentication deployments to secure cloud applications running on Microsoft Windows Active Directory Federation Services (ADFS), RSA Security said.

Users will be able to add multi-factor authentication into Office 365 applications, including Microsoft Exchange and Microsoft Azure, and still use Active Directory roles to control authentication for both on-premise applications and cloud systems, EMC-subsidiary RSA Security said Nov. 7.

ADFS allows customers to use their Active Directory roles in the cloud to achieve single sign capabilities for corporate networks and the cloud. The fact that ADFS now supports two-factor authentication out of the box adds another level of centralized authentication and authorization to the environment, according to RSA Security.

RSA's SecurID token generates a one-time-password every 30 seconds to two minutes. On systems that have SecurID enabled, users have to first enter their username and password, and then the generated one-time-password to gain access. This integration would allow Azure developers to build applications that use SecurID to handle authentication.

Organizations can use the hardware token that's already deployed in the enterprise, Karen Kiffney, a senior product marketing manager at RSA, told eWEEK.

This isn't the first time RSA partnered up with Microsoft. The two companies have teamed up in the past to protect data loss prevention tools and data classification service.

RSA is trying to convince customers to stick with SecurID even after the data breach that damaged two-factor authentication technology's reputation earlier this year. Unknown attackers managed to breach RSA's corporate networks using a combination of malware, zero-day vulnerabilities and social engineering to steal information related to SecurID. There are over 40 million people in at least 30,000 organizations worldwise using the technology.

As a result of the attack on RSA, IT security professionals were considering moving away from hardware-based two-factor authentication tokens such as SecurID toward risk-based authentication and software-based tokens, Andras Cser, a principal analyst with Forrester Research wrote in a research note.

The fact that Microsoft chose RSA to protect its cloud environment with SecurID was validation that the company has moved beyond the incident, a RSA spokesperson said. The company has offered to replace tokens, made some changes to its manufacturing process, and the breach was a "one time event," Kiffney said.

Customers are more curious about what RSA learned as a result of the breach, and what tactics they should be using, Phil Aldrich, RSA's senior product marketing manager, told eWEEK. "Customers see that we detected and stopped the attack as it was happening and want to know how to do that," Aldrich said.

The integration is available for no extra fee for all SecurID users and there's no additional work needed to get this to work. "It just will work out of the box," Kiffney said. If the customer is already a SecurID customer, then they know it's going to work with everything, regardless of whether it's in the cloud in Azure, or on-premise.

RSA made a similar announcement for Citrix Receiver. Organizations were using Citrix Receiver in a virtual application delivery environment and protecting the session with usernames and passwords. Citrix Receiver can be used with Windows, Mac and Linux desktops and laptops, think clients, and mobile devices running Apple iOS, Google Android, or Research in Motion phones, according to RSA.

In the past, organizations who wanted to use SecurID on Citrix Receiver would have to switch to the software token app on the mobile device to obtain the one-time password. Now the software is part of a software developer kit (SDK) that allows the application that called the software token to obtain the passcode in the background automatically.

This capability is available in Citrix Receiver, Juniper JUNOS Pulse and VMware View, RSA said. In order to prevent Citrix session hijacking, the authentication technology is now built into the receiver.

"Hackers have to jump through much bigger hoops to abuse an identity and get to data since that data doesn't exist by default on the device itself," Sam Curry, CTO of RSA Security, wrote on the blog.