Troubleshooting guide

1: Important RSA Authentication Manager 8.1 Changes
RSA Authentication Manager 6.1 to 8.1 Migration Guide
Risk-Based Authentication
Risk-based authentication (RBA) identifies potentially risky or fraudulent
authentication attempts by silently analyzing user behavior and the device of origin.
RBA strengthens RSA SecurID authentication and traditional password-based
authentication. If the assessed risk is unacceptable, the user is challenged to further
confirm his or her identity by using one of the following methods:
• On-demand authentication (ODA). The user must correctly enter a PIN and a
  one-time tokencode that is sent to a preconfigured mobile phone number or e-mail
  account.
• Security questions. The user must correctly answer one or more security
  questions. Correct answers to questions can be configured on the Self-Service
  Console or during authentication when silent collection is enabled.
RSA Authentication Manager contains a risk engine that intelligently accumulates
and assesses knowledge about each user's device and behavior over time. When the
user attempts to authenticate, the risk engine refers to the collected data to evaluate the
risk. The risk engine then assigns an assurance level such as high, medium, or low to
the user's authentication attempt. RBA compares this to the minimum acceptable level
of assurance that you have configured. If the assurance level of the attempt is below that
minimum, meaning the risk is higher than you have chosen to accept, the user is prompted
to confirm his or her identity by answering security questions or using ODA.
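
The step-up decision described above, sketched as an added example; this is not RSA code and does not reflect the product's risk engine. The device-count scoring, the field names, the order in which a challenge method is chosen, and the rule that a device is remembered only after a successful attempt are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Optional

class Assurance(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass
class UserProfile:
    # Hypothetical per-user state; these field names are not from the product.
    known_devices: dict = field(default_factory=dict)  # device id -> successful logins
    oda_destination: Optional[str] = None   # preconfigured phone number or e-mail
    has_security_answers: bool = False      # answers already enrolled

def assess(profile: UserProfile, device_id: str) -> Assurance:
    """Toy stand-in for the risk engine: more history with a device, more assurance."""
    seen = profile.known_devices.get(device_id, 0)
    if seen >= 5:
        return Assurance.HIGH
    return Assurance.MEDIUM if seen >= 1 else Assurance.LOW

def choose_challenge(profile: UserProfile) -> Optional[str]:
    """Pick an identity-confirmation method the user is actually able to complete."""
    if profile.oda_destination:
        return "oda"
    return "security_questions" if profile.has_security_answers else None

def authenticate(profile: UserProfile, device_id: str, minimum: Assurance,
                 primary_ok: bool,
                 confirm: Optional[Callable[[str], bool]] = None):
    """Return (outcome, assurance). confirm(method) runs the step-up challenge."""
    if not primary_ok:                      # password or SecurID check failed
        return "deny", None
    level = assess(profile, device_id)
    outcome = "allow"
    if level < minimum:                     # assurance too low: step-up required
        method = choose_challenge(profile)
        if method is None or confirm is None or not confirm(method):
            return "deny", level            # nothing is learned from a failed attempt
        outcome = "allow_after_" + method
    # Only successful attempts add to what is known about the device.
    profile.known_devices[device_id] = profile.known_devices.get(device_id, 0) + 1
    return outcome, level
```
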
Web Tier
A web tier is a lightweight application server that hosts several Authentication
Manager services securely in the network DMZ. Services such as risk-based
authentication (RBA), the Cryptographic Token Key Initialization Protocol (CT-KIP)
for the dynamic provisioning of software tokens, and the Self-Service Console may be
required by users outside of your corporate network. If your network has a DMZ, you
can use a web tier to deploy these services in the DMZ.
A web tier in your DMZ offers the following benefits:
• Protects your internal network from any unfiltered internet traffic from the
  Self-Service Console, the CT-KIP server and RBA users. Web-tier servers receive
  and manage inbound internet traffic before it enters your private network.
• Allows you to customize the RBA service and web-based application user
  interface.
• Improves system performance by removing some processing tasks from the
  back-end server.
The primary and replica instances are inside a firewall in your private network.