← Back to Recipes

How to enable a multiple MFA selector

Replace legacy RSA SecurID with YubiKey passwordless authentication.

Read the docsTry this in Maverics
  • Replace outdated VPN-centric MFA tokens and adopt modern FIDO2 authentication without custom code
  • Enroll users in YubiKey protection without any interruption to existing access workflows
  • Enable modern authentication protection for any on-prem or cloud app
Ingredients
Identity Continuity MFA RSA SecurID YubiKey

Leave a real legacy by modernizing authentication architecture

The recipe diagram

A simple user journey that simply works.

The sequence diagram

How everything comes together to authenticate.

What the user sees

  • Your user will navigate to the existing protected app through their standard access workflow.

  • The user will then either sign in with their app-level credentials or your SSO provider will be leveraged to ensure that the user has the appropriate active group membership for accessing the application.

  • The RSA SecurID step-up authentication process will be followed one last time, asking the user to enter their RSA Keychain Code.

  • A new one-time registration screen will be displayed informing the user they are being registered for YubiKey authentication, and ask for the appropriate user information.

  • Your user will be instructed to enter their known YubiKey PIN and touch the inserted YubiKey dongle to complete the registration.

  • The user will then have access to the protected application as expected.

  • All future user access to this particular app will then bypass the SecurID workflow and follow the new YubiKey authentication steps instead.

What the admin does

  • This recipe demonstrates how to replace your legacy RSA SecurID MFA on critical business apps without any interruption to your users’ access experience or needing to rewrite any code.
  • The traditional method for cutting over from a legacy 2FA solution to modern authentication like YubiKey required permanent rewrites for each protected app, and resulted in an “all or none” first-time access experience.
  • The Maverics Identity Orchestration Platform allows you to phase the deployment of your new YubiKey FIDO2 passwordless security investment for specific groups of users at a time, running both YubiKey and SecurID concurrently until testing is complete and you can retire your RSA solution.
  • Best of all, Maverics minimizes the disruption in the existing authentication workflow that your users have come to expect over the years and no permanent code changes are needed for your protected applications to make the switch.

See it in action

Keep mission critical apps on with Identity Continuity

Interested to see more? We have a full workshop for you!

Watch now

Solve more modernization challenges with ready-to-deploy recipes

Identity Continuity
Active Directory (AD)
Okta
Failover from Okta to on-prem Active Directory (AD)

Keep your critical apps accessible. Use Identity Continuity to allow key users to securely authenticate locally with Keycloak if Microsoft Entra ID ever becomes unavailable.

Identity Continuity
Okta
Entra ID (Azure AD)
Failover from Okta to Microsoft Entra ID

Don’t let Okta take you offline. Use Identity Continuity to allow users to securely authenticate to critical apps with Microsoft Entra ID anytime Okta is unavailable.

Identity Continuity
Keycloak
Entra ID (Azure AD)
Failover from Microsoft Entra ID to on-prem Keycloak

Keep your critical apps accessible. Use Identity Continuity to allow key users to securely authenticate locally with Keycloak if Microsoft Entra ID ever becomes unavailable.

View all recipes

Ready to cook up your perfect identity modernization solution?

Stop juggling disparate identity services. Unleash the power of Strata’s orchestration recipes.
Whether you’re dealing with legacy app modernization or controlling multi-cloud access, Orchestration Recipes have got you covered.

Read the docsTry this in Maverics