
Multiple MFA Selector

Replacing legacy RSA SecurID with YubiKey passwordless authentication. Use this recipe to:

Replace outdated VPN-centric MFA tokens and adopt modern FIDO2 authentication without custom code

Enroll users in YubiKey protection without any interruption to existing access workflows

Enable modern authentication protection for any on-prem or cloud app

Recipe summary: Multiple MFA Selector

This recipe demonstrates how to replace your legacy RSA SecurID MFA on critical business apps without interrupting your users’ access experience or rewriting any code. The traditional method for cutting over from a legacy 2FA solution to modern authentication like YubiKey required permanent rewrites for each protected app, and resulted in an “all or none” first-time access experience. The Maverics Identity Orchestration Platform allows you to phase the deployment of your new YubiKey FIDO2 passwordless security investment for specific groups of users at a time, running both YubiKey and SecurID concurrently until testing is complete and you can retire your RSA solution. Best of all, Maverics minimizes disruption to the authentication workflow that your users have come to expect over the years, and no permanent code changes are needed for your protected applications to make the switch.

Recipe instructions: Multiple MFA Selector

  1. Your user will navigate to the existing protected app through their standard access workflow.

  2. The user will then either sign in with their app-level credentials or your SSO provider will be leveraged to ensure that the user has the appropriate active group membership for accessing the application.

  3. The RSA SecurID step-up authentication process will be followed one last time, asking the user to enter their RSA Keychain Code.

  4. A new one-time registration screen will be displayed, informing the user that they are being registered for YubiKey authentication and asking for the appropriate user information.

  5. Your user will be instructed to enter their known YubiKey PIN and touch the inserted YubiKey dongle to complete the registration.

  6. The user will then have access to the protected application as expected.

  7. All future user access to this particular app will then bypass the SecurID workflow and follow the new YubiKey authentication steps instead.


Recipe YAML config settings: Multiple MFA Selector

Maverics Identity Orchestration works with a simple YAML config* (as shown in the figure to the right). No app rewrites or custom code are required. Download this recipe’s full config file below.

*Config may vary based on your environment.