SecurID

From Wikipedia, the free encyclopedia

RSA SecurID token

RSA SecurID tokens (older style)

RSA SecurID is a mechanism developed by RSA Security for performing two-factor authentication to a user to a network resource.

The RSA SecurID authentication mechanism consists of a "token"—a piece of hardware (e.g. a token or USB) or software (e.g. a "soft token" for a PDA or cell phone) assigned to a computer user that generates an authentication code every sixty seconds using a built-in clock and the card's factory-encoded random key (known as the "seed" and often provided as a *.asc file). The seed is different for each token, and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server) as the tokens are purchased. The seed is typically 128 bits long. Some RSA SecurID deployments may use varied second rotations, such as 30-second increments.

The token hardware is designed to be tamper-resistant to deter reverse engineering of the token. There have been 15 years of no reported breaches. Despite this, public code has been developed by the security community allowing a user to emulate RSA SecurID in software, but only if they have access to a current RSA SecurID code, and the original RSA SecurID seed file introduced to the server.

A user authenticating to a network resource—say, a dial-in server or a firewall—needs to enter both a personal identification number and the number being displayed at that moment on their RSA SecurID token. Some systems using RSA SecurID disregard PIN implementation altogether, and rely on password/RSA SecurID code combinations. The server, which also has a real-time clock and a database of valid cards with the associated seed records, computes what number the token is supposed to be showing at that moment in time, checks it against what the user entered, and makes the decision to allow or deny access.

On systems implementing PINs, a "duress PIN" may be used—an alternate code which creates a security event log showing that a user was forced to enter their PIN, while still providing transparent authentication.

While the RSA SecurID system adds a strong layer of security to a network, difficulty can occur if the authentication server's clock becomes out of sync with the clock built in to the authentication tokens. However, typically the RSA Authentication Manager automatically corrects for this without affecting the user. It is also possible to manually resync a token in the RSA Authentication Manager. Also, providing authentication tokens to everyone who might need to access a network resource can potentially be expensive, particularly as the tokens are programmed to "expire" at a fixed time, usually three years, requiring purchase of a new token.

RSA SecurID currently commands over 70% of the two-factor authentication market (source: IDC) and 25 million devices have been produced to date. RSA Security has pushed forth an initiative they call "Ubiquitous Authentication", partnering with device manufacturers such as SanDisk, Motorola, Freescale Semiconductor, Redcannon, Broadcom and Blackberry to embed the SecurID software into everyday devices such as memory sticks and cell phones, in order to reduce both cost and the number of objects the user has to carry around.

Other network authentication systems, such as S/Key (sometimes known as OTP, as S/Key is a trademark of Bellcore,) attempt to provide the "something you have" level of authentication without requiring a hardware token.