RSA SecurID (new style, SID800 model with smartcard functionality)
The RSA SecurID authentication mechanism consists of a "token", either hardware (e.g. a key fob) or software (a soft token), which is assigned to a computer user and which creates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the card's factory-encoded almost random key (known as the "seed"). The seed is different for each token, and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server) as the tokens are purchased. On-demand tokens are also available, which provide a tokencode via email or SMS delivery, eliminating the need to provision a token to the user.
The token hardware is designed to be tamper-resistant to deter reverse engineering. When software implementations of the same algorithm ("software tokens") appeared on the market, public code had been developed by the security community allowing a user to emulate RSA SecurID in software, but only if they have access to a current RSA SecurID code, and the original 64-bit RSA SecurID seed file introduced to the server. Later, the 128-bit RSA SecurID algorithm was published as part of an open source library. In the RSA SecurID authentication scheme, the seed record is the secret key used to generate one-time passwords. Newer versions also feature a USB connector, which allows the token to be used as a smart card-like device for securely storing certificates.
A user authenticating to a network resource (say, a dial-in server or a firewall) needs to enter both a personal identification number and the number being displayed at that moment on their RSA SecurID token. Though increasingly rare, some systems using RSA SecurID disregard PIN implementation altogether, and rely on password/RSA SecurID code combinations. The server, which also has a real-time clock and a database of valid cards with the associated seed records, authenticates a user by computing what number the token is supposed to be showing at that moment in time and checking this against what the user entered.
On older versions of SecurID, a "duress PIN" may be used: an alternate code which creates a security event log showing that a user was forced to enter their PIN, while still providing transparent authentication. Using the duress PIN would allow one successful authentication, after which the token will automatically be disabled. The "duress PIN" feature has been deprecated and is not available on currently supported versions.
While the RSA SecurID system adds a layer of security to a network, difficulty can occur if the authentication server's clock becomes out of sync with the clock built into the authentication tokens. Normal token clock drift is accounted for automatically by the server by adjusting a stored "drift" value over time. If the out of sync condition is not a result of normal hardware token clock drift, correcting the synchronization of the Authentication Manager server clock with the out of sync token (or tokens) can be accomplished in several different ways. If the server clock had drifted and the administrator made a change to the system clock, the tokens can either be resynchronized one-by-one, or the stored drift values adjusted manually. The drift can be done on individual tokens or in bulk using a command line utility.
RSA Security has pushed forth an initiative called "Ubiquitous Authentication", partnering with device manufacturers such as IronKey, SanDisk, Motorola, Freescale Semiconductor, Redcannon, Broadcom, and BlackBerry to embed the SecurID software into everyday devices such as USB flash drives and cell phones, to reduce cost and the number of objects that the user must carry.
Token codes are easily stolen, because no mutual-authentication exists (anything that can steal a password can also steal a token code). This is significant, since it is the principal threat most users believe they are solving with this technology.
The simplest practical vulnerability with any password container is losing the special key device or the activated smart phone with the integrated key function. Such vulnerability cannot be healed with any single token container device within the preset time span of activation. All further consideration presumes loss prevention, e.g. by additional electronic leash or body sensor and alarm.
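The server-side check and the stored "drift" adjustment described on this page, as an added example (not RSA's code and not from the original page). Assumptions: HMAC-SHA256 stands in for the SecurID algorithm, and the 6-digit code length, the one-interval acceptance window, the replay guard and the names `TokenRecord`, `tokencode` and `verify` are hypothetical.

```python
import hashlib
import hmac
import struct

INTERVAL = 60   # seconds per tokencode, as stated on the page
WINDOW = 1      # intervals accepted either side of the expected one (assumed)


def tokencode(seed: bytes, counter: int) -> str:
    """Stand-in generator: HMAC-SHA256 truncated to 6 digits (NOT SecurID's algorithm)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class TokenRecord:
    """Server-side record for one token: its seed plus the stored drift."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.drift = 0           # stored drift, in whole intervals
        self.last_counter = -1   # newest interval already accepted (assumed replay guard)


def verify(rec: TokenRecord, entered: str, server_time: int) -> bool:
    """Compute what the token should be showing now and compare with the entry."""
    expected = server_time // INTERVAL + rec.drift
    # Try the expected interval first, then its neighbours inside the window.
    for offset in sorted(range(-WINDOW, WINDOW + 1), key=abs):
        counter = expected + offset
        if counter <= rec.last_counter:
            continue  # a code for this interval or an earlier one was already used
        if hmac.compare_digest(tokencode(rec.seed, counter), entered):
            rec.drift += offset          # follow the token's clock over time
            rec.last_counter = counter
            return True
    return False
```

A token whose clock is further off than the window is rejected here, which corresponds to the out-of-sync case the page says needs resynchronization or a manual drift adjustment.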