SecurID Tokens
RSA SecurID tokens offer RSA SecurID two-factor authentication. An RSA SecurID token is a hardware device or software-based security token that generates a 6-digit or 8-digit pseudorandom number, or tokencode, at regular intervals. When the tokencode is combined with a personal identification number (PIN), the result is called a passcode. Users enter passcode values, along with other security information, to verify their identity to resources protected by AM.
Requiring these two factors, the tokencode and the PIN, is known as two-factor authentication:
- Something you have (the token)
- Something you know (the PIN)
If AM validates the passcode, the user is granted access. Otherwise, the user is denied access. (To protect against the use of stolen passcodes, Authentication Manager checks that a passcode has not been used in any previous authentication attempt.)
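The passcode check and reuse rule described above, as an added example that is not RSA's code. The SecurID tokencode algorithm is not given on this page, so RFC 6238 TOTP (HMAC-SHA1) stands in for it; PasscodeValidator, the seed and the PIN are hypothetical. It assumes a 60-second interval and no clock-drift window.

```python
import hashlib
import hmac
import struct

INTERVAL = 60  # seconds per tokencode ("typically every 60 seconds" on this page)
DIGITS = 6     # the page mentions 6-digit or 8-digit tokencodes


def tokencode(seed: bytes, now: int, digits: int = DIGITS) -> str:
    """Stand-in generator: RFC 6238 TOTP (HMAC-SHA1), NOT the SecurID algorithm."""
    counter = struct.pack(">Q", now // INTERVAL)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class PasscodeValidator:
    """Hypothetical server-side check: PIN + tokencode, each interval accepted once."""

    def __init__(self, seed: bytes, pin: str):
        self.seed = seed          # symmetric key shared with the token
        self.pin = pin            # constructed sample value, kept in memory for the demo
        self.last_interval = -1   # highest time step already consumed

    def validate(self, passcode: str, now: int) -> bool:
        step = now // INTERVAL
        expected = self.pin + tokencode(self.seed, now)
        # Constant-time comparison so timing does not leak partial matches.
        if not hmac.compare_digest(passcode.encode(), expected.encode()):
            return False
        # Reuse check: a passcode from an interval that was already consumed
        # is refused, so a captured passcode fails even inside its own window.
        if step <= self.last_interval:
            return False
        self.last_interval = step
        return True
```

Tracking the last consumed interval is one way to implement the reuse rule; a deployment that tolerates clock drift would compare against neighbouring intervals as well and still refuse any interval at or below the last one accepted.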
There are two kinds of SecurID tokens, hardware tokens and software tokens:
- Hardware tokens generate tokencodes using a built-in clock and the token’s factory-encoded random key. Hardware tokens come in several models.
- Software tokens require an application that is specific to the intended device platform, such as a specific operating system on smart phones, computers, or tablets. Users obtain the software token symmetric key by scanning a QR code, importing an email attachment, or through some other approach. The software token applications generate tokencodes on the device and offer the same passcode functionality as hardware tokens.
An administrator can securely download a software token license XML file or receive a secure physical shipment with the required token license information for hardware or software tokens. Importing the token license XML file allows AM to generate the correct tokencode when a SecurID authentication request is received from an authentication agent.
AM logs the serial numbers of SecurID tokens used to authenticate. By default, AM logs the serial number in the clear, but you can mask the serial numbers of tokens when logging to syslog or using SNMP if you want to avoid transmitting and recording the serial number in the clear. RSA recommends masking token serial numbers for added security.
You can assign up to three RSA SecurID tokens to each authorized user on a protected system.
All tokens require similar administrative tasks. Following deployment, you can perform many token-related administrative tasks with the User Dashboard in the Security Console. For more information, see User Dashboard.
For deployments that have an Active Directory identity source, you can also manage hardware and software tokens with the RSA Token Management snap-in for the Microsoft Management Console (MMC). The RSA Token Management snap-in extends the context menus, property pages, control bars, and toolbars in the Active Directory Users and Computers snap-in. RSA Authenticator Tokencodes are not managed by the RSA Token Management snap-in.
By default, RSA provides hardware and software tokens that require a PIN and strongly recommends that you use PINs for all tokens. PINs provide the second factor in RSA SecurID two-factor authentication. RSA Authentication Manager also supports authentication with tokens that do not require an RSA SecurID PIN. The user can authenticate with the current tokencode only. In such a case, an alternative second factor, for example, a user’s network password, is used.
RSA SecurID Hardware Tokens
The SecurID 700 Authenticator easily connects to any key ring. The user simply reads the changing display (typically every 60 seconds) and uses it as part of a dynamic and always-changing password.
You can use this token with AM or Cloud Authentication Service (CAS). This hardware token generates and displays a new tokencode at a predefined time interval, typically every 60 seconds.
When Cloud Authentication Service is integrated with AM, users with RSA SecurID tokens can access SaaS and on-premises web applications and RADIUS clients protected by CAS. For more information, see Enable RSA SecurID Token Users to Access Resources Protected by the Cloud Access Service.
To protect cloud-based resources when AM is not deployed, you can assign SecurID 700 hardware tokens to Cloud Authentication Service users and manage the tokens in the Cloud Administration Console. If you have a Cloud-only deployment and you want to enable hardware tokens, contact your RSA Sales representative or Channel Partner.
The following hardware tokens are no longer sold by RSA:
RSA SecurID 800 Hybrid Authenticator
The RSA SecurID Authenticator SecurID 800 is both an RSA SecurID authenticator and a USB smart card (USB token) with a built-in reader.
RSA SecurID 520 Authenticator
With this device, the user enters the PIN on a numeric keypad to display the passcode.
RSA SecurID 200 Authenticator
RSA SecurID Software Tokens
RSA SecurID tokens are available in a software form-factor that you can install on an RSA Authenticator app on various devices.
The RSA Authentication Manager provides a centralized administration interface for issuing RSA SecurID software tokens to the supported device types. You can add information to software tokens such as device type, device serial number, or token nickname using token extension fields.