RSA SecurID Tokens

Document created by RSA Information Design and Development on Jun 13, 2017. Last modified by RSA Information Design and Development on Feb 12, 2018.
Version 3

RSA SecurID tokens offer RSA SecurID two-factor authentication. An RSA SecurID token is a hardware device or software-based security token that generates a 6-digit or 8-digit pseudorandom number, or tokencode, at regular intervals. When the tokencode is combined with a personal identification number (PIN), the result is called a passcode. Users enter passcode values, along with other security information, to verify their identity to resources protected by Authentication Manager.

Requiring these two factors, the tokencode and the PIN, is known as two-factor authentication:

  • Something you have (the token)

  • Something you know (the PIN)

If Authentication Manager validates the passcode, the user is granted access. Otherwise, the user is denied access. (To protect against the use of stolen passcodes, Authentication Manager checks that a passcode has not been used in any previous authentication attempt.)

There are two kinds of SecurID tokens, hardware tokens and software tokens:

  • Hardware tokens generate tokencodes using a built-in clock and the token’s factory-encoded random key, known as the “seed.” Hardware tokens come in several models, such as key fobs and PINPads.
  • Software tokens consist of two components that are installed separately, an application specific to the intended device platform and a token seed record. Software token applications generate tokencodes on the device and offer the same passcode functionality as hardware tokens. Devices include smart phones, computers, and tablets.

Each shipment of tokens includes token seed records that you must import into Authentication Manager. Each token seed record corresponds to an individual RSA SecurID token, and is used by Authentication Manager to generate the correct tokencode when a SecurID authentication request is received from an authentication agent.
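
The following sketch is an added example, not RSA code. It models the server-side flow described above: seed records are imported per serial number, the expected passcode is regenerated from the seed, and a passcode that was already accepted is rejected. The tokencode derivation is a stand-in (HMAC-SHA256 over a time step), not the SecurID algorithm; the 60-second interval, the PIN-then-tokencode passcode layout, and all class and function names are assumptions.

```python
import hashlib
import hmac

INTERVAL = 60  # assumed tokencode lifetime in seconds; the page says only "regular intervals"
DIGITS = 6     # the page allows 6-digit or 8-digit tokencodes

def tokencode(seed: bytes, now: int) -> str:
    """Stand-in derivation (HMAC-SHA256 over the time step), NOT the SecurID algorithm."""
    step = (now // INTERVAL).to_bytes(8, "big")
    digest = hmac.new(seed, step, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 10**DIGITS).zfill(DIGITS)

class ToyServer:
    """Hypothetical model of the validating server: seed records, PINs, replay cache."""
    def __init__(self):
        self.seed_records = {}   # serial -> seed, as imported from the token shipment
        self.assignments = {}    # user -> list of (serial, pin)
        self.used = set()        # (serial, time step) pairs already accepted

    def import_seed_record(self, serial: str, seed: bytes) -> None:
        self.seed_records[serial] = seed

    def assign(self, user: str, serial: str, pin: str) -> None:
        tokens = self.assignments.setdefault(user, [])
        if len(tokens) >= 3:  # the page: up to three tokens per user
            raise ValueError("user already has three tokens")
        if serial not in self.seed_records:
            raise KeyError("no seed record imported for this serial")
        tokens.append((serial, pin))

    def authenticate(self, user: str, passcode: str, now: int) -> bool:
        step = now // INTERVAL
        for serial, pin in self.assignments.get(user, []):
            expected = pin + tokencode(self.seed_records[serial], now)
            # Constant-time comparison avoids leaking how many characters matched.
            if hmac.compare_digest(expected.encode(), passcode.encode()):
                if (serial, step) in self.used:
                    return False  # this passcode was already used once
                self.used.add((serial, step))
                return True
        return False

def demo():
    """Constructed sample data: serial, seed, user and PIN are all made up."""
    srv = ToyServer()
    srv.import_seed_record("000123456789", b"constructed-seed")
    srv.assign("alice", "000123456789", "4321")
    t = 1_700_000_000
    good = "4321" + tokencode(b"constructed-seed", t)
    return [srv.authenticate("alice", good, t),        # first use
            srv.authenticate("alice", good, t + 10),   # replay in the same interval
            srv.authenticate("alice", "0000" + good[4:], t)]  # wrong PIN
```
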

Authentication Manager logs the serial numbers of SecurID tokens used to authenticate. By default, Authentication Manager logs the serial number in the clear, but you can mask the serial numbers of tokens when logging to syslog or using SNMP if you want to avoid transmitting and recording the serial number in the clear. RSA recommends masking token serial numbers for added security.

You can assign up to three RSA SecurID tokens to each authorized user on a protected system.

All tokens require similar administrative tasks. Following deployment, you can perform many token-related administrative tasks with the User Dashboard in the Security Console. For more information, see User Dashboard.

For deployments that have an Active Directory identity source, you can also manage hardware and software tokens with the RSA Token Management snap-in for the Microsoft Management Console (MMC). The RSA Token Management snap-in extends the context menus, property pages, control bars, and toolbars in the Active Directory Users and Computers snap-in. RSA SecurID Access Authenticator Tokencodes are not managed by the RSA Token Management snap-in.

By default, RSA provides hardware and software tokens that require a PIN and strongly recommends that you use PINs for all tokens. PINs provide the second factor in RSA SecurID two-factor authentication. RSA Authentication Manager also supports authentication with tokens that do not require an RSA SecurID PIN. The user can authenticate with the current tokencode only. In such a case, an alternative second factor, for example, a user’s network password, is used.