RSA SecurID tokens offer RSA SecurID two-factor authentication. An RSA SecurID token is a hardware device or software-based security token that generates a 6-digit or 8-digit pseudorandom number, or tokencode, at regular intervals. When the tokencode is combined with a personal identification number (PIN), the result is called a passcode. Users enter passcode values, along with other security information, to verify their identity to resources protected by Authentication Manager.
Requiring these two factors, the tokencode and the PIN, is known as two-factor authentication:
Something you have (the token)
Something you know (the PIN)
If Authentication Manager validates the passcode, the user is granted access. Otherwise, the user is denied access. (To protect against the use of stolen passcodes, Authentication Manager checks that a passcode has not been used in any previous authentication attempt.)
There are two kinds of SecurID tokens, hardware tokens and software tokens:
- Hardware tokens generate tokencodes using a built-in clock and the token’s factory-encoded random key. Hardware tokens come in several models.
- Software tokens require an application that is specific to the intended device platform, such as a specific operating system on smart phones, computers, or tablets. Users obtains the software token symmetric key by scanning a QR code, importing an email attachment, or through some other approach. The software token applications generate tokencodes on the device and offer the same passcode functionality as hardware tokens.
An administrator can securely download a software token license XML file or receive a secure physical shipment with the required token license information for hardware or software tokens. Importing the token license XML file allows Authentication Manager to generate the correct tokencode when a SecurID authentication request is received from an authentication agent.
Authentication Manager logs the serial numbers of SecurID tokens used to authenticate. By default, Authentication Manager logs the serial number in the clear, but you can mask the serial numbers of tokens when logging to syslog or using SNMP if you want to avoid transmitting and recording the serial number in the clear. RSA recommends masking token serial numbers for added security.
You can assign up to three RSA SecurID tokens to each authorized user on a protected system.
All tokens require similar administrative tasks. Following deployment, you can perform many token-related administrative tasks with the User Dashboard in the Security Console. For more information, see User Dashboard.
For deployments that have an Active Directory identity source, you can also manage hardware and software tokens with the RSA Token Management snap-in for the Microsoft Management Console (MMC). The RSA Token Management snap-in extends the context menus, property pages, control bars, and toolbars in the Active Directory Users and Computers snap-in. RSA SecurID Access Authenticator Tokencodes are not managed by the RSA Token Management snap-in.
By default, RSA provides hardware and software tokens that require a PIN and strongly recommends that you use PINs for all tokens. PINs provide the second factor in RSA SecurID two-factor authentication. RSA Authentication Manager also supports authentication with tokens that do not require an RSA SecurID PIN. The user can authenticate with the current tokencode only. In such a case, an alternative second factor, for example, a user’s network password, is used.