RSA SecurID Authentication Process

Document created by RSA Information Design and Development on Jun 13, 2017. Last modified by RSA Information Design and Development on Jun 13, 2017.
Version 2

The RSA SecurID authentication process involves the interaction of three distinct products:

  • RSA SecurID authenticators, also known as tokens, which generate one-time authentication credentials for a user.

  • RSA Authentication Agents, which are installed on client devices and send authentication requests to the Authentication Manager.

  • RSA Authentication Manager, which processes the authentication requests and allows or denies access based on the validity of the authentication credentials sent from the authentication agent.

To authenticate a user with SecurID, Authentication Manager needs, at a minimum, the following information:

                           
Element | Information
User record | Contains a User ID and other personal information about the user (for example, first name, last name, group associations, if any). The user record can come from either an LDAP directory server or the Authentication Manager internal database.
Agent record | Lists the name of the machine where the agent is installed. This record in the internal database identifies the agent to Authentication Manager and enables Authentication Manager to respond to authentication requests from the agent.
Token record | Enables Authentication Manager to generate the same tokencode that appears on a user’s RSA SecurID token.
SecurID PIN | Used with the tokencode to form the passcode.

The Role of RSA Authentication Manager in SecurID Authentication

RSA Authentication Manager software, authentication agents, and RSA SecurID tokens work together to authenticate user identity. RSA SecurID patented time synchronization ensures that the tokencode displayed by a user’s token is the same code that the RSA Authentication Manager software has generated for that moment. Both the token and the Authentication Manager generate the tokencode based on the following:

  • The token’s unique identifier (also called a “seed”).

  • The current time according to the token’s internal clock, and the time set for the Authentication Manager system.

To determine whether an authentication attempt is valid, the RSA Authentication Manager compares the tokencode it generates with the tokencode the user enters. If the tokencodes do not match or if the wrong PIN is entered, the user is denied access.
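An added sketch of this comparison, not RSA's code and not the SecurID algorithm (which this page does not describe): HMAC-SHA256 over a time counter stands in for the tokencode function. The 60-second interval, 6-digit length, PIN-then-tokencode passcode layout, record fields and sample values are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

INTERVAL = 60  # assumed seconds per tokencode
DIGITS = 6     # assumed tokencode length

def tokencode(seed: bytes, clock: int) -> str:
    """Derive a tokencode from the seed and a clock reading (HMAC stand-in)."""
    counter = struct.pack(">Q", clock // INTERVAL)
    digest = hmac.new(seed, counter, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def pin_digest(pin: str, salt: bytes) -> bytes:
    """Store a salted PIN hash in the record rather than the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def authenticate(record: dict, passcode: str, server_clock: int) -> bool:
    """Server side: split the passcode into PIN + tokencode and check both."""
    if len(passcode) <= DIGITS:
        return False  # no PIN present
    pin, entered = passcode[:-DIGITS], passcode[-DIGITS:]
    expected = tokencode(record["seed"], server_clock)
    # Constant-time comparisons; evaluate both so timing does not reveal
    # which half of the passcode was wrong.
    code_ok = hmac.compare_digest(entered.encode(), expected.encode())
    pin_ok = hmac.compare_digest(pin_digest(pin, record["salt"]),
                                 record["pin_hash"])
    return code_ok and pin_ok

# Constructed sample data: token record (seed) plus PIN for one user.
SALT = b"constructed-salt"
RECORD = {"seed": bytes(range(16)), "salt": SALT,
          "pin_hash": pin_digest("4321", SALT)}
NOW = 1_700_000_000  # server clock, 20 s into its current interval

if __name__ == "__main__":
    good = "4321" + tokencode(RECORD["seed"], NOW)            # clocks agree
    bad_pin = "0000" + tokencode(RECORD["seed"], NOW)         # wrong PIN
    skewed = "4321" + tokencode(RECORD["seed"], NOW + 300)    # token 5 min fast
    for label, pc in [("good", good), ("bad PIN", bad_pin), ("skewed", skewed)]:
        print(label, authenticate(RECORD, pc, NOW))
```

The skewed case is denied even though the seed and PIN are correct, which is why both clocks feed the calculation and must stay synchronized.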

RSA SecurID Authentication Examples

Authentication Manager software is scalable and can authenticate large numbers of users. It is interoperable with network, remote access, wireless, VPN, Internet, and application products. The following table describes key examples.

                                   

Product or Application | Description
VPN Access | RSA SecurID provides secure authentication when used in combination with a VPN.
Remote dial-in | RSA SecurID operates with remote dial-in servers, such as RADIUS.
Web access | RSA SecurID protects access to web pages.
Wireless Networking | Authentication Manager includes an 802.1- compliant RADIUS server.
Secure access to Microsoft Windows | Authentication Manager can be used to control access to Microsoft Windows environments both online and offline.
Network hardware devices | Authentication Manager can be used to control desktop access to devices enabled for SecurID, such as routers, firewalls, and switches.

