SecurID Authentication Process

The SecurID authentication process involves the interaction of three distinct products:

  • SecurID authenticators, also known as tokens, which generate one-time authentication credentials for a user.

  • RSA Authentication Agents, which are installed on client devices and send authentication requests to the Authentication Manager.

  • RSA Authentication Manager, which processes the authentication requests and allows or denies access based on the validity of the authentication credentials sent from the authentication agent.

To authenticate a user with SecurID, Authentication Manager needs, at a minimum, the following information:

| Element | Information |
|---|---|
| User record | Contains a User ID and other personal information about the user (for example, first name, last name, group associations, if any). The user record can come from either an LDAP directory server or the Authentication Manager internal database. |
| Agent record | Lists the name of the machine where the agent is installed. This record in the internal database identifies the agent to Authentication Manager and enables Authentication Manager to respond to authentication requests from the agent. |
| Token record | Enables Authentication Manager to generate the same tokencode that appears on a user’s SecurID token. |
| SecurID PIN | Used with the tokencode to form the passcode. |

The Role of RSA Authentication Manager in SecurID Authentication

RSA Authentication Manager software, authentication agents, and SecurID tokens work together to authenticate user identity. SecurID patented time synchronization ensures that the tokencode displayed by a user’s token is the same code that the RSA Authentication Manager software has generated for that moment. Both the token and the Authentication Manager generate the tokencode based on the following:

  • The token’s unique identifier (also called a “seed”).

  • The current time according to the token’s internal clock, and the time set for the Authentication Manager system.

To determine whether an authentication attempt is valid, the RSA Authentication Manager compares the tokencode it generates with the tokencode the user enters. If the tokencodes do not match or if the wrong PIN is entered, the user is denied access.
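The comparison described above, as an added sketch that is not RSA's code: this page does not give the SecurID tokencode algorithm, so RFC 6238 TOTP (HMAC-SHA1) stands in for it. The 60-second interval, the 6-digit length, the `drift_steps` tolerance, and the seed, PIN and clock values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

INTERVAL = 60  # seconds per tokencode (assumed for this sketch)
DIGITS = 6     # tokencode length (assumed for this sketch)


def tokencode(seed: bytes, now: float, interval: int = INTERVAL) -> str:
    """Derive a tokencode from the seed and the current time step.

    Stand-in derivation (RFC 6238 TOTP), not the SecurID algorithm.
    """
    step = int(now) // interval
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_passcode(passcode: str, pin: str, seed: bytes,
                    server_now: float, drift_steps: int = 0) -> bool:
    """Server side: regenerate the tokencode and compare PIN + tokencode.

    drift_steps is a hypothetical tolerance, in intervals, for a token
    clock that runs ahead of or behind the server clock.
    """
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = pin + tokencode(seed, server_now + delta * INTERVAL)
        # Constant-time comparison; every candidate is always checked.
        ok |= hmac.compare_digest(passcode.encode(), expected.encode())
    return ok


# Constructed sample values, not real token data.
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
PIN = "4821"
SERVER_TIME = 1_700_000_040     # server clock, start of a time step
TOKEN_TIME = SERVER_TIME + 70   # token clock 70 s fast: one step ahead

if __name__ == "__main__":
    drifted = PIN + tokencode(SEED, TOKEN_TIME)
    print("in sync    :", verify_passcode(PIN + tokencode(SEED, SERVER_TIME), PIN, SEED, SERVER_TIME))
    print("drift, +-0 :", verify_passcode(drifted, PIN, SEED, SERVER_TIME))
    print("drift, +-1 :", verify_passcode(drifted, PIN, SEED, SERVER_TIME, drift_steps=1))
```

With `drift_steps=0`, a token whose clock has moved into the next interval is rejected even though the seed and PIN are correct, which is why the two clocks named above have to agree.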

SecurID Authentication Examples

Authentication Manager software is scalable and can authenticate large numbers of users. It is interoperable with network, remote access, wireless, VPN, Internet, and application products. The following table describes key examples.

| Product or Application | Description |
|---|---|
| VPN Access | SecurID provides secure authentication when used in combination with a VPN. |
| Remote dial-in | SecurID operates with remote dial-in servers, such as RADIUS. |
| Web access | SecurID protects access to web pages. |
| Wireless Networking | Authentication Manager includes an 802.1-compliant RADIUS server. |
| Secure access to Microsoft Windows | Authentication Manager can be used to control access to Microsoft Windows environments both online and offline. |
| Network hardware devices | Authentication Manager can be used to control desktop access to devices enabled for SecurID, such as routers, firewalls, and switches. |