RSA SecurID Tokens

RSA SecurID tokens offer RSA SecurID two-factor authentication. An RSA SecurID token is a hardware device or software-based security token that generates a 6-digit or 8-digit pseudorandom number, or tokencode, at regular intervals. When the tokencode is combined with a personal identification number (PIN), the result is called a passcode. Users enter passcode values, along with other security information, to verify their identity to resources protected by Authentication Manager.

Requiring these two factors, the tokencode and the PIN, is known as two-factor authentication:

  • Something you have (the token)

  • Something you know (the PIN)

If Authentication Manager validates the passcode, the user is granted access. Otherwise, the user is denied access. (To protect against the use of stolen passcodes, Authentication Manager checks that a passcode has not been used in any previous authentication attempt.)

There are two kinds of SecurID tokens, hardware tokens and software tokens:

  • Hardware tokens generate tokencodes using a built-in clock and the token’s factory-encoded random key. Hardware tokens come in several models.
  • Software tokens require an application that is specific to the intended device platform, such as a specific operating system on smart phones, computers, or tablets. Users obtains the software token symmetric key by scanning a QR code, importing an email attachment, or through some other approach. The software token applications generate tokencodes on the device and offer the same passcode functionality as hardware tokens.

An administrator can securely download a software token license XML file or receive a secure physical shipment with the required token license information for hardware or software tokens. Importing the token license XML file allows Authentication Manager to generate the correct tokencode when a SecurID authentication request is received from an authentication agent.

Authentication Manager logs the serial numbers of SecurID tokens used to authenticate. By default, Authentication Manager logs the serial number in the clear, but you can mask the serial numbers of tokens when logging to syslog or using SNMP if you want to avoid transmitting and recording the serial number in the clear. RSA recommends masking token serial numbers for added security.

You can assign up to three RSA SecurID tokens to each authorized user on a protected system.

All tokens require similar administrative tasks. Following deployment, you can perform many token-related administrative tasks with the User Dashboard in the Security Console. For more information, see User Dashboard.

For deployments that have an Active Directory identity source, you can also manage hardware and software tokens with the RSA Token Management snap-in for the Microsoft Management Console (MMC). The RSA Token Management snap-in extends the context menus, property pages, control bars, and toolbars in the Active Directory Users and Computers snap-in. RSA SecurID Access Authenticator Tokencodes are not managed by the RSA Token Management snap-in.

By default, RSA provides hardware and software tokens that require a PIN and strongly recommends that you use PINs for all tokens. PINs provide the second factor in RSA SecurID two-factor authentication. RSA Authentication Manager also supports authentication with tokens that do not require an RSA SecurID PIN. The user can authenticate with the current tokencode only. In such a case, an alternative second factor, for example, a user’s network password, is used.

RSA SecurID Hardware Tokens

The SID700 Authenticator easily connects to any key ring. The user simply reads the changing display (typically every 60 seconds) and uses it as part of a dynamic and always-changing password.

securid_red_token.png

You can use this token with Authentication Manager or the Cloud Authentication Service.

When the Cloud Authentication Service is integrated with Authentication Manager, users with RSA SecurID tokens can access SaaS and on-premises web applications and RADIUS clients protected by the Cloud Authentication Service. For more information, see Enable RSA SecurID Token Users to Access Resources Protected by the Cloud Authentication Service.

To protect cloud-based resources when Authentication Manager is not deployed, you can assignSID700 hardware tokens to Cloud Authentication Service users and manage the tokens in the Cloud Administration Console. If you have a Cloud-only deployment and you want to enable hardware token, contact your RSA Sales representative or Channel Partner.

The following hardware tokens are no longer sold by RSA:

  • RSA SecurID 800 Hybrid Authenticator

    The RSA SecurID Authenticator SecurID 800 is both an RSA SecurID authenticator and a USB smart card (USB token) with a built-in reader.

  • RSA SecurID 520 Authenticator

    With this device, the user enters the PIN on a numeric keypad to display the passcode.

  • RSA SecurID 200 Authenticator

    This hardware token generates and displays a new tokencode at a predefined time interval, typically every 60 seconds.

RSA SecurID Software Tokens

RSA SecurID tokens are available in a software form-factor that you can install into an RSA SecurID software token application on a client workstation or a mobile device.

The RSA Authentication Manager provides a centralized administration interface for issuing RSA SecurID software tokens to the supported device types. You can add information to software tokens such as device type, device serial number, or token nickname using token extension fields.

For a complete list of RSA SecurID software tokens versions supported by Authentication Manager 8.6, see the Product Version Life Cycle for RSA SecurID Suite page on RSA Link.

For more information about the software token, see the documentation that accompanies individual RSA SecurID software token products.