Does a desktop token constitute multifactor authentication? Why or why not?
The best answer to your question is yes and no.
Multifactor authentication includes something you know (a PIN) and something you have (a hardware or software token). It can also be something you are (for fingerprint scanning/facial recognition, etc.). For your RSA SecurID desktop token, it is what you know and what you have.
If you provide your end users with tokens that are tokencode only (not requiring use of a PIN), then they are not considered to be multifactor authentication.
If your users have tokens where they need to provide both a PIN and a tokencode, then that is considered multifactor authentication.
We have 2 camps where I work. One argues that, by having the token on the same platform on which the authentication transaction is being performed, the independence of the token is reduced to merely a sophisticated password (single factor), while the other insists that the PIN and resulting passcode represent distinct authentication factors. With a desktop token, the end user still has to provide something they know (the PIN) with something they have (the token installed on the workstation). That the user has to apply the resulting passcode to an application or webpage on the same workstation on which the token is installed does not diminish the fact that the transaction elements are separate . . . or does it?
Yes it is 2 factor no matter how you slice it...
--Pin is 'something you know' factor 1
--item displaying a Tokencode is 'something you have' factor 2
--[if you had a windows password that is another factor 1 so doesn't count as 3rd factor]
to have a 3rd factor that would be 'something you are' like biometric (faceid, fingerprint, weight...)
Two Factor Authentication, 2FA is integration of something you have and something you know, e.g. SecurID Token either hardware or software plus PIN. I'd argue that Multi-Factor Authentication, MFA is a wide and broad sub-set of 2FA, basically because you are connecting independent authentication factors but not integrating them in the way that 2FA does.
If 2FA were an 8 foot high fence, MFA with Windows Password and RSA single factor TokenCode (with no PIN) would be two 4 foot fences, because they are not integrated, each would have to be compromised independently in their singular defense mechanisms. It might be argued that the fence heights are actually 6 and 12 feet high depending on how you assess your risk, but I think the analogy stands,
Therefore, a software token running on a Windows Desktop application, as long as it requires a PIN, is 2FA and therefore MFA, as well as a solid authentication verification system.
As in all Security Practices - learn and follow Best PracticesImportant Statement from RSA Regarding RSA SecurID Software Token Provisioning Best Practices
(some) Best Practices for RSA Authentication Manager
Just to add on the windows has RSA SecurID Authenticate App - Get RSA SecurID Authenticate - Microsoft Store which can do MFA(Like Approve option) post a successful authentication to CAS. Attaching a sample snippet
Retrieving data ...