RSA SecurID for Two-Factor Security: A Primer

RSA SecurID for Two-Factor Security: A Primer
By

Multi-Factor authentication, also called two-factor (2-factor) authentication is a security technology that incorporates two or more of the following: something you know, something you have, and something you are. 

Most people use 2-factor without being cognizant of it; for example, every time you take money out of an ATM machine you are using a bank ATM card (something you have) and your PIN (something you know).

RSA SecurID is a stalwart of 2-factor deployments.  SecurID is similar to the ATM example, except with SecurID you can think of the card number changing every 60 seconds.

RSA SecurID - The Basics

Let’s say John is given a SecurID token on his first day on the job and he creates a PIN for the token on a self-service website.  He proceeds to log into his Windows workstation using his username (jdoe), a 6-digit passcode he reads from the SecurID token and a PIN.  Later he comes home and needs to remote access into the corporate network.  He uses the same credentials but a different SecurID token code.  

RSA SecurID - Architecture

RSA SecurID architecture has three components: the RSA Authentication Manager, Agents, and Authenticators (tokens).   

Using the example above, Windows would act as an agent of RSA.  When John logged in, Windows would read the login and transmit it to the RSA Authentication Manager.  The RSA Authentication Manager will evaluate the authentication request, looking up John’s username to see his associated tokens, then check to see if the token code is the same as it calculates internally, and ensuring the PIN is correct.  If any of these three pieces of information is wrong (username, token code, PIN), the authentication attempt will be rejected.  If everything is correct, the Authentication Manager will send a message to the agent (Windows) that the authentication is successful. 

The RSA manager holds master timing information and shared secrets (seeds) between itself and the token.  Tokens usually change every 60 seconds.

It’s important to understand that RSA authentication manager only performs authentication, not authorization.  For example, if Windows policy (authorization) did not allow Joe to have a local login, Windows would reject the login, even though Joe successfully authenticated with SecurID.

  • The example above uses Windows as the Agent software; however, Agents could be many other types of software
  • Linux (Pluggable Authentication Module)
  • IIS
  • Sun Java Web Server
  • Windows
  •  Unix

Some RSA Agents need to be installed and configured on a server while others are already embedded into the platform and just need to be configured, commonly the case with network firewalls and VPN equipment.

SecurID is actually an overloaded term.  SecurID is the brand for authentication solutions, which denotes a type of hardware or software token.  SecurID is also the name of the protocol used for communication between agents and the RSA Authentication manager software.  The SecurID protocol communicates on port 5500/UDP.  For networking equipment that directly supports the SecurID software, there’s usually a setting to add RSA servers to forward authentication requests.

Mikhael FelkerMikhael Felker

Mikhael Felker is an IT pro who has worked in Defense, Healthcare, High-Tech and Non-Profits. He teaches, writes, and speaks at numerous Southern California venues about technology. 

See here to check out all his Tom's IT Pro articles.

Comments