RSA SecurID

The RSA SecurID is a solution for user authentication managed by the Security Division of EMC and is based on an approach called two-factor authentication. This solution is a resolution to a weak security mechanism such as a password, as anyone who steals the password will appear completely genuine. RSA adds a second, physical proof that makes the certainty of authenticity exponentially higher. With the RSA solution for two-factor user authentication, authorized users are issued individually registered RSA SecurID tokens that generate single-use token codes, that keep changing based on a time code algorithm. A different token code is generated after every predetermined interval. The authentication server (RSA Authentication Manager) that protects the network and business applications validates this dynamic code. Each RSA SecurID token is unique and it is impossible to predict the value of a future token code by recording prior token codes. Thus when a correct token code is supplied together with a PIN, there is a high degree of certainty that the person is the valid user in possession of the RSA SecurID authenticator.

The following topics are provided:

How SecurID works

When a user attempts to access a protected resource, he is prompted for a unique passcode. The passcode is a combination of the user’s PIN and the code that is displayed on the authenticator token at the time of logon.

The user ID and pass code are intercepted by the RSA Authentication Agent and presented to the RSA Authentication Manager software which validates the pass code. The RSA SecurID system computes what number the token is supposed to be showing at that moment in time, checks it against what the user entered, and makes the decision to allow or deny access to the user. There is an agent software which allows this interaction.

RSA SecurID - Architecture

RSA SecurID architecture has three components: the RSA Authentication Manager, Agents, and Authenticators (tokens).   

When the user is logged in, the agent would read the logon request and transmit it to the RSA Authentication Manager.  The RSA Authentication Manager will evaluate the authentication request, looking up the username to see associated tokens with that user, then check to see if the token code is the same as it calculates internally, and ensure the PIN is correct. If any of these three pieces of information is wrong (username, token code, PIN), the authentication attempt will be rejected.  If everything is correct, the Authentication Manager will send a message to the agent that the authentication is successful. 

The RSA manager holds master timing information and shared secrets (seeds) between itself and the token. Usually, the tokens change every 60 seconds.

It is important to understand that RSA authentication manager only performs authentication, not authorization.  For example, if Windows policy (authorization) did not allow the user to have a local login, Windows would reject the login, even though the user successfully authenticated with SecurID.

Some RSA Agents need to be installed and configured on a server while others are already embedded into the platform and just need to be configured, commonly the case with network firewalls and VPN equipment.

SecurID is actually an overloaded term.  SecurID is the brand for authentication solutions, which denotes a type of hardware or software token.  SecurID is also the name of the protocol used for communication between agents and the RSA Authentication manager software.  The SecurID protocol communicates on port 5500/UDP.  For networking equipment that directly supports the SecurID software, there’s usually a setting to add RSA servers to forward authentication requests.