RSA SecurID Authentication combines multiple components to provide a two-factor authentication platform for Enterprise networks. With the platform, users authenticate themselves to the network both with something they know (a password or a PIN) and something they have, typically a hardware token or "authenticator" (though software driven authenticators are also available). The authenticators generate a new one-time use passcode every 60 seconds based on a contained symmetric key. The Authentication Agents/Authentication Manager are able to authenticate that code as valid/invalid at that specific point in time, and thus allow the user (assuming they provide the correct password/PIN) access to the machine and/or network.

Each of the individual components--the Authentication Manager, the Authentication Agents, and the Authenticators (tokens)--is required to enable an RSA SecurID Authentication platform; however, some of the components and required technology are built into 3rd party authentication appliances and platforms; meaning that SecurID authentication can be used with several platforms other than that which is supplied directly from RSA Security (visit the RSA Security Web site for other compliant devices and platforms).

The Authentication Manager is the central component of the SecurID platform, providing the main authentication backbone process in the Enterprise network. It is deployed in a distributed fashion, with support for automated load balancing and DB replication between mirrored Authentication Managers (the Agents, described below, are capable of sniffing the various server response times and routing their requests accordingly). Two flavors of the Authentication Manager are offered; a Base Edition, which supports both a master and a single replica server, and an Enterprise Edition, which supports up to 15 replicas in each of up to 6 realms. RSA Security notes that the Enterprise platform is capable of servicing over 10 million users and processing up to 200 user authentications a second.

In addition to the software version of the Authentication Manager, an Appliance version is also offered, in two primary flavors. The RSA SecurID for Smaller Organizations appliance is sold in fixed price increments to support 10, 25, 100, 150, or 250 users and contains a pre-loaded copy of the Base Edition of the Authentication Manager; while the RSA SecurID Appliance for Large Enterprises supports up to 50,000 users and offers the customer a choice of a pre-loaded Base or Enterprise Edition version of the Authentication Manager software. An SMB version of the appliance--the RSA SecurID 100--supports up to 100 users.

Various Authentication Agents provide a software authentication interface for various operating systems and applications; intercepting standard authentication requests and routing them to the Authentication Manager for processing. Multiple such agents are available, including those for Windows (2000/XP/2003/Vista) and older agents for NMAS, UNIX/Linux, and Web servers (IIS, Apache, Sun Java System Web Server).

Finally, the Authenticators are the actual tokens that the users possess that generate the one-time use codes they will need to authenticate via their agents. Hardware authenticators are available in several form factors, including a credit card shaped token to a small handheld device. Most of the available authenticators work by utilizing an embedded symmetric key and algorithm to generate the one-time code on an LED when the user requests it. Key exceptions are the SecurID 520, a credit card-sized device that contains a numeric keypad allowing the user to keyin their PIN/password and retrieve a specially encrypted code in return to be used for authentication; the SecurID 800, which in addition to the ability to generate one-time codes also contains a USB port plug and the ability to store other authentication information--such as PINs or passwords--for the user; and the SecurID 900, also a credit-card shaped token with numeric keypad that also includes the ability to generate transaction-specific digital signatures.

Authenticators are also available in software flavors; in which case the required symmetric key is stored on the user's desktop, laptop, PDA, handheld, or mobile phone.

Other products offered by the vendor related to the RSA SecurID platform include:

- The RSA SecurID Authentication Engine, a lightweight engine for integration with custom or external applications

- The RSA SecurID Key Generation Toolkit, which enables dynamic seeding (CT-KIP) for use with the Authentication Engine

- The RSA Credential Manager (also known as the Authentication Deployment Manager), automated, Web-based workflow software for the deployment and maintenance of tokens

New features in the latest release of the RSA Authentication Manager include a "Business Continuity" option that enables an organization to temporarily expand a server license (without having to purchase a permanent license increase); support for "on-demand" delivery of access codes via SMS or E-mail (with no physical token required by the end user); native LDAP support; MMC integration (via a snap-in); and support for delegated administration.

The RSA SecurID Authentication platform is available now; the new release is expected to be available in 2Q/2008. Contact RSA Security for further information.

product submission by EITPlanet Staff

E-Mail this page to a colleague
send info about RSA SecurID Authentication

Suggest a link
for the RSA SecurID Authentication fact sheet