
Strong Authentication


The SecurID token is a rather old and rather expensive solution.

A more modern and cheaper solution is Digipass Go 3.

Both serve as a generator of one time passwords that can be used for authentication.

SecurID

SecurID is used in conjunction with RSA ACE/Server. The SecurID token generates a new, supposedly unpredictable 6-digit numeric one-time password every 60 seconds.

Each password can be used only once: you cannot authenticate to two systems using the same password.
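To make the 60-second window and the single-use rule concrete, here is an added example (not RSA's code and not the real SecurID algorithm): a time-stepped HMAC-SHA1 generator stands in for the token, and a validator refuses any code the second time it is presented, even from another host. `otp_for_window`, `OtpValidator` and the seed value are hypothetical names and constructed data.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # code lifetime stated on the page
DIGITS = 6          # numeric code length stated on the page


def otp_for_window(seed: bytes, window: int) -> str:
    """Derive the code for one 60-second window.

    Hypothetical construction: HMAC-SHA1 with dynamic truncation (RFC 6238
    style). It stands in for RSA's proprietary token algorithm, which this
    example does not reproduce.
    """
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class OtpValidator:
    """Server-side check shared by every system a user logs in to.

    Remembers which windows have already been consumed so the same code
    cannot authenticate twice (for example to two different hosts).
    """

    def __init__(self, seed: bytes, skew_windows: int = 1):
        self.seed = seed
        self.skew = skew_windows    # tolerate one step of clock drift
        self.consumed = set()       # windows whose code was already accepted

    def verify(self, code: str, now: float) -> bool:
        current = int(now // STEP_SECONDS)
        for window in range(current - self.skew, current + self.skew + 1):
            expected = otp_for_window(self.seed, window)
            if hmac.compare_digest(expected, code):
                if window in self.consumed:
                    return False    # replay: this code was used once already
                self.consumed.add(window)
                return True
        return False                # no window in range produced this code
```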

While pretty adequate for end users (cost aside), SecurID is not very convenient for system administrators who need to log in to multiple systems several times a day, and it encourages "cheating" to avoid the one-minute delay for each authentication. That's why it is recommended not to enroll ssh in SecurID authentication and to limit it to telnet and ftp, which are used by "regular" users. In this case ssh becomes a privileged protocol for system administrators and as such needs to be secured using tcp_wrappers and/or firewall rules that restrict it to selected static addresses (the DHCP range should be excluded).

Actually there are multiple ways to install the SecurID client in a wrong way and only a few in a right way ;-). One problem is that some applications and scripts use ftp as a transport protocol.

Due to those complications the level of security provided is often completely illusory. This, along with being a pain in the neck for system administrators (the most important users of the technology, where the cost is somewhat justified), is a major drawback of the approach.

Again, it is a bad idea to use SecurID authentication for all three major protocols: telnet, ftp and ssh. You should consider leaving ssh out of the realm of SecurID authentication and using certificates instead.

Another drawback is the pretty ancient software used on the server side. But it is reasonably reliable and reasonably scalable. The level of maintenance it requires is minimal and is mainly related to updates from one version to another (which is sometimes a bad idea, as RSA tends to over-milk this cash cow and use version switching as a pretext for getting additional revenue). That's why the technology did not get traction outside large corporate environments.

Even online brokerages, which could definitely benefit from the technology, are not using it for customers (the one exception that I know of is eTrade.com, but you need to pay for your own token).

For a simple disposable security device a SecurID token (which probably costs less than $5 to manufacture) is very expensive ($70 for a three-year token, or ~$25 per year). But if usage is selective, this defeats the purpose of introducing the SecurID token into the infrastructure. The server is also not cheap, and only the inertia of the industry permits RSA to enjoy such high profit margins. That probably will not last for long.

That creates a huge problem of justifying the costs. 

For such an expensive product RSA documentation is generally very weak, almost junk. The product requires a support contract, and the quality of support is generally good.

Digipass Go 3

Digipass Go 3 uses a much better interface than SecurID. Its "touch of a button" approach corresponds to what busy users like system administrators would want from a device their employer requires them to use. The Digipass GO 3 is very small, and features a high-contrast LCD display and a single button.

This combination offers the ultimate in user-friendliness and high security: one push on the button and the Digipass GO 3 shows a unique one-time password on its LCD display. The user then enters this one-time password into the application login screen.

Vasco Digipass is used by PayPal, which sells it to users for $5.



Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). The copyright of original materials belongs to their respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: June 05, 2008