SecurID is a product from RSA. Its purpose is to provide a continuously rotating password, sometimes known as a one-time password. The SecurID is therefore a device concerned with authentication and is considered a form of "something I have" authentication.
A user is issued a particular SecurID device (or software). The SecurID has a small window in which it displays a six-digit password that changes every minute. Although the changes appear random, they are actually pseudorandom. They are driven by an algorithm that combines a factory-provided seed number (i.e., a number that starts the calculation) with the current clock time. Without the seed, the time, and the algorithm, the number cannot be predicted and appears completely random.
Within the network, the AAA server runs SecurID software that implements the same algorithm, knows the seed value associated with each issued token, and knows the time. The server therefore knows what code is displayed on every SecurID that has been issued. When a user attempts to access a protected resource (e.g., VPN, RAS, or an email account), the user is challenged for a username and the password currently shown on the SecurID. If there is a match, the user is authenticated and access is granted.
The actual product comes in a variety of forms, including a key-chain fob and a small card with the length and width of a credit card but somewhat thicker. It can also be provided as software for use on devices such as PDAs or cell phones.
Anyone familiar with networking and computer devices knows that no two clocks are perfectly aligned. It is therefore possible for the SecurID to gain or lose time relative to the server, producing a mismatch. SecurID deals with this in a fairly elegant manner. The server not only keeps track of the current code on each SecurID device; it also remembers the previous one and predicts the next one. If the code provided by the user is not the current code but matches the previous or following code, the server interprets this as clock drift and applies an appropriate adjustment to the clock calculation for that particular SecurID.
Because the SecurID token (hardware or software) is something you have, it is subject to the same security issue as anything else you have: theft. If someone steals your SecurID and knows which system it provides access to, they can breach the security of that system. To avoid this, many companies issue each user a personal identification number (PIN) as well as the SecurID. A PIN is a form of "something I know" authentication. If the actual password is a combination of the SecurID value and the PIN, it is a composite password that combines two types of authentication: something I know and something I have. That makes it a form of multifactor authentication, which is significantly stronger.
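The server-side behaviour described in the last two paragraphs (the previous/current/next code window with a per-token drift adjustment, and the PIN + token code composite password), as an added illustration that is not part of the original page. The code derivation is a stand-in construction (HMAC-SHA1 over a minute counter) chosen for the example; it is not RSA's proprietary SecurID algorithm, and the seed, user and PIN values are constructed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the displayed code changes every minute


def token_code(seed: bytes, unix_time: int, offset_steps: int = 0) -> str:
    """Six-digit code for the minute containing unix_time, shifted by offset_steps.

    Stand-in construction (HMAC-SHA1 over the minute counter) used only to
    reproduce the seed + clock idea; it is not the real SecurID algorithm.
    """
    counter = unix_time // STEP_SECONDS + offset_steps
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)


class AaaServer:
    """Knows each token's seed and PIN and learns a per-token clock offset."""

    def __init__(self, seeds: dict[str, bytes], pins: dict[str, str]):
        self.seeds = seeds
        self.pins = pins
        self.drift = {user: 0 for user in seeds}  # learned offset, in minutes

    def authenticate(self, user: str, passcode: str, now: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None or not passcode.isascii():
            return False
        # Composite password: PIN (something you know) + token code (something you have)
        pin, code = passcode[:-6], passcode[-6:]
        if not hmac.compare_digest(pin.encode(), self.pins.get(user, "").encode()):
            return False
        # Accept the current, previous or next code relative to this token's
        # adjusted clock; a hit on a neighbour is treated as clock drift.
        for delta in (0, -1, 1):
            expected = token_code(seed, now, self.drift[user] + delta)
            if hmac.compare_digest(code.encode(), expected.encode()):
                self.drift[user] += delta  # remember the drift for this token
                return True
        return False
```

A token that runs one minute slow is accepted on the "previous" code, after which the server's stored offset for that token makes its code the expected current one.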
Podcast audio (SecurID): http://podcast.hill-vt.com/podsnacks/2007q3/securid.mp3