Users Get Details on How Long Keys Are Active
Because the seeds feeding the algorithm on the server match the ones each individual token is using, the server knows exactly what number is displayed by the token without having to transmit any data. Users who want to log in to a protected resource go to the RSA login portal and enter their username, a PIN and the number displayed by their token at that time. If everything matches, users are authenticated and allowed to proceed.
The token also displays how long the current key will be active with a series of dots on the left side of the screen, each dot representing 10 seconds. If there are only one or two dots left, users can wait for a new key before logging in so they don’t have to rush. This helps make the SecurID tokens easy both to use and to manage.
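The matching-seed check and the countdown dots described above, as an added example that is not RSA's code. The page does not describe RSA's algorithm, so an HMAC-SHA-256 derivation stands in for it; the function names, the record layout, the seed and the PIN are all constructed for illustration.

```python
import hashlib
import hmac
import struct

INTERVAL = 60      # page: a new key every 60 seconds
DIGITS = 6         # page: 6 numeric characters
DOT_SECONDS = 10   # page: each dot stands for 10 seconds

def tokencode(seed: bytes, now: float) -> str:
    """Stand-in derivation (HMAC-SHA-256 over the interval number); not RSA's algorithm."""
    counter = int(now) // INTERVAL
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226-style dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def dots_left(now: float) -> int:
    """Dots still showing, assuming a partly used 10-second slice keeps its dot."""
    remaining = INTERVAL - int(now) % INTERVAL   # 1..60 seconds
    return -(-remaining // DOT_SECONDS)          # ceiling division

def hash_pin(pin: str, salt: bytes) -> bytes:
    """The server stores a salted PIN hash, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def verify(record: dict, pin: str, code: str, now: float) -> bool:
    """Server side: recompute the code from the stored seed; the token sends nothing."""
    expected = tokencode(record["seed"], now)
    pin_ok = hmac.compare_digest(hash_pin(pin, record["salt"]), record["pin_hash"])
    code_ok = hmac.compare_digest(code.encode(), expected.encode())
    return pin_ok and code_ok

# Constructed sample data: one seed, loaded into both the token and the server record.
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT = b"constructed-salt"
RECORD = {"seed": SEED, "salt": SALT, "pin_hash": hash_pin("4821", SALT)}

if __name__ == "__main__":
    now = 1_700_000_045                          # constructed login time
    shown = tokencode(SEED, now)                 # what the token's LCD displays
    print("token shows", shown, "dots left:", dots_left(now))
    print("login accepted:", verify(RECORD, "4821", shown, now))
    print("one minute later:", verify(RECORD, "4821", shown, now + INTERVAL))
```

Anyone holding the seed can run `tokencode` and produce valid numbers, which is why the seed file needs the protection the article calls for.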
Swapping Out RSA SecurID Tokens When Necessary
Although each SecurID token is designed to last for up to three years, it can still be damaged, lost or stolen. We tested how easily new tokens can be swapped out should this happen.
Each RSA SecurID SID700 hardware token is fairly rugged, with hardware-based internal circuitry and no moving parts. It also has a hard plastic case that resists damage. Unlike most electronics that can easily break when dropped, the size of the tiny token prevents it from generating enough force to cause any damage, most of the time.
So, there is a good chance that most users will be able to use their SecurID token without interruption for years. Keep in mind, however, that each token has a hard-coded expiration date, which is normally set to three years. After that, the key may still physically function but can no longer be used for authentication. Users must swap out old keys eventually, even if they never lose or break the device.
Issuing a new key when one is lost or broken is not that big of a deal. Administrators can disable the lost key on the authentication server as soon as it is reported, meaning the key can no longer be used to access network resources.
Thereafter, it’s simply a matter of uploading the new seed information for an unused token, and then assigning that token to the user with the Active Directory data. As soon as the new physical key is delivered, the user can get back to work.
One additional note: Administrators need to be very careful with the seed data for their keys, as this is one potential vulnerability. That information must be locked down and also should have strong encryption. But as long as that data is kept safe, users will have easy-to-use and fully protected access to valuable assets, even when they are working from home or a remote location.
RSA SecurID SID700 Hardware Token
Key Length: 6 numeric characters
Key Life: New keys generated every 60 seconds
Display: Monochrome LCD
Token Life: Device automatically expires after three years
Weight: 0.32 ounce