Educause Security Discussion mailing list archives

Re: RSA SecurID


From: Nick Lewis <lewisnic () ACM ORG>
Date: Sat, 27 Sep 2008 08:12:40 -0400

Entrust Identity Guard also has 2 factor authentication devices including
the traditional OTP fob (inexpensive), grid cards, OTP to SMS/e-mail, and
others.

Nick

----- Original Message -----
From: "Gary Dobbins" <dobbins () ND EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Saturday, September 27, 2008 7:23 AM
Subject: Re: [SECURITY] RSA SecurID


SafeWord from Secure Computing uses tokens which are not time-based.  By
pressing the button you get a new valid hash immediately.  Nice thing:  They
can't get unsynchronized in time from their master host.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
Sent: Saturday, September 27, 2008 3:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] RSA SecurID

On 25/09/2008, at 5:05 AM, Christopher Jones wrote:

> We are currently investigating two-factor authentication via RSA's
> SecurID appliance solution.  Initially, it may be just for IT in
> order to manage privileged access.  Eventually, it could be extended
> to other employees.  Has anyone recently implemented this?  If so,
> what was the scope of the implementation (IT staff only, employees,
> everyone)?  Any feedback concerning this would be welcomed and
> appreciated.

We have been using RSA's SecurID for three or four years on Windows,
Linux and various web applications.  We are very happy with it.  Our
evaluation of the solutions available *then* came down to SecurID and
crypto card.  SecurID won out because of better coverage of relevant
platforms -- that may well have changed.  One feature of crypto card we
liked was the ability to advance the token -- say you log into our VPN
(secured by 2FA) then you want to ssh to a linux host, you must wait
until the token changes (up to a minute) then you log in to the linux
box and type sudo ... and wait another minute until the token changes
again.  We actually gave up using 2fa for sudo and went for kerberos
for this reason -- i.e. login and sudo are authenticated differently.

Someone recently pointed me at an open source 2FA system but I can't
remember the details or find the email.  I'll dig a bit more and when
I find it I'll post the info to the list.

Russell
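
Added example, not part of the thread and not any vendor's code: the wait between logins with a time-based token, next to the press-again behaviour of an event-based token. The SecurID and SafeWord algorithms are not described here, so the open HOTP standard (RFC 4226) and its time-based variant stand in for them; the key, the 60-second step and the look-ahead window of 5 are assumptions.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # constructed sample key (the RFC 4226 test key)
STEP = 60  # assumed token interval in seconds, matching the "up to a minute" wait


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time password for one counter value (stand-in algorithm)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TimeBasedVerifier:
    """Counter is the clock; each step's code is accepted once only."""

    def __init__(self, key: bytes, step: int = STEP):
        self.key, self.step, self.last_used = key, step, -1

    def verify(self, code: str, now: float) -> bool:
        t = int(now) // self.step
        if t <= self.last_used:  # this step's code is spent: the user must wait
            return False
        if hmac.compare_digest(hotp(self.key, t), code):
            self.last_used = t
            return True
        return False


class EventBasedVerifier:
    """Counter advances per button press; no clock, so no clock drift."""

    def __init__(self, key: bytes, window: int = 5):
        self.key, self.window, self.counter = key, window, 0

    def verify(self, code: str) -> bool:
        # Look ahead a few counters to absorb presses that were never submitted.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1  # codes at or before c can never be replayed
                return True
        return False
```

The event-based verifier trades clock drift for counter drift: a token pressed more times than the look-ahead window allows without a successful login needs a resynchronisation step.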
