Educause Security Discussion mailing list archives

Re: RSA SecurID


From: Greg Vickers <g.vickers () QUT EDU AU>
Date: Fri, 26 Sep 2008 09:52:52 +1000

Hi Christopher,

Christopher Jones wrote:
> We are currently investigating two-factor authentication via RSA's
> SecurID appliance solution.  Initially, it may be just for IT in order
> to manage privileged access.  Eventually, it could be extended to other
> employees.  Has anyone recently implemented this?  If so, what was the
> scope of the implementation (IT staff only, employees, everyone)?  Any
> feedback concerning this would be welcomed and appreciated.  Thanks.

We have just commenced an evaluation of the SecurID product; we haven't
actually received the product yet, but have placed the order.

We will be applying it to our VPN solution in a six-month pilot, for
access to our corporate hosts.  This means that anyone who needs access
to these hosts will be requested to use a new VPN connection profile
which will use the SecurID process for authentication.  (The old profile
without SecurID will still be available during the pilot, just in case.)

The new version of SecurID, v7.1, has a programmable API which we will
leverage in the event that we retain the product after a successful
pilot, and was one of the features that is highly desirable for us.  (We
will program an interface to ESOE - http://esoeproject.org - which is
being used for all web authentication at QUT now.)

We don't plan on requiring all employees to use Two-Factor
Authentication (2FA), but will use 2FA to protect "the crown jewels" of
QUT's information assets such as privileged access to hosts, or
privileged operations in finance and human resources systems.

The product doesn't use an *existing* password in conjunction with the
token code - when a token is first used, the user sets a 'pin' (a series
of digits) for that token and the pin combined with the token code is
the 'passcode' used for authentication.  We were under the impression
that the product would use our existing username/password credentials in
conjunction with the token code, but this is not the case.

So far we have received very good pre-sales support from the local RSA
representative; it's an encouraging start :)  Feel free to shoot me any
questions you may have.

Cheers,
--
Greg Vickers
Phone: +61 7 3138 6902
IT Security Engineer & Project Manager
Queensland University of Technology, CRICOS No. 00213J
