Educause Security Discussion mailing list archives

Re: RSA SecurID


From: Mark Powell <m-powe () UMN EDU>
Date: Sun, 28 Sep 2008 11:01:25 -0500

We are using the Secure Computing SafeWord system which was recently
sold to Aladdin.
Being able to push the button immediately for a new one-time passcode
was an important feature for us.  If you authenticate to a server as
yourself, then want to SUDO, you don't want to wait for the passcode to
change.  In fairness to SecurID, you can purchase tokens with different
time-windows--how fast they change to the next code.

Mark

Mark Powell
University of Minnesota
Office of Information Technology
612-625-8598

Gary Dobbins wrote:
SafeWord from Secure Computing uses tokens which are not time-based.  By pressing the button you get a new valid hash immediately.  Nice thing:  They can't get unsynchronized in time from their master host.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
Sent: Saturday, September 27, 2008 3:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] RSA SecurID

On 25/09/2008, at 5:05 AM, Christopher Jones wrote:


We are currently investigating two-factor authentication via RSA's
SecurID appliance solution.  Initially, it may be just for IT in
order to manage privileged access.  Eventually, it could be extended
to other employees.  Has anyone recently implemented this?  If so,
what was the scope of the implementation (IT staff only, employees,
everyone)?  Any feedback concerning this would be welcomed and
appreciated.

We have been using RSA's SecurID for three or four years on windows,
linux and various web applications.  We are very happy with it.  Our
evaluation of the solutions available *then* came down to securid and
crypto card.  SecurID won out because of better coverage of relevant
platforms -- that may well have changed.  One feature of crypto card we
liked was the ability to advance the token -- say you log into our VPN
(secured by 2FA) then you want to ssh to a linux host, you must wait
until the token changes (up to a minute) then you log in to the linux
box and type sudo ... and wait another minute until the token changes
again.  We actually gave up using 2fa for sudo and went for kerberos
for this reason -- i.e. login and sudo are authenticated differently.

Someone recently pointed me at an open source 2FA system but I can't
remember the details or find the email.  I'll dig a bit more and when
I find it I'll post the info to the list.

Russell

