RSA SecurID Definition
- When MFA became mandatory for millions of Google users in 2021, Google saw a 50% decline in account compromise.
- Microsoft claims that MFA blocks almost 100% of automated attacks.
MFA is an Identity and Access Management (IAM) strategy that protects network resources from unauthorized access. RSA SecurID is a suite of solutions that includes MFA and much more.
So what exactly is RSA SecurID, how does it work, and what type of security does it provide? What vulnerabilities, if any, should users know about?
What Is RSA SecurID: RSA SecurID Overview
Created by RSA Data Security, RSA SecurID is an MFA technology designed to increase security for network resources and help organizations maintain compliance. It combines password or PIN authentication with hardware authentication in the form of a physical token.
Is RSA secure? Many feel so because RSA SecurID offers more than just MFA. It has a whole suite of IAM features, including user access and role management, centralized control, and user monitoring.
Are RSA and SecurID the Same?
What used to be two products are now married into one suite of solutions. Formerly, RSA—or RSA Authentication Manager—handled authentication requests and policy administration. SecurID used three components to protect network resources: tokens, agents, and a virtual or physical server. RSA SecurID now offers all of this protection under one roof.
How Does RSA SecurID Work?
RSA SecurID is technically two-factor authentication, but it uses three layers of security:
- Something known by the user: This is a PIN or password only known by the user. A user is first prompted for their PIN or password when they access network resources.
- Something held by the user: This is a physical token, badge, or one-time password (OTP). The token provides a code that is combined with the PIN or password. The RSA authentication agent intercepts these for validation.
- Something unique to the user: You can add an extra layer of security by using biometrics, facial recognition, or fingerprint readers.
RSA SecurID offers a broad range of MFA options, including biometrics (fingerprint and eye print), email codes, Fast IDentity Online (FIDO)-based authentication, hardware tokens, mobile push authentication, proximity-based authentication, risk-based authentication, SMS codes, soft tokens, and voice-activated authentication. As an IAM technology, RSA SecurID does more than just grant access; it also determines the level of access to data and applications granted to each user.
Common RSA SecurID Vulnerabilities
No technology is 100% secure, so often, layered security that combines multiple techniques is best. Although few, RSA SecurID has certain vulnerabilities, and knowing what they are can help your security team minimize risk.
- Stolen hardware tokens: If a perpetrator successfully steals a token, card, or badge, they will have access to one of the two steps for authentication.
- Stolen software tokens: Just like passwords and PINs, codes can be hacked. If a hacker accesses the code and the password or PIN, 2FA becomes useless as a security measure. An example was the attack on MeetMindful.com in 2021 that compromised Facebook authentication tokens. This is why many professionals recommend biometrics as a third security layer.
- Stolen credentials: Reusing stolen credentials makes up about 80% of all hacking incidents. An example is the massive compromise of eBay credentials in 2014. A big part of risk monitoring and mitigation is ensuring password security, and an important feature of RSA SecurID is password management.
- Man-in-the-middle (MITM) attacks: RSA SecurID cannot repel all MITM attacks, but it protects against password replay attacks. A password replay occurs when a malicious actor captures an authentication exchange and later resends or delays it so that the recipient acts on it as if it were legitimate. Other types of MITM attacks—like Internet Protocol (IP) spoofing, Hypertext Transfer Protocol Secure (HTTPS) spoofing, Domain Name System (DNS) spoofing, and so forth—are not always repelled. If a malicious party intercepts communication between a user and the network, they can gather enough information to impersonate that user and obtain the access the user is authorized for. An example is the breach of Equifax in 2017.
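The following is an added illustration, not RSA's own code: it models the server-side check of a passcode made of a PIN plus a tokencode (the "something known" and "something held" factors described under "How Does RSA SecurID Work?") together with the replay protection mentioned above. RSA's tokencode algorithm is proprietary, so an RFC 6238-style HMAC-based time code stands in for it; the seed, PIN, six-digit code, one-minute step and one-step drift window are all constructed assumptions.

```python
import hmac
import hashlib
import struct

# Constructed demo values; a real token's seed record is provisioned per token.
DEMO_SEED = b"constructed-demo-seed-not-a-real-token"
STEP_SECONDS = 60   # assumption: the displayed tokencode changes once a minute
DRIFT_STEPS = 1     # assumption: tolerate one step of clock drift either way


def tokencode(seed: bytes, counter: int, digits: int = 6) -> str:
    """Stand-in time-based OTP (RFC 6238 style, HMAC-SHA1); not RSA's algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class PasscodeVerifier:
    """Models what an authentication agent/server does with PIN + tokencode."""

    def __init__(self, seed: bytes, pin: str):
        self.seed = seed
        self.pin = pin
        # Replay guard: a tokencode counter that has already been accepted
        # (or any older one) is never accepted again.
        self.last_accepted_counter = -1

    def verify(self, passcode: str, now: float) -> bool:
        if not passcode.isascii() or len(passcode) != len(self.pin) + 6:
            return False
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        # Factor 1: something the user knows. Constant-time compare.
        if not hmac.compare_digest(pin, self.pin):
            return False
        # Factor 2: something the user holds. Check the current step and
        # its neighbours to absorb small clock drift between token and server.
        current = int(now // STEP_SECONDS)
        for counter in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if hmac.compare_digest(code, tokencode(self.seed, counter)):
                if counter <= self.last_accepted_counter:
                    return False  # replayed or already-consumed tokencode
                self.last_accepted_counter = counter
                return True
        return False
```

A captured passcode therefore buys an attacker nothing once it has been used or once its time step has passed, which is the replay protection the page credits SecurID with; it does not help against an active intermediary who relays the passcode before the legitimate user does.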
10 Functionalities of RSA SecurID
RSA SecurID provides layers of security across all network levels, from user to hardware to the cloud. It is an all-in-one suite of solutions that manages access based on risk assessment, MFA, identity governance, security policy management, threat intelligence, identity insights, and user lifecycle management. The IAM features it supports include:
1. Access Request Management
When employees request access to a resource, RSA SecurID views and manages the request. It determines whether access should be granted and at what level.
2. Account Management
RSA SecurID manages user accounts across an organization. This is particularly necessary because of employee turnover, changes in user access and permissions, and new talent onboarding.
3. API Access Management
RSA SecurID ensures authenticated users can access application programming interfaces (APIs). It determines user access to applications, frameworks, software, and management tools.
4. Compliance Management
RSA SecurID assesses risks, ensures policy compliance, and verifies that users follow secure policies, procedures, and processes. RSA SecurID also ensures organizations are legally compliant, especially regarding third-party access and data privacy.
5. Multi-factor Authentication (MFA)
Through a password or PIN and a hardware token, RSA SecurID provides two-factor authentication for users. A third layer, such as biometrics or other unique user features, can be added to further strengthen security.
6. Passwordless Login
RSA SecurID offers passwordless login based on a physical token, biometrics, or FIDO-based authentication. One of the benefits is that a user can be authenticated even without a network connection—meaning, even offline work is secured.
7. Password Management
RSA SecurID’s password management feature enables IT admins to authenticate, manage, and even reset passwords. This limits the impact of a stolen or compromised password by shortening the time it takes to respond to a malicious party's attempts to use it to access your system.
8. Role Management
RSA SecurID regulates user access according to permissions and access levels contained in a directory. As user access changes or employees leave or are hired, role management ensures user access will continue to be seamless and secure.
9. Single Sign-On (SSO)
SSO unifies user access and permission under a single set of credentials. It simplifies access to the network, the cloud, and applications while maintaining security and privacy. It streamlines user sign-in, enhancing productivity and efficiency. For example, if you are logged in to Gmail, you have instant access to other applications under the Google umbrella, such as YouTube and Google Docs.
10. User Activity Monitoring
RSA SecurID monitors and records user activity for administrative and security purposes. This streamlines risk assessment and incident investigation and protects network resources from unseen threats.
RSA SecurID vs. SSO vs. RSA Authentication Manager
RSA SecurID is the solution suite offered by RSA Data Security. RSA Authentication Manager is the management component, and it:
- Verifies authentication requests
- Administers authentication policies
- Provides a web-based console for system administration and token management
- Provides logging and reporting capabilities for compliance
SecurID is the server component and includes:
- Authenticators, including software and hardware tokens
- Agents, which protect network resources by requiring MFA
- An Authentication Manager server, whether as hardware or a virtual machine
Pros of RSA SecurID Solutions Suite
- Ease of integration
- Secure MFA
- User access and role management
- Reduced risk of system compromise
Cons of RSA SecurID Solutions Suite
- Vulnerability to token or code theft and some MITM attacks
SSO, however, is a product from a different provider. An authentication and user authorization solution by BuzzFeed, it provides users with a single set of credentials for access to the network and various applications.
Pros of SSO
- Streamlined user access
- Unified password
- Ease of integration
Cons of SSO
- Using a single password for multiple logins can be risky
- SSO failure cuts system access
- It is vulnerable to identity spoofing
Designed for enterprise use at scale, RSA SecurID can handle millions of users from countless access points.
How Fortinet Can Help
To help protect organizations from account or password compromise, Fortinet offers FortiToken Cloud, which simplifies and centralizes the management of two-factor authentication tokens in a FortiGate or FortiAuthenticator environment. It offers:
- Centralized two-factor management
- Simplified deployment
- Stackable subscriptions
Since FortiToken Cloud is a cloud service, its intuitive dashboard can be accessed from anywhere as long as you have an internet connection. It can be easily deployed at scale, making it a smart choice for organizations of all sizes.