How does my RSA security token (Secure ID) work?


Firstly, I have to make it clear there is no connection in any way to the token. It is a purely standalone device. The other answer I have seen is nonsense! Sorry!

The 6-digit code that you see on the token is generated using an algorithm that exists in all tokens. The token also contains a clock and has a unique seed number. The current time and the unique seed are processed using the algorithm and produce the token code you see on the token. This is normally done once per minute. In this way a unique code is generated that appears to be random.

The server (Ace server), which is online and connected to whatever system you are logging on to, also knows the time and it also knows the unique seed number of your token. So it uses the same algorithm to calculate the code that you should see on your token. If they match then you are authenticated.

I guess the next question you are asking is what happens if the time is wrong on the token (or the server). Well, this can happen and for that reason the server normally allows a 3 minute window. So it will calculate and accept passcodes based on the current time and a minute either way. If the code is more than 2 minutes out and less than 10 then the server will recognise this code also but will ask for the next code as well to confirm you really have the token and didn't just read it by chance on someone else's token. If the time is slightly wrong then the server sets a time offset for the token and remembers that it is x minutes out. It then knows to expect this and has effectively synchronised the token.

There's loads more to it so if you think of any questions I'll be happy to answer them. Hope this helps!
Source(s):
RSA Security
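The mechanics described in the answer above (seed plus clock on a standalone token, a server that recomputes the code, a one-minute window either way, a wider window that demands the next code, and a stored per-token offset) as an added simulation. This is example code written for this page, not the original post's or RSA's code; the real SecurID algorithm is proprietary, so HMAC-SHA256 over the seed and a minute counter is used here as a stand-in (an assumption), and the `Token`/`AceServer` classes, serial numbers, seeds and timestamps are all constructed for the demo.

```python
import hashlib
import hmac

INTERVAL = 60   # seconds per code: one new code per minute
NEAR = 1        # +/- 1 interval accepted outright (the "3 minute window")
FAR = 10        # up to 10 intervals out: accepted only together with the next code


def code_for_counter(seed: bytes, counter: int) -> str:
    """Six-digit code for one minute counter.
    Stand-in for the proprietary SecurID function (assumption):
    HMAC-SHA256(seed, counter), truncated to six decimal digits."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


class Token:
    """The standalone device: a seed and a clock, no connection to anything."""

    def __init__(self, seed: bytes, clock_skew: int = 0):
        self.seed = seed
        self.clock_skew = clock_skew   # seconds the token's clock is off from true time

    def display(self, true_now: int) -> str:
        return code_for_counter(self.seed, (true_now + self.clock_skew) // INTERVAL)


class AceServer:
    """Knows every token's seed and the true time; learns each token's drift."""

    def __init__(self):
        self.seeds = {}     # serial -> seed
        self.offsets = {}   # serial -> learned drift, in intervals
        self.pending = {}   # serial -> counter matched by a far-window code

    def enroll(self, serial: str, seed: bytes) -> None:
        self.seeds[serial] = seed

    def verify(self, serial: str, code: str, now: int) -> str:
        """Returns 'ok', 'need_next' (valid but far out: send the next code too) or 'reject'."""
        seed = self.seeds[serial]
        expected = now // INTERVAL + self.offsets.get(serial, 0)
        for delta in range(-FAR, FAR + 1):
            if hmac.compare_digest(code, code_for_counter(seed, expected + delta)):
                if abs(delta) <= NEAR:
                    # Inside the normal window: authenticated; remember the small drift.
                    self.offsets[serial] = expected + delta - now // INTERVAL
                    return "ok"
                # 2..10 minutes out: plausible, but prove possession with the next code.
                self.pending[serial] = expected + delta
                return "need_next"
        return "reject"

    def verify_next(self, serial: str, next_code: str, now: int) -> str:
        """Second step after 'need_next': the code shown one minute later must
        be the one for the counter right after the one that matched."""
        matched = self.pending.pop(serial, None)
        if matched is None:
            return "reject"
        if hmac.compare_digest(next_code, code_for_counter(self.seeds[serial], matched + 1)):
            # Two consecutive codes seen: synchronise by storing this token's offset.
            self.offsets[serial] = matched + 1 - now // INTERVAL
            return "ok"
        return "reject"


def demo():
    """Walk through the cases in the answer; all seeds and times are constructed."""
    seed = b"constructed-seed-for-serial-000123"
    server = AceServer()
    server.enroll("000123", seed)
    t0 = 1_700_000_000   # constructed "true" time, in seconds

    in_sync = Token(seed)
    r_ok = server.verify("000123", in_sync.display(t0), t0)

    # Same token, but its clock has drifted 5 minutes fast: far window, next code required.
    fast = Token(seed, clock_skew=5 * INTERVAL)
    r_far = server.verify("000123", fast.display(t0), t0)
    r_next = server.verify_next("000123", fast.display(t0 + INTERVAL), t0 + INTERVAL)
    # After resync the server expects the fast clock and accepts outright.
    r_resynced = server.verify("000123", fast.display(t0 + 2 * INTERVAL), t0 + 2 * INTERVAL)

    # A code read off somebody else's token (different seed) is rejected.
    other = Token(b"constructed-seed-of-another-token")
    r_other = server.verify("000123", other.display(t0), t0)
    return r_ok, r_far, r_next, r_resynced, r_other
```

Note that the server never talks to the token: everything it needs is the seed it was given at enrollment and its own clock, which is exactly why the token can be a sealed, offline device.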

This is a pretty secure authentication method. We call it 2 Factor Authentication (2FA).

This is because you need to provide a passcode made of two factors: a PIN and the code displayed on your token, in order to do the authentication.

The code on the security token changes every 30 seconds or 1 minute, and the token expires after a few years. The token can be a hardware or software token.

This type of authentication is popular and usually used by banks and financial institutions.

http://answers.yahoo.com/question/index?qid=20060930225640AAMHJZB
