The internet is abuzz with news that beleaguered security company RSA, which suffered a security intrusion and theft of trade secrets back in March, is offering to replace its customers’ security tokens.
Security tokens are used in two-factor authentication to strengthen conventional username and password logins.
The simplest sort of token generates and displays a sequence of pseudo-random numbers, with a new number appearing every minute or so. You enter this ever-changing number as well as, or instead of, your conventional password.
The theory behind time-based token authentication is that only your authentication server and the token itself can reproduce the pseudo-random stream. So, if you don’t have possession of the token, you’ll never know the password-of-the-minute.
And if a crook should shoulder-surf or keylog your current token number, it’ll be worthless next time. That should make you much more secure than relying on a password you use over and over again.
But one concern over RSA’s security breach was that some of the trade secrets stolen might allow cybercrooks to work out a token’s pseudo-random number sequence. Of course, this would destroy the very foundations of RSA token security.
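To make the two points above concrete (the token and the server reproducing the same stream, and what it means if the material behind that stream leaks), here is an added example that is not from the original article and not RSA’s code. SecurID’s own algorithm is proprietary and is not what is shown here; instead the example uses the open TOTP construction from RFC 6238 (HMAC-SHA1 over a time counter, the scheme behind most authenticator apps) with a constructed 20-byte seed and a one-minute step chosen to mirror the description above. The shape of the problem is the same: server and token share nothing but a seed, so whoever holds that seed can compute every password-of-the-minute, while a code captured in one window is rejected in later ones.

```python
import hashlib
import hmac
import struct
import time

# Constructed example seed, NOT a real SecurID seed record. It is the
# RFC 4226/6238 test secret ("12345678901234567890" as ASCII bytes), so the
# codes below can be checked against the published test vectors.
EXAMPLE_SEED = b"12345678901234567890"
STEP_SECONDS = 60   # one-minute windows, as in the token described above
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(seed, counter), dynamically truncated to digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time window."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, submitted: str, unix_time: int,
           step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Server-side check. Accepts the current window plus `skew` windows either
    side to tolerate clock drift; note that this also extends the lifetime of a
    shoulder-surfed code to roughly (2*skew + 1) windows."""
    current = unix_time // step
    for counter in range(current - skew, current + skew + 1):
        if hmac.compare_digest(hotp(seed, counter, DIGITS), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    # The token and the server run the same computation over the same seed.
    print("token shows:", totp(EXAMPLE_SEED, now))
    print("server accepts:", verify(EXAMPLE_SEED, totp(EXAMPLE_SEED, now), now))
    # Anyone else holding the seed, e.g. via a stolen seed record, gets the same answer.
    print("seed holder computes:", totp(EXAMPLE_SEED, now))
    # A code captured in one window is useless several windows later.
    stale = totp(EXAMPLE_SEED, now - 3 * STEP_SECONDS)
    print("stale code accepted:", verify(EXAMPLE_SEED, stale, now))
```

The `verify` function is where the practical caveat lives: the drift tolerance (`skew`) is a trade-off between usability and the replay window, and it is why a keylogged code is "worthless next time" only in the sense of next window, not next second. Nothing in the check depends on any secret other than the seed, which is exactly why a leak of seed material, rather than of the algorithm, is the scenario to worry about.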
RSA didn’t do itself many favours when it first commented on the breach, playing its cards rather close to its chest and not saying much more about the ongoing security of its tokens than:
"we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers."
Worse still, recent attacks on US defence contractors were linked with a possible compromise of RSA token security.
Under this sort of pressure – and perhaps still reluctant to give away too many technical details for fear of making a bad thing worse – RSA has just announced a free replacement plan for users of its tokens.
That’s going to be a big job. But is it going to be quite as big as PC World suggests when it says that RSA “will replace SecureID tokens for any customer that asks“?
RSA’s open letter on the subject isn’t quite as clear-cut.
It looks as though RSA will only replace your tokens for free if you are a customer:
"with concentrated user bases typically focused on protecting intellectual property and corporate networks."
Those sound rather like weasel-words to me. What is a “concentrated user base”? If you directly protect your own corporate network, are you covered? Or is RSA only offering to cover you indirectly, as the customer-of-a-customer, by helping your reseller?
And what if you’re just a boutique ISP with a webmail service who has taken the extra step of offering selected users two-factor authentication? Is your user base concentrated enough? Are you protecting intellectual property, or just casual chatter?
What do you think? Take part in our poll – and be thankful you’re not working in one of RSA’s call centres or help desks right now!