SecurID
SecurID is based on two-factor authentication: something you know (e.g. a password) and something you have (e.g. a key card).
Each user is issued a device that generates a single-use tokencode, with a new code produced every 60 seconds. An authentication server
validates this changing tokencode.
The following diagram illustrates several typical scenarios using SecurID:
When a user first attempts access they must enter a username, a PIN and the tokencode currently shown by the token generator
device. The agent hashes this information together with a secret known only to the agent and the server. For additional security,
only part of the resulting hash is sent to the server for authentication.
The authenticator can be a key fob containing a clock and a chip initially seeded with a 64-bit value; from the time and the seed it
generates a close-to-random 8-digit tokencode every 60 seconds. The authenticator can also be a credit-card-sized keypad, or a PINPAD,
where the user must enter a PIN to obtain a tokencode. There is also a copy-protected software authenticator that operates like the
PINPAD.
When a user attempts to access a protected device such as a server or RAS box, a software ACE agent authenticates the user against a
SecurID ACE Server, taking over from the normal password procedure. Both TACACS+ and RADIUS are compatible with SecurID. The agent
sits in the connecting device: a router, RAS box, server, web browser, etc.
For each agent the server creates a pseudo-random node secret that is known only to that agent and the server. This node secret is
used to encrypt and decrypt the communications between them.
The ACE Server holds a database of users, tokens and client information, together with an engine that authenticates the user from
the information sent by the agent. The server has a graphical administrative front end. A backup server reconciles its database with
the main server and takes over if the main server fails. The main and backup servers communicate over encrypted TCP connections
whose encryption key changes every 10 minutes. The agent communicates with the server over encrypted UDP, for speed.
The SecurID ACE Server is able to do the following:
- Provide various levels of access
- Provide access dependent on the time, and on the type of file or directory
- Log user access
- Raise alarms for invalid attempts
- Serve over 10,000 users per server
- Interoperate with up to 20 other ACE servers, providing resilience and support for over 100,000 users
All devices are set to Coordinated Universal Time (UTC, equivalent to GMT) before shipment, so that devices around the world all
operate to the same time and need no adjustment. Because clocks drift slightly, authentication allows a 3-minute window for the
time to drift. If an authenticator's time drifts outside that window, a second tokencode is requested, and provided its drift
matches that of the previous code, authentication succeeds (in this case a drift of up to 10 minutes either side is allowed).
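As an added illustration of the drift handling just described (this is not code from the page or from the SecurID product itself), the following Python sketch shows the server-side check. The tokencode generator is a constructed HMAC placeholder standing in for the real algorithm, the 3-minute and 10-minute windows are the page's, and the replay check on an already-accepted step is an addition a server would also need.

```python
import hashlib
import hmac

STEP = 60           # tokencode changes every 60 seconds
WINDOW_STEPS = 3    # +/- 3 minutes accepted outright
RESYNC_STEPS = 10   # +/- 10 minutes accepted once two consecutive codes show the same drift

def tokencode(seed: bytes, device_time: int) -> str:
    """Constructed placeholder: HMAC over the 60 s step. NOT the real SecurID algorithm."""
    step = device_time // STEP
    digest = hmac.new(seed, step.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"  # 8-digit code, as the page describes

class TokenRecord:
    """Server-side state for one issued token (hypothetical structure)."""
    def __init__(self, seed: bytes):
        self.seed = seed
        self.pending_offset = None   # drift proposed by a first out-of-window code, awaiting confirmation
        self.last_step = -1          # highest step already accepted; blocks replay of a used code

def _find_offset(record: TokenRecord, code: str, server_time: int, max_steps: int):
    """Return the step offset (device clock minus server clock) whose code matches, or None."""
    for off in range(-max_steps, max_steps + 1):
        if hmac.compare_digest(tokencode(record.seed, server_time + off * STEP), code):
            return off
    return None

def authenticate(record: TokenRecord, code: str, server_time: int):
    """Return ('ok', offset), ('resync', offset) when a second code is needed, or ('fail', None)."""
    step_now = server_time // STEP
    off = _find_offset(record, code, server_time, WINDOW_STEPS)
    if off is None:
        off = _find_offset(record, code, server_time, RESYNC_STEPS)
        if off is None:
            record.pending_offset = None
            return "fail", None
        if record.pending_offset != off:
            # first code outside the 3-minute window: remember its drift and ask for the next code
            record.pending_offset = off
            return "resync", off
    # either inside the window, or a second code whose drift matches the first one
    if step_now + off <= record.last_step:
        return "fail", None          # this code (or an earlier one) has already been used
    record.last_step = step_now + off
    record.pending_offset = None
    return "ok", off
```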