The token hardware is designed to be tamper-resistant to deter reverse engineering. On older versions of SecurID, a “duress PIN” may be used: an alternate code which creates a security event log showing that a user was forced to enter their PIN, while still providing transparent authentication.
Using the duress PIN would allow one successful authentication, after which the token will automatically be disabled. This is significant, since it is the principal threat most users believe they are solving with this technology.

The simplest practical vulnerability with any password container is losing the special key device or the activated smart phone with the integrated key function. Such a vulnerability cannot be remedied by any single token-container device within the preset activation time span. All further consideration presumes loss prevention, e. While RSA SecurID tokens offer a level of protection against password replay attacks, they are not designed to offer protection against man-in-the-middle attacks when used alone.
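A server-side model of the duress-PIN and replay behaviour described above, added here as an illustration and not RSA's own code. The tokencode derivation, the 60-second window, and the passcode layout (PIN followed by a six-digit tokencode) are assumptions, since the page does not describe the real algorithm.

```python
import hashlib, hmac, struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def token_code(seed: bytes, now: int, window: int = 60) -> str:
    # Hypothetical HMAC-SHA256 derivation standing in for the token's proprietary
    # algorithm; all that matters here is one deterministic code per time window.
    counter = struct.pack(">Q", now // window)
    digest = hmac.new(seed, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

@dataclass
class TokenRecord:
    seed: bytes
    pin: str
    duress_pin: Optional[str] = None  # feature of older SecurID versions only
    disabled: bool = False
    last_code: Optional[str] = None   # last accepted tokencode, for replay rejection

class AuthServer:
    def __init__(self) -> None:
        self.tokens: Dict[str, TokenRecord] = {}
        self.events: List[Tuple[str, str, str]] = []  # (outcome, user, reason)

    def authenticate(self, user: str, passcode: str, now: int) -> bool:
        # passcode = PIN followed by the current six-digit tokencode
        rec = self.tokens.get(user)
        if rec is None or rec.disabled:
            self.events.append(("reject", user, "unknown or disabled token"))
            return False
        code = token_code(rec.seed, now)
        pin, given = passcode[:-6], passcode[-6:]
        if not hmac.compare_digest(given, code):
            self.events.append(("reject", user, "bad tokencode"))
            return False
        if code == rec.last_code:  # same tokencode presented twice: replay
            self.events.append(("reject", user, "replayed tokencode"))
            return False
        if hmac.compare_digest(pin, rec.pin):
            rec.last_code = code
            self.events.append(("accept", user, "normal pin"))
            return True
        if rec.duress_pin is not None and hmac.compare_digest(pin, rec.duress_pin):
            rec.last_code = code
            rec.disabled = True  # one successful login, then the token is disabled
            self.events.append(("duress", user, "duress pin used; token disabled"))
            return True
        self.events.append(("reject", user, "bad pin"))
        return False
```

The event list is the security log the page mentions: a duress entry is what an operator would alert on, and the disabled flag means a second login with the same token fails even with a fresh tokencode.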
This has been documented in an unverified post by John G.

Although soft tokens may be more convenient, critics indicate that the tamper-resistant property of hard tokens is unmatched in soft token implementations, which could allow seed record secret keys to be duplicated and user impersonation to occur. A user will typically wait more than one day before reporting the device as missing, giving the attacker plenty of time to breach the unprotected system.

Batteries go flat periodically, requiring complicated replacement and re-enrollment procedures. 25 million devices have been produced to date.

On 17 March 2011, RSA announced that they had been victims of “an extremely sophisticated cyber attack”. Concerns were raised specifically in reference to the SecurID system, saying that “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation”.