Forgive me for arguing, but I believe the time allotted for guessing that third factor is even less than indicated below. Of course, by token, I am referring to what RSA calls a "keyfob." Is that what you are referring to as well?
Here is what I understand to be the process, from reading the manuals we have:

1. Upon issuance to the user, you sync the token/keyfob with the RSA server DB.
2. A 6-digit code displays for 1 minute on the token.
3. If used for authentication within that 1-minute period, it is "time-stamped" as to when you entered the Passcode (PIN + code) and has an additional 1-minute latency period. Meaning that if you dial up and enter your passcode 30 seconds into the code, you have 1:30 to connect to the dial-up server and be authenticated.
4. If you enter the same code after the display has rolled over, however, that code is no longer valid, as the timestamp when you entered it will no longer match the timestamp on the server for when that code was valid.

So the short version is that if you enter the code while it's displaying on the token, it's good for 1 minute with a 1-minute latency period. If you don't enter the number while it's viewable, then you've missed your window of opportunity, because it was only good for one minute.

Oh, and BTW... if you are trying to guess the code and miss it three times, regardless of the length of time between guesses, it will lock your token until an admin can reset it.

That's how I understand the process.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 5:44 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security

It doesn't stop key logging per se, but it renders it ineffective. The SecurID tokens use a three-factor[1] authentication system, in which the third piece is a 6-digit, one-time-use code. That code is good for exactly 3 minutes, and once used cannot be used again. Therefore, logging the authentication process is useless, as you'll only get 2 of the 3 factors, and for the third factor, you have a 1 in 1,000,000 chance, reset every three minutes, to guess that last part.
Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] They call it 2 factor, but you need a username, a PIN, and the SecurID token number to log in - that's either 3 or 11, depending on how much of a geek you are.

:::: snip ::::
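A server-side model of the checks described in steps 1-4 and the three-strike lockout, added here as an illustration and not RSA's code: the code derivation (HMAC-SHA256 over a minute counter), the AuthServer class, the fixed constants and the assumption that a successful login clears the failure counter are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
# Parameters as described in the thread (constructed model, not RSA's implementation).
DISPLAY_SECONDS = 60   # a code is shown on the fob for one minute
LATENCY_SECONDS = 60   # after entry, the caller has one more minute to finish connecting
MAX_FAILURES = 3       # three misses lock the token until an admin resets it
CODE_DIGITS = 6

def derive_code(seed: bytes, window: int) -> str:
    """Stand-in generator: HMAC-SHA256 over the minute counter, cut to 6 digits (not RSA's)."""
    mac = hmac.new(seed, window.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"

@dataclass
class TokenRecord:
    seed: bytes
    pin: str
    failures: int = 0            # never decays with time; only an admin reset clears a lock
    locked: bool = False
    last_window_used: int = -1   # an accepted code is spent and cannot be replayed

class AuthServer:
    def __init__(self):
        self.tokens: dict[str, TokenRecord] = {}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.tokens[user] = TokenRecord(seed, pin)      # step 1: sync fob with server DB

    def admin_reset(self, user: str) -> None:
        self.tokens[user].failures, self.tokens[user].locked = 0, False

    def verify(self, user: str, passcode: str, now: int):
        """Passcode = PIN + 6-digit code. Returns (status, time by which the connection must complete)."""
        rec = self.tokens[user]
        if rec.locked:
            return "locked", None
        window = now // DISPLAY_SECONDS                  # step 2: the one code valid right now
        pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
        pin_ok = hmac.compare_digest(pin, rec.pin)
        code_ok = hmac.compare_digest(code, derive_code(rec.seed, window))
        if not (pin_ok and code_ok) or window == rec.last_window_used:
            rec.failures += 1                            # step 4: rolled-over or replayed code is a miss
            if rec.failures >= MAX_FAILURES:
                rec.locked = True
                return "locked", None
            return "denied", None
        rec.failures = 0                                 # assumption: a good login clears the counter
        rec.last_window_used = window
        return "ok", now + LATENCY_SECONDS               # step 3: one more minute to connect
```

A captured PIN and code therefore buy an observer nothing once the minute has rolled over or the code has been accepted once, and blind guessing is cut off by the lock after the third miss.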

