On Wed 23 November, 2005 15:37 Thomas Kern wrote:
> Management is looking at having ALL system administrators use
> 2 part authentication. One product that is prominent in their
> discussions is RSA's SecurID. Their website lists components
> for Windows, Solaris, AIX and Intel-based Linux. My boss is
> going to ask them if they support systems on IBM zSeries platforms.
>
> Has anyone else had experience with this product even without
> their mainframe systems being part of the setup?
I have some experience with RSA tokens. Keep in mind that there are several prominent vendors of tokens and related two-factor authentication and One Time Password (OTP) solutions in addition to RSA. It pays to evaluate not only the vendors and their software, but also their business model. Do they make their money on the actual tokens, or on proprietary server software, or on some other basis? Can you buy additional tokens from another source or are you locked in? Conversely, can you use their tokens with another server? Is the server priced by user in addition to the cost of the tokens, or by number of connected endpoints, or some other model? How long do tokens last, i.e. do they expire by design before their natural battery life? etc. etc. What sort of user and token database is used, and how is it administered? Does the database itself have to live on a particular server (perhaps even vendor-supplied hardware), or can it be something you already have?

Disclosure here: I work for a company (Proginet Corporation) that is a reseller of Vasco tokens, and we supply software that allows those tokens to be authenticated against mainframe security systems (RACF, ACF/2, and Top Secret). We also support RSA and several other token brands. We do not currently have VM-based server software, but we support authentication from a wide variety of endpoints, e.g. web servers, UNIX and Windows boxes, routers, gateways, and so on. And there are APIs in Java and other languages if you want to write your own.

Enough sales pitch - I'm in development, not sales. RSA makes quality tokens and software, and using their products will certainly provide a big security improvement over simple passwords. But you should also evaluate alternatives and look at the pricing models and overall architecture very carefully.

Regards... Tony H.
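As an added illustration, not code from this thread and not from RSA, Vasco or Proginet (whose token algorithms the reply does not describe), the following shows what the "server software" and "user and token database" mentioned above actually have to do when a code arrives, using the open-standard event-based OTP of RFC 4226 (HOTP) because its algorithm and test vectors are public. The verifier looks up the user's secret and counter, accepts a code within a small look-ahead window so a token whose button was pressed a few times without a login can resynchronise, and advances the stored counter so the same code is never accepted twice. The user names and the `TokenStore` class are assumptions for the example; the secret is the RFC 4226 test-vector key, embedded here as constructed sample data.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce modulo 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return f"{binary % (10 ** digits):0{digits}d}"


class TokenStore:
    """Minimal server-side token database (hypothetical class for this example):
    one record per user holding the shared secret and the next expected counter."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    def enroll(self, user: str, secret: bytes, counter: int = 0) -> None:
        self._records[user] = {"secret": secret, "counter": counter}

    def counter(self, user: str) -> int:
        return self._records[user]["counter"]

    def verify(self, user: str, code: str, window: int = 5) -> bool:
        """Accept `code` if it matches any counter in [next, next + window).
        On success the stored counter jumps past the matched value, so codes
        already used (or skipped over) can never be replayed."""
        rec = self._records.get(user)
        if rec is None or len(code) != 6 or not code.isdigit():
            return False
        for candidate in range(rec["counter"], rec["counter"] + window):
            expected = hotp(rec["secret"], candidate)
            # constant-time comparison of the two decimal strings
            if hmac.compare_digest(expected, code):
                rec["counter"] = candidate + 1
                return True
        return False


# Constructed sample data: the RFC 4226 Appendix D test key for user "alice".
RFC4226_TEST_SECRET = b"12345678901234567890"


def make_demo_store() -> TokenStore:
    store = TokenStore()
    store.enroll("alice", RFC4226_TEST_SECRET, counter=0)
    return store


if __name__ == "__main__":
    store = make_demo_store()
    # First press of the token (counter 0) is accepted, a replay of it is not.
    print(store.verify("alice", "755224"), store.verify("alice", "755224"))
    # Token pressed a few times without logging in: counter 4 is within the window.
    print(store.verify("alice", "338314"), store.counter("alice"))
```

The look-ahead window is the trade-off a token administrator tunes: too small and users whose token drifted ahead get locked out and need a manual resync; too large and the server does more HMACs per attempt and accepts more candidate codes, so pair it with lockout after repeated failures. Time-based tokens replace the counter with a time step but the store, window and replay rule are the same shape.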
