To many employees, RSA SecurID tokens are a familiar sight, as is the procedure for logging in to a TCP/IP network using the one-time dynamic password technique embodied by this approach.
The two factors here are the user PIN (chosen by the user or generated by the system) and the dynamic password viewed on the LCD display of the token, which changes approximately every sixty seconds.
The user then concatenates the two when logging on to produce the passcode. The ACE/Server (we reviewed version 5.1, but 5.2 has since been released) is the heart of the system and has been proven with applications.
When users log in to protected resources, the ACE/Server handles this via the agent software. The server user database may be administered manually or synchronized to an LDAP database to automatically add or update individual records according to a pre-arranged schedule.
Microsoft Active Directory, iPlanet Directory Server and Novell NDS eDirectory are all supported by this synchronization feature. The product supports various tokens, including those featuring AES 128-bit operation.
The experience and expertise of RSA are reflected in the comprehensive documentation on the CD-ROM, the 428-page administration guide being a good example. We would prefer to see such documents included as printed manuals rather than PDF files on a CD, but printed versions are available from RSA at additional cost.
The presence and profile of this product in the marketplace are such that the name is almost synonymous with two-factor authentication in many minds. There is good reason for this, as it is a mature product which has been refined and developed over time to become the proven and reliable solution represented by the current offering. If the dynamic password route is your preferred approach to two-factor authentication, then the RSA product should most certainly be on your evaluation list.