Two-factor authentication and SecurID

Two-factor authentication (TFA or 2FA) means using two independent means of evidence to assert an entity's identity to another entity. Two-factor authentication is commonly found in electronic computer authentication, where basic authentication is the process of a requesting entity presenting some evidence of its identity to a second entity. Two-factor authentication seeks to decrease the probability that the requestor is presenting false evidence of its identity. The number of factors is important because it implies a higher probability that the bearer of the identity evidence indeed holds that identity in another realm (i.e. the computer system vs. real life). In reality there are more variables to consider when establishing the relative assurance of truthfulness in an identity assertion than simply how many "factors" are used.

Two-factor authentication is often confused with other forms of authentication. Two-factor authentication implies the use of two independent means of evidence to assert an entity's identity, rather than two iterations of the same means. "Something one has", "something one knows", and "something one is" are useful simple summaries of three independent factors. In detail, these factors are:
what the requestor individually knows as a secret, such as a password or a Personal Identification Number (PIN);
what the requesting owner uniquely has, such as a passport, physical token, or an ID card;
what the requesting bearer individually is, such as biometric data, like a fingerprint or face geometry.

It is generally accepted that any independent two of these authentication methods (e.g. password + value from a physical token) is two-factor authentication. The accepting identity may use these facts (among other criteria) as a truth upon which to grant or deny the requestor's access to a sensitive data set or physical area. The requestor may be a person or computer system agent acting on behalf of a person.

Another independent means that is becoming more practiced in computer systems is "how one behaves", although it is more often used as a decision point for transactions or to de-authenticate an entity than to establish initial truth in identity.

------------------------------------------------------------------------------------------------------------------------------------------------

RSA SecurID is a mechanism developed by RSA Security for performing two-factor authentication for a user to a network resource.


SecurID

The RSA SecurID authentication mechanism consists of a "token"—a piece of hardware (e.g. a hardware token or USB device) or software (e.g. a "soft token" for a computer, PDA or cell phone)—assigned to a computer user that generates an authentication code at fixed intervals (usually 30 or 60 seconds) using a built-in clock and the token's factory-encoded random key (known as the "seed" and often provided as an ASCII file). The seed is different for each token, and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server) as the tokens are purchased. The seed is typically 128 bits long. Some RSA SecurID deployments may use other rotation periods, such as 30-second increments.

The token hardware is designed to be tamper-resistant to deter reverse engineering. Despite this, public code has been developed by the security community allowing a user to emulate RSA SecurID in software, but only if they have access to a current RSA SecurID code, and the original RSA SecurID seed file introduced to the server.[1] In the RSA SecurID authentication scheme, the seed record is the secret key used to generate one-time passwords. "Soft tokens" are merely commercial software implementations of the same algorithms implemented in the tamper-resistant hardware, only the soft tokens require the seed record to be distributed to clients so that the seed record may be used as input in the one-time password generation. Newer versions also feature a USB connector, which allows the token to be used as a smart card-like device for securely storing certificates.[2]

A user authenticating to a network resource—say, a dial-in server or a firewall—needs to enter both a personal identification number and the number being displayed at that moment on their RSA SecurID token. Some systems using RSA SecurID omit the PIN altogether and rely on password/RSA SecurID code combinations. The server, which also has a real-time clock and a database of valid tokens with their associated seed records, computes what number the token is supposed to be showing at that moment, checks it against what the user entered, and decides whether to allow or deny access.

On systems implementing PINs, a "duress PIN" may be used—an alternate code which creates a security event log entry showing that the user was forced to enter their PIN, while still authenticating transparently.

While the RSA SecurID system adds a strong layer of security to a network, difficulty can occur if the authentication server's clock becomes out of sync with the clock built into the authentication tokens. However, the RSA Authentication Manager typically corrects for this automatically without affecting the user. It is also possible to resync a token manually in the RSA Authentication Manager. Providing authentication tokens to everyone who might need to access a resource can be expensive (about $15 per year plus licencing costs), particularly since tokens are programmed to "expire" at a fixed time, usually three years, requiring purchase of a new token.
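The four preceding paragraphs describe one mechanism from both sides: a per-token seed shared with the server, a clock sliced into fixed intervals, a PIN prepended to the displayed code, a duress PIN that authenticates but raises a security event, and tolerance for a token clock that has drifted. The following added example is not RSA's code and does not implement SecurID's proprietary token algorithm; it uses the open OATH TOTP construction (HMAC over a time counter, RFC 4226/6238) mentioned later in the article to show the same moving parts. The seed, PINs, user names and timestamps are constructed, and the single-use rule for accepted codes is an assumption added here as standard practice for time-based OTP servers.

```python
"""Time-synchronised OTP token and verifying server (illustrative, OATH TOTP-style)."""
import hashlib
import hmac
import struct

INTERVAL = 60   # seconds per code; the article says 30 or 60 seconds
DIGITS = 6      # digits shown on the token


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison so PIN/code checks do not leak timing."""
    return hmac.compare_digest(a.encode(), b.encode())


def otp_at(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP dynamic truncation (RFC 4226) of HMAC-SHA1(seed, counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def token_display(seed: bytes, now: int, interval: int = INTERVAL) -> str:
    """What the token shows at Unix time `now`: the code for the current interval."""
    return otp_at(seed, now // interval)


class AuthServer:
    """Stand-in for the server side (the text's RSA Authentication Manager)."""

    def __init__(self, interval: int = INTERVAL, window: int = 1):
        self.interval = interval
        self.window = window        # +/- intervals of clock drift tolerated
        self.tokens = {}            # user -> (seed, pin, duress_pin)
        self.last_counter = {}      # user -> last interval whose code was accepted
        self.events = []            # security event log

    def enroll(self, user: str, seed: bytes, pin: str, duress_pin: str = None):
        """Load the token's seed record and PINs, as done when tokens are purchased."""
        self.tokens[user] = (seed, pin, duress_pin)

    def verify(self, user: str, passcode: str, now: int) -> bool:
        """passcode = PIN followed by the 6-digit token code; returns True or False."""
        record = self.tokens.get(user)
        if record is None or len(passcode) <= DIGITS:
            self.events.append(("AUTH_FAIL", user))
            return False
        seed, pin, duress_pin = record
        entered_pin, code = passcode[:-DIGITS], passcode[-DIGITS:]

        duress = duress_pin is not None and _eq(entered_pin, duress_pin)
        pin_ok = duress or _eq(entered_pin, pin)

        # Recompute the code for every interval in the drift window; no early
        # exit, so the work done does not depend on which step matched.
        base = now // self.interval
        matched = None
        for delta in range(-self.window, self.window + 1):
            if _eq(code, otp_at(seed, base + delta)):
                matched = base + delta
        # Assumed single-use rule: reject a code at or before the last accepted step.
        fresh = matched is not None and matched > self.last_counter.get(user, -1)

        ok = pin_ok and fresh
        if ok:
            self.last_counter[user] = matched
            if duress:
                self.events.append(("DURESS", user))  # silent alarm, login still succeeds
        self.events.append(("AUTH_OK" if ok else "AUTH_FAIL", user))
        return ok


if __name__ == "__main__":
    seed = b"constructed-seed-do-not-reuse"   # constructed sample seed
    server = AuthServer()
    server.enroll("alice", seed, pin="1234", duress_pin="9999")
    now = 1_700_000_000
    shown = token_display(seed, now)
    print("token shows", shown)
    print("login:", server.verify("alice", "1234" + shown, now))
    print("replay:", server.verify("alice", "1234" + shown, now + 5))
    print("events:", server.events)
```

The server never trusts the token's clock directly: it derives the expected code from its own clock and the stored seed, and the `window` parameter is the small amount of drift it will forgive, which is why a badly drifted token has to be resynced rather than simply accepted.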

RSA SecurID currently commands over 70% of the two-factor authentication market (source: IDC) and 25 million devices have been produced to date. A number of competitors, such as VASCO, make similar security tokens, mostly based on the open OATH HOTP standard. A study on OTP published by Gartner in 2010 mentions OATH and SecurID as the only competitors.[3]

RSA Security has pushed forth an initiative called "Ubiquitous Authentication", partnering with device manufacturers such as IronKey, SanDisk, Motorola, Freescale Semiconductor, Redcannon, Broadcom and BlackBerry to embed the SecurID software into everyday devices such as USB flash drives and cell phones, to reduce cost and the number of objects that the user must carry.[4]

Other network authentication systems, such as OPIE and S/Key (sometimes more generally known as OTP, as S/Key is a trademark of Telcordia Technologies, formerly Bellcore) attempt to provide the "something you have" level of authentication without requiring a hardware token.
