RSA Security Doohickey

AllieVi (SatelliteGuys Pro, original poster), Sep 11, 2003
Temecula, CA (area)
I got one of the RSA gadgets (about the size of a key) that generates a random 6-digit number every minute to use with my stock market trading accounts. I append the 6-digit number to my account password. The gadget is marketed for other uses, too (my brother’s access to a real estate database requires it).

I am wondering if a single gadget could be tied to multiple services. My bank doesn’t offer this option, but if it did, could I use the gadget I already have? Someone with deeper knowledge of the gadget workings should know.

I wasn’t sure I wanted to use the thing, but have found it to be worthwhile. It reduces the likelihood that anyone could hack into my account by guessing or even knowing my “root” password since the complete password changes each minute.
 
They are tied to the provider. They need to match against that provider's master.

I.e., you'd have multiple different RSA fobs.
 
If other programs could duplicate the sequence of numbers it would defeat the purpose of the device. That is why it cannot be shared among other computers/services.
 
Each token is unique - I don't see how you would defeat the purpose of it if you must register it with each instance of the RSA server. It could be done and no harm would occur for multiple peers.
The token belongs to you and you are responsible for using it; actually there is an additional level of security - your personal PIN code as part of the verification, plus the 6 digits. Simple analogy - sort of like an SSN that only you can see on special paper (sensitive to your brain waves ;)) - we still use the SSN for authentication at many places.
 
I’m making some assumptions about how the system works. I’d expect my broker doesn’t actually “know” this minute’s correct key, but queries the RSA site to determine that I’ve entered a good one based on my item’s 9-character serial number. If it works that way, any service that knows the serial number could also do a verification. RSA could then sell its verification of a single device to many retailers. Only the retailers would know who is associated with a particular device.

I would imagine that RSA has developed its system in such a way that a person would only have to carry one device. People won’t be interested in carrying a pocketful of them to access different services. Any company that wants to initiate RSA security would simply need to know the serial number of the device if a customer already has one. Widespread use of the system would be encouraged if the same gadget could be used for multiple services.

Keep in mind that the 6-digit code is not the entire account password, just the digits I append to the “root” password.
 
Me too (and managing Kerberos servers at a couple of companies), but the point is - many servers could have a registration of one RSA token and serve the owner for different services without problem!
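To make the back-and-forth above concrete, here is an added example (not from the thread, and not RSA's code; RSA SecurID's token algorithm is proprietary, so this uses the open RFC 4226 HOTP / RFC 6238 TOTP construction instead, with the 60-second step and 6 digits the original poster describes). The `Verifier` class, the serial number, the PIN and the seed are all made up for illustration. The point it demonstrates is the one the replies are circling: the code is computed from a secret seed and the clock, so whoever checks a code must hold that seed (or ask a server that does). A second service can accept the same fob only by registering the seed too; a service that knows only the serial number cannot verify anything. It also shows two checks a real verifier needs: the PIN prefix on the passcode, and rejecting a code that has already been accepted in the same time step (one-time use).

```python
import hashlib
import hmac
import struct
import time

# Illustrative seed only (it is the RFC 4226/6238 test-vector key), NOT a real
# token secret. On a real deployment the seed is loaded at manufacture and sent
# to the verifier out of band; it never leaves the token or the server.
SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    step=60 mirrors a fob that rolls its display once a minute."""
    return hotp(seed, unix_time // step, digits)


class Verifier:
    """One relying party (broker, bank, ...). Hypothetical class: it keeps a
    copy of the seed and PIN for every registered serial, plus the last
    accepted counter so a captured passcode cannot be replayed."""

    def __init__(self, name: str, step: int = 60, digits: int = 6, window: int = 1):
        self.name = name
        self.step = step
        self.digits = digits
        self.window = window          # steps of clock drift tolerated each side
        self.seeds = {}               # serial -> seed bytes
        self.pins = {}                # serial -> PIN string
        self.last_counter = {}        # serial -> last counter accepted

    def register(self, serial: str, seed: bytes, pin: str) -> None:
        self.seeds[serial] = seed
        self.pins[serial] = pin

    def verify(self, serial: str, passcode: str, unix_time: int) -> bool:
        """passcode = PIN + 6-digit tokencode. Accept the current step and
        `window` steps either side, but never a counter already used."""
        seed = self.seeds.get(serial)
        if seed is None:
            return False              # we never got the seed: nothing to check
        pin = self.pins[serial]
        if not passcode.startswith(pin):
            return False
        code = passcode[len(pin):]
        now = unix_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter.get(serial, -1):
                continue              # replay of an already-accepted step
            if hmac.compare_digest(hotp(seed, counter, self.digits), code):
                self.last_counter[serial] = counter
                return True
        return False


def demo(now: int = None) -> dict:
    """One fob registered with two independent services, plus three failure
    cases. Returns the outcome of each check so it can be asserted on."""
    now = int(time.time()) if now is None else now
    serial = "000123456"              # constructed 9-character serial
    pin = "1234"                      # constructed PIN
    broker, bank, stranger = Verifier("broker"), Verifier("bank"), Verifier("stranger")
    broker.register(serial, SEED, pin)
    bank.register(serial, SEED, pin) # second service: needs the seed, not just the serial
    code = totp(SEED, now)            # what the fob displays this minute
    return {
        "broker": broker.verify(serial, pin + code, now),
        "bank": bank.verify(serial, pin + code, now),
        # same passcode presented again a few seconds later: replay rejected
        "replay_at_broker": broker.verify(serial, pin + code, now + 5),
        # a service that only knows the serial number cannot verify anything
        "serial_only": stranger.verify(serial, pin + code, now),
        # right tokencode for the next minute, wrong PIN
        "wrong_pin": bank.verify(serial, "0000" + totp(SEED, now + 60), now + 60),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:18s} {'accepted' if ok else 'rejected'}")
```

The drift window is the usual compromise: a fob's clock slowly walks away from the server's, so one step either side is accepted, and the `last_counter` bookkeeping is what keeps that window from turning into a replay opportunity. `hotp` and `totp` are called with the RFC test-vector key so their output can be checked against the published vectors (counter 0 gives 755224, counter 1 gives 287082).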
 