CA Capitalizes on RSA SecurID Breach with a Token Trade-in Program

CA Technologies is offering all RSA SecurID token customers an opportunity to trade their hardware tokens for CA ArcotID secure software credentials in a one-for-one swap.

One company's misery is another's opportunity. CA Technologies is reaching out to jittery RSA customers with a trade-in deal: SecurID tokens for CA ArcotID secure software licenses.

Ever since RSA Security's executive chairman Art Coviello disclosed on March 17 that attackers had successfully breached the companys networks and stolen information related to the company's SecurID two-factor authentication technology, customers have been worried about the security of their SecurID deployments.

"Those hardware tokens have no upgrade path and would have to be replaced," said Bruce Schneier, chief security technology officer at British Telecom. If customers feel that SecurID is compromised, they are likely to replace them with competing products, he said on his Schneier on Security blog.

CA Technologies made its move with a limited-time swap program that allows RSA customers to receive three-year enterprise licenses for CA ArcotID secure software credentials for every RSA SecurID tokens traded in. Customers will also receive the CA Arcot WebFort authentication server, CA announced on March 29. The program will run till Sept. 30.

Assuming that the attackers stole the seed values used to generate the one-time passwords on the SecurID tokens, a number of security experts have speculated that RSA customers will need to replace all deployed hardware tokens to prevent attackers from using the seed values to break in to secure networks.

CA's offer may seem pretty attractive to RSA customers, as the company promised the only cost to the making the switch was on-going maintenance. In contrast, replacing these tokens with new ones from RSA could be an expensive proposition for customers.

"The difficulty of remediation in case of a hardware token breach can be overwhelming," said Ram Varadarajan, general manager for CA Arcot Security Solutions at CA Technologies. He noted that a compromise in a hardware token requires the company to deploy a new token, which could be costly, time-consuming and inefficient.

The CA ArcotID software credential can be easily and securely downloaded using "cryptographic camouflage technology," CA said. In the event of a security breach, organizations would be able to reset the credentials immediately and users would just self-provision a new private key on their next logon, according to the company.

With CA ArcotID technology, each organization creates, manages and stores its own private keys for all its own users. Since CA Technologies holds no information about individual credentials, there's no chance of the company compromising customer data, CA said.

CA ArcotID works across multiple applications and environments and IT departments have the option to store the actual credentials on a client device, such as a PC, laptop, tablet or smartphone, CA said. With an increasingly mobile workforce, expecting employees to carry an additional key fob or device was "not practical," according to Varadarajan.

"Hardware tokens are a security mechanism whose time has expired," Varadarajan said.

The potential gain for CA is pretty significant. The company claims nearly 30 million users for CA ArcotID. Contrast that with SecurID, which is used by over 25,000 customers including large enterprises, financial institutions, and government agencies. An estimated 40 million SecureID physical tokens and 250 million software-based tokens have been deployed.