For some time, RSA Security Inc. has had two-factor authentication that works with Windows. Now, SecurID for Windows, a new offering, fully integrates with Microsoft Corp.s Active Directory and enables domain-level access management along with new offline capabilities.
Click here to read the full review of SecurID for Windows.
2
For some time, RSA Security Inc. has had two-factor authentication that works with Windows. Now, SecurID for Windows, a new offering, fully integrates with Microsoft Corp.s Active Directory and enables domain-level access management along with new offline capabilities.
IT managers who already use RSAs SecurID for VPN, Unix/Linux or Web servers should consider using SecurID for Windows in areas where strong authentication and reliable audit logs are needed.
SecurID for Windows started shipping earlier this month. Pricing for two-factor authentication systems varies widely based on the number of users. For example, SecurID for Windows for 1,000 users is priced at $107 per user and includes 1,000 RSA SecurID tokens, an RSA Authentication Manager license for 1,000 users and one year of maintenance. Current RSA customers with active support contracts can upgrade at no added cost until March.
Using the least expensive hardware tokens, CryptoCard Corp.s Crypto-Server 6.1 costs roughly $75 per user for 1,000 users.
The biggest cost differentiator is the tokens that users carry. RSAs token is a sealed unit that is purchased based on guaranteed operation for two to five years. In contrast, CryptoCards token has a user-serviceable battery. Tokens from competitor Aladdin Knowledge Systems Ltd. use a USB (Universal Serial Bus) device and need no battery. Since our experience is that users are notoriously bad at hanging on to hardware tokens, we think IT managers using any token system should plan to have plenty of replacements on hand.
Testing at eWEEK Labs showed that IT managers should need only a couple of hours to get SecurID for Windows up and running. We advise working closely with RSA service staff to create access policies that work for the organization. One policy decision that merits careful consideration is how long users should be able to work offline—if at all.
We used the work-offline capability on a laptop that was disconnected from Authentication Manager (which longtime RSA users know as ACE/ Server.) Previous RSA support for Windows required that the computer be connected to the server. During tests, we easily generated files that stored a one-way hash of the product of the RSA-generated passcode. The seed, the value that was used to create the code, is not stored on the local machine. This is stored on Authentication Manager and in the token codes. This let us authenticate using our token while away from the network.
The trade-off for the capability to work offline is that hash file contents are time-limited. SecureID for Windows creates a separate file for every day. We set up our work-offline feature to function for 14 days at a stretch.
The downside of the current implementation of the work-offline feature is that it applies to all users without exception. We hope that RSA in the future provides a facility for IT managers to create groups of users who can have work-offline settings, adjusted independently.
SecurID for Windows is designed to protect network-connected data assets, although it will also protect access to the local desktop or laptop Windows systems. In tests, SecurID for Windows did a fine job of this, especially when we forgot our PIN or misplaced our token.
Technical Director Cameron Sturdevant can be reached at [email protected].
Be sure to add our eWEEK.com Security news feed to your RSS newsreader or My Yahoo page