RSA is usually associated with token solutions, providing dynamic one-time password facilities plugged into back end authentication servers like RSA's ACE/ Server. But there are times when a token is not ideal: you have lease costs to consider, the server-side requirements are relatively high and inexperienced users can find one-time passwords tricky to handle.
Smartcards offer an alternative, providing a less bullet-proof but more flexible authentication solution. Using a Java platform, the card can be loaded with multiple identities or custom applications, keyed to specific users and providing strong authentication. The flexibility also extends to physical security, with smartcards well suited for integration into physical access control or ID badges.
SecurID Passage marks RSA's foray into the smartcard marketplace, offering Microsoft Windows based client software to authenticate and manage a compliant smart card, such as RSA's SecurID 5100. SecurID Passage supports authentication via a number of methods, including X.509 certificates, CAPI, SSL and standard card readers.
It can also be used for digitally signing and encrypting email messages, and can store multiple certificates and private key pairs from standards-based certificate authorities.
The software replaces the standard Windows logon. When the card is removed, the workstation is locked and requires re-authentication to be unlocked.
In our test, the product worked well, but the supplied documentation was disappointing. If you are investing in an RSA solution, you might expect more than a CD-ROM peppered liberally with PDF and DOC files. These invariably mean that the systems administrator must wade through them all in order to find the relevant information. And although reasonably written, this approach is in contrast to other products, which supply physical manuals and associated documentation. RSA has since informed us that it is issuing manuals with the production version of the package.
Once the system is up and running, however, the systems administrator should find it perfectly workable, although we felt the SecurID methodology seemed less intuitive than many of its newer counterparts.
These days simplicity goes a long way with end users and can help to reaffirm corporate security policies.