19. March 2011 · Comments Off on How concerned should you be about the RSA breach? · Categories: blog · Tags: , , , ,

Ars Technica provides an excellent analysis of the potential threats to users of RSA Secure-ID tokens as a result of the breach RSA announced.

RSA’s announcement was not specific in the information it gave, so exactly what this means for SecurID isn’t clear. In the likely worst case, the seed values and their distribution among RSA’s 25,000 SecurID-using customers, may have been compromised. This would make it considerably easier for attackers to compromise systems dependent on SecurID: rather than having to acquire a suitable token, they would be required only to eavesdrop on a single authentication attempt (so that they could determine how far through the sequence a particular token was), and from then on would be able to generate numbers at their whim.

The article also covers more benign, more grave, and less likely possibilities. I would think that RSA customers are receiving more precise information.

While Secure-ID is probably the most popular two-factor authentication solution, it may be worth noting that there are many other choices available from RSA and its competitors.