CA Courts SecurID Customers

Who said hardware authentication tokens are infallible? CA's new program contrasts the advantages of its software-based approach with RSA Security's hardware-based SecurID model.

CA Technologies Inc. (CA) announced a new "trade-in" program designed for users of RSA Security's SecurID authentication tokens.

RSA Security confirmed that its SecurID system -- which is widely used by both private enterprises and government organizations -- has been compromised. SecurID uses hardware tokens. CA's offering doesn't and the company says RSA customers can exchange their SecurID tokens on a one-to-one basis for its ArcotID software tokens. All told, CA promises shops a three-year enterprise license for ArcotID and its Arcot WebFort authentication server.

The only catch: customers have to pay maintenance costs.

"Hardware tokens are a security mechanism whose time has expired. The inconvenience of carrying an additional key fob or device for today's increasingly mobile workforce is not practical, and the difficulty of remediation in case of a hardware token breach can be overwhelming," said Ram Varadarajan, general manager for CA Arcot Security Solutions, in a statement. "For the past 13 years, the Arcot technology has delivered advanced authentication using secure software credentials as a proven alternative to hardware tokens."

CA officials sought to contrast the advantages of ArcotID's software-based approach with RSA Security's hardware-based SecurID model.

"In the event of a security breach, a software-based authentication approach provides a speed advantage by allowing organizations to immediately reset the credential. Users would then self-provision a new, and potentially larger, private key the next time they log in," the CA release says.

The use of a software credential (such as ArcotID) isn't without risk, however. Critics have charged that software tokens can more easily be counterfeited than their physical counterparts. For example, multiple copies of a software token could theoretically be created when it's first distributed (i.e., before anyone has used it); this was thought much less likely with a physical token, such as SecurID.

On the other hand, the RSA Security breach proves that this isn't impossible. While RSA hasn't confirmed exactly what happened, many security experts believe that an attacker got hold of an internal database that maps the serial numbers of RSA's SecurID tokens to the master "seeds" used to generate each token's unique key. If this is in fact the case, an attacker could conceivably "counterfeit" a SecurID credential to gain unauthorized access to a system.

Practically speaking, this wouldn't be an easy proposition. For one thing, for example, an attacker is going to be constrained by the access level of the user she's trying to impersonate; to gain root-level access to a system at the Pentagon, for example, an attacker would need to know the specific serial number of a key that's assigned to a user with root-level privileges.

For this reason, RSA advised its customers to safeguard their token serial numbers.

Industry watchers applaud CA's ingenuity -- to say nothing of its cheekiness -- but doubt very many customers will make the switch. "How many converts CA will capture is difficult to predict. Vendors often try to use displacement programs to lure new customers, but more often garner headlines," writes Larry Walsh, president and CEO of The 2112 Group, a technology advisory firm that specializes in VAR and channel relationships, on his company blog. "While enterprises may be wary of security in the wake of the RSA breach, few will easily adopt a competitive platform given their legacy investment in SecurID."

This isn't to say CA's trade-in program will be for naught. For example, "vendors and solution providers engaged in displacement programs are often conversation starters. They're a good excuse to talk about products and capabilities, but many times will lead to a separate engagement and not necessarily a displacement," Walsh said.

"Are displacement programs worth the effort? They're great for vendors and solution providers who are looking to start conversations. But do they produce results in vast numbers? Perhaps in less complicated systems. It's hard to quantify the value of raised awareness, but programs such as CA's will definitely get an alternative offering on the radar."

comments powered by Disqus