How RSA SecurID tokens work
RSA authentication tokens can seem mystical, the biggest mystery being how such a small device that never needs charging can generate seemingly random codes that the bank also knows.
Contrary to popular belief, RSA SecurID hardware tokens do not contain a radio receiver and have no way to communicate with anything. In fact they are closer to a digital watch: they rely on both parties knowing a shared secret, which is symmetric-key cryptography.
When each RSA token is manufactured, its clock is set and it is loaded with a unique 128-bit ‘seed’. The seed is never displayed or transmitted by the token; the only other copy is the seed record RSA delivers to the organisation that issues the token, which loads it into its authentication server. Every 60 seconds the token generates a new 6-digit code from two inputs: the secret seed and the current time. RSA has never published the exact algorithm, but what is publicly known is that current tokens are built on the AES-128 block cipher (AES is a cipher, not a hash): the seed acts as the key, a block built from the current time is the input, and the displayed digits are derived from the encrypted output.
When the user signs in, the authentication server runs the same calculation with its copy of the seed and its own clock, which should produce the same code. If the codes don’t match, the server repeats the calculation for the minute before and the minute after, in case the token’s clock is running slightly fast or slow. If one of those matches, the server records that the token’s clock has drifted and stores a per-token ‘offset’, so that next time it starts from the corrected time.
If there is still no match within ±1 minute, the server widens the search and computes every code in a ±10-minute window. If the code matches one of those, the server treats it only as a possible match and challenges the user for the next code the token displays, to rule out a lucky guess (a single code has roughly 21 chances in a million of hitting one of the 21 codes in that window). If that fails, the user must contact the organisation’s administrator to have the token resynchronised or replaced.
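The token and server sides of the procedure above, as an added Python example that is not RSA’s code or the article’s. RSA has not published the SecurID algorithm, so the code generator uses the HMAC-based TOTP construction of RFC 6238 instead (the same shared-secret-plus-time principle, a different function). The server side implements the ±1-step check with offset learning, the ±10-step fallback with a next-code challenge, and rejection of an already-used code. The 60-second step, 6-digit codes, window sizes, seed and timestamps are all assumptions chosen for illustration.

```python
"""Time-based one-time codes with server-side clock-drift handling.

Added example, not RSA's code. RSA has never published the SecurID algorithm,
so code_for_step() uses the HMAC-SHA1 TOTP construction from RFC 6238; the
shared-secret, time-step and resynchronisation logic around it follows the
procedure described in the article. Step length, digit count, window sizes
and the seed are assumptions.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60      # assumed code lifetime
DIGITS = 6             # assumed code length
NARROW_WINDOW = 1      # steps checked either side on the first pass
WIDE_WINDOW = 10       # steps checked either side before a next-code challenge

# Constructed 128-bit shared secret; a real seed is programmed at manufacture.
SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Constructed timestamp for the demo, chosen to sit on a 60-second boundary.
EXAMPLE_NOW = 1_700_000_040


def code_for_step(seed: bytes, step: int) -> str:
    """HMAC-SHA1 over the step counter, dynamically truncated to DIGITS (RFC 4226)."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def token_code(seed: bytes, now: int, drift_seconds: int = 0) -> str:
    """What the token displays: the code for the step its *own* (possibly drifted) clock is in."""
    return code_for_step(seed, (now + drift_seconds) // STEP_SECONDS)


class AuthServer:
    """Holds the seed copy, the learned clock offset and any outstanding challenge."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.offset_steps = 0      # learned token drift, in whole steps
        self.last_step = -1        # highest step already accepted; blocks replay
        self.pending_step = None   # step expected when a next-code challenge is open

    def _search(self, code: str, now: int, window: int):
        """Return the step whose code matches within +-window of the corrected time, else None."""
        base = now // STEP_SECONDS + self.offset_steps
        for delta in range(-window, window + 1):
            step = base + delta
            if step > self.last_step and hmac.compare_digest(code_for_step(self.seed, step), code):
                return step
        return None

    def _accept(self, step: int, now: int) -> None:
        """Record the accepted step (replay protection) and re-learn the token's offset."""
        self.last_step = step
        self.offset_steps = step - now // STEP_SECONDS

    def verify(self, code: str, now: int) -> str:
        """Return 'ok', 'next_code' (user must enter the following code) or 'fail'."""
        if len(code) != DIGITS or not code.isdigit():
            return "fail"
        if self.pending_step is not None:
            # Only the code immediately after the tentative match is accepted.
            expected, self.pending_step = self.pending_step, None
            if hmac.compare_digest(code_for_step(self.seed, expected), code):
                self._accept(expected, now)
                return "ok"
            return "fail"
        step = self._search(code, now, NARROW_WINDOW)
        if step is not None:
            self._accept(step, now)
            return "ok"
        step = self._search(code, now, WIDE_WINDOW)
        if step is not None:
            # Possible match only: not accepted until the next code confirms it.
            self.pending_step = step + 1
            return "next_code"
        return "fail"


if __name__ == "__main__":
    server = AuthServer(SEED)
    # Token running 5 minutes fast: outside +-1 step, inside +-10.
    first = server.verify(token_code(SEED, EXAMPLE_NOW, drift_seconds=300), EXAMPLE_NOW)
    second = server.verify(token_code(SEED, EXAMPLE_NOW + 60, drift_seconds=300), EXAMPLE_NOW + 60)
    print(first, second, "learned offset:", server.offset_steps)
```

Two caveats the article glosses over are made explicit here: an accepted code marks its step as used, so replaying the same code is refused even though it is still within the window; and the next-code challenge succeeds only for the step directly after the tentative match, so the user has to type the code the token shows immediately after the one that was merely a possible match.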
Although these tokens rest on straightforward, relatively low-tech ideas, they are very effective and significantly improve security when used as a second factor. Not every service accepts RSA tokens, but many popular services support apps such as Google Authenticator, which implement the TOTP standard (RFC 6238) and work on the same principle: a shared secret, the current time, and a short code derived from both.