RSA Software Token for iPhone

RSA SecurID Logo

Since the 6th of June, a great application is available (for free) in the AppStore. RSA released an iPhone version of its software token!

I already spoke about strong authentication on this blog. To resume, strong authentication is achieved by mixing at least two different types of authentication methods from the following list:

  • Something you know (a password or a PIN code)
  • Something you have (a key, a token)
  • Something you are (your fingerprint, your retina, your hand, voice, …)

Strong authentication is also called multi-factor authentication. There are commercial products like the RSA SecurID but there are also solution less expensive, based on open code and very affordable hardware like the Yubikey (example: Strong authentication on Linux).

Click to enlarge
Click to enlarge

A token is a piece of hardware which generates an OTP (“One Time Password“). To log into a system, you need a login, the OTP generated by your token (and sometimes a PIN code). RSA provides a lot of hardware tokens.

The OTP is valid during a small period of time (like one minute). That’s why time synchronization is mandatory between the tokens and the authentication device.

Even if the tokens are small enough to be easily carried (in a pocket, on a keyring), they remains an extra piece of hardware to always bring with you! Why not use another device that we always carry? Like a mobile phone! Modern mobile phones have enough resources (CPU, memory), have Internet connectivity and are synchronized via NTP.

For a long time, a Java RSA SecurID was available for mobile phones or any device running a Java VM. For a few days, the same application is available for the iPhone!

Click to enlarge
Click to enlarge

The application is available for free and quite easy to implement with your existing RSA infrastructure. My company provides RSA tokens to connect to SSL or IPSEC VPNs. That was a good opportunity to perform some test with my iPhone.

I asked my local admin (thanks Steven!) to create and assign a new software token to my account and I received an e-mail with a link like this:

com.rsa.securid.iphone://ctf?ctfData=xxxxxxx

Note: If your local admin uses Outlook to send you the token URL, it will be incorrectly formated! (an extra “/” will be added: “ctf/?ctfDate=” and will prevent the RSA iPhone application to install the token). For more details, read this blogpost.

Read the received e-mail on your iPhone and open the link. The RSA application will be started and automatically install the token. Once done, the next steps will depend on your local RSA installation. Check with your local admin for details. In my case, the token was configured in “new-pin” mode. During the first authentification, the system asked me to configure a PIN code.

More details are available on the RSA website.

5 comments

  1. What’s the best way to secure them and be able to control/ log them in a sensitive enviornment?

  2. No, you have to buy the software tokens. You can’t convert from hardware token to software token without buying the tokens.

  3. Thanks Yasushi,

    I think what i want clarification on is it possible to move from the hardware token method (SID700) to the software token method (iPhone) without any further purchasing of anything?

    Thanks πŸ™‚

  4. Hi Chris,

    if you are using the SID700 tokens, which are obviously hardware tokens, then you do not need any software token. But, what your admin needs is the seed files (.XML files) for the appropriate tokens in order to be able to import the token into the RSA database.

    Rgrds,
    YK

  5. We use the SID700 currently, and my admin is saying that he needs a special ‘software’ token to implement this. Is he telling the truth and this is something he cannot generate free of charge from existing infrastructure, or just bullshitting me so that i go away πŸ˜€

    thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.