RSA offers to replace tainted tokens

Security firm admits Lockheed Martin attack has left customers nervous over authentication tokens

Security firm RSA is offering to replace all its widely used authentication tokens, admitting that hackers had breached its systems, obtaining information relating to its password technology.

SecurID tokens are used by thousands of firms across the globe to provide a constantly changing password that is used to authenticate users logging on to corporate systems.

RSA has now admitted it was attacked on 17 March 2011, and the hackers were able to steal information relating to those tokens.

Subsequently, the hackers used that knowledge to launch an attack on defence contracting giant Lockheed Martin.

RSA's Art Coviello has told business customers that the firm will replace the 40 million SecurID tokens currently in use to reduce the risk that they could be the hackers' next victims.

"We recognise that the increasing frequency and sophistication of cyber attacks generally, and the recent announcements by Lockheed Martin, may reduce some customers' overall risk tolerance," said Coviello.

SecurID tokens typically use dynamic passwords to authenticate a user - although some offer additional methods too. The dynamic passwords are generated at fixed intervals using an internal clock and a randomly generated key, known as the seed.

Each token has a unique seed, which allows RSA's authentication algorithm to determine whether a password has been generated by an authorised user's token.

If the hackers were able to obtain data relating to RSA's authentication algorithm and seeds, it would be possible to spoof the system.

The wholesale replacement of tokens should reassure RSA customers that the firm's authentication tokens are secure - at least for now.
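
The seed-and-clock scheme described above, as an added sketch that is not from the article or from RSA: SecurID's own algorithm is proprietary, so the public HMAC-based TOTP construction (RFC 6238) stands in for it, and the 60-second step, 6-digit length, `AuthServer` class and serial number are assumptions. It shows that verification rests entirely on the per-token seed, which is why re-issuing tokens with fresh seeds invalidates anything derived from the old ones.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 60    # seconds per code (assumed interval)
DIGITS = 6   # code length (assumed)


def token_code(seed, now):
    """Code for the time step containing `now` (RFC 6238, not SecurID's own algorithm)."""
    counter = struct.pack(">Q", int(now) // STEP)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class AuthServer:
    """Hypothetical verifier holding one seed record per token serial."""

    def __init__(self):
        self._seeds = {}

    def issue_token(self, serial):
        """Bind a fresh random seed to the serial, replacing any previous one."""
        self._seeds[serial] = secrets.token_bytes(16)
        return self._seeds[serial]

    def verify(self, serial, code, now, drift_steps=1):
        """Accept the code if it matches the stored seed within the clock-drift window."""
        seed = self._seeds.get(serial)
        if seed is None:
            return False
        return any(
            hmac.compare_digest(token_code(seed, now + d * STEP), code)
            for d in range(-drift_steps, drift_steps + 1)
        )


def replacement_demo(now=1_300_000_000):
    """Return (old token accepted, old seed accepted after replacement, new token accepted)."""
    server = AuthServer()
    old_seed = server.issue_token("SERIAL-0001")   # constructed serial
    before = server.verify("SERIAL-0001", token_code(old_seed, now), now)
    new_seed = server.issue_token("SERIAL-0001")   # replacement token, fresh seed
    stale = server.verify("SERIAL-0001", token_code(old_seed, now), now)
    fresh = server.verify("SERIAL-0001", token_code(new_seed, now), now)
    return before, stale, fresh
```

`replacement_demo()` returns `(True, False, True)`: once the server's seed record is replaced, a code computed from the old seed no longer verifies.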