If you’re interested in authentication, or in how economic incentives impact security architectures, this is definitely worth reading:
Hitachi ID Systems Blogs
Archive for March, 2011
It will be interesting to see if the recent, successful attack against RSA revealed the seeds used to initialize RSA tokens. If so, those tokens are basically useless now – providing just 1 factor of authentication.
The big lesson here is not about RSA or even tokens per se. It’s about concentration of risk. If the security of every one of the millions of RSA tokens issued to thousands of organizations around the world depends on the security of a single set of seed numbers, then it follows that there is too much trust vested in a single organization’s ability to protect a single (and small) data set.
Far better for each RSA customer to initialize its own tokens, using its own seed numbers. This way, a compromise would only impact that organization’s tokens – not anybody else’s. Limited harm.
I wonder if RSA would or even could change the SecurID token architecture to allow organizations to implement their own number sequences?
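To make the "concentration of risk" argument concrete, here is an added example (my own code, not from the Hitachi ID post and not RSA's SecurID implementation). It implements the public RFC 4226 HOTP algorithm, which, like SecurID, derives each one-time code from a per-token secret seed, and then models the two provisioning choices the post contrasts: a vendor that keeps a master copy of every customer's seeds versus customers that generate their own. The organisation names, serial-number format and the `SeedStore` class are constructed for illustration; the 20-byte test seed is the one from RFC 4226 Appendix D.

```python
"""Added example: seed-derived OTP codes and the blast radius of a seed leak."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify(seed: bytes, counter: int, code: str, look_ahead: int = 3):
    """Server-side check with a small resynchronisation window (RFC 4226 s.7.4).
    Returns the counter that matched, or None."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(seed, c), code):
            return c
    return None


@dataclass
class SeedStore:
    """A database of token seeds. Whoever holds it can compute every code
    for every token listed, so the token is then worth only one factor
    (the PIN) to the organisations in it. Constructed model, not a real product."""
    owner: str
    seeds: dict = field(default_factory=dict)  # serial -> (org, seed)


def provision_vendor_held(orgs, tokens_per_org, rng=os.urandom):
    """Model A: the vendor seeds every token and keeps one master copy."""
    vendor = SeedStore("vendor")
    for org in orgs:
        for i in range(tokens_per_org):
            vendor.seeds[f"{org}:{i}"] = (org, rng(20))
    return [vendor]


def provision_customer_held(orgs, tokens_per_org, rng=os.urandom):
    """Model B: each customer generates its own seeds; there is no
    cross-organisation store for an attacker to find."""
    stores = []
    for org in orgs:
        store = SeedStore(org)
        for i in range(tokens_per_org):
            store.seeds[f"{org}:{i}"] = (org, rng(20))
        stores.append(store)
    return stores


def orgs_exposed_by(compromised: SeedStore) -> set:
    """Organisations whose tokens lose their second factor if this one store leaks."""
    return {org for org, _ in compromised.seeds.values()}


if __name__ == "__main__":
    # Demonstrate that the seed alone reproduces the token display.
    rfc_seed = b"12345678901234567890"
    print("counter 0 ->", hotp(rfc_seed, 0))  # RFC 4226 vector: 755224

    customers = ["acme", "globex", "initech"]
    (vendor_db,) = provision_vendor_held(customers, tokens_per_org=2)
    print("vendor-held store leaks ->", sorted(orgs_exposed_by(vendor_db)))

    per_org = provision_customer_held(customers, tokens_per_org=2)
    print("acme's own store leaks  ->", sorted(orgs_exposed_by(per_org[0])))
```

The two `provision_*` functions produce the same tokens with the same algorithm; the only thing that changes is where the seeds live, and `orgs_exposed_by` shows the difference in impact of a single breach. A practitioner evaluating a token vendor can ask exactly this question: after a leak of the vendor's records, whose second factor is gone?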