BOX 5.3 | Who Goes There? Authentication Through the Lens of Privacy | Committee on Authentication Technologies and Their Privacy Implications | Computer Science and Telecommunications Board | Division on Engineering and Physical Sciences | National Research Council of the National Academies | Stephen T. Kent and Lynette I. Millett, Editors
BOX 5.3
SecurID
RSA Security (formerly Security Dynamics) markets a challenge/response card. This card, trademarked SecurID, contains a built-in clock and a liquid crystal display. Rather than requiring the user to obtain a challenge from a host computer, the challenge is implicitly the current time. To gain access, the user merely enters a user ID and then enters the current number displayed on the card. The number displayed changes periodically, usually every 30 seconds to 1 minute depending on the card configuration.
The SecurID has become quite popular in some contexts. It is relatively easy (though not especially convenient) to use, it requires no special hardware beyond the card itself, and it is easily integrated with existing, password-style authentication software. Some versions of the card require the user to enter a PIN into the card (where it is combined with the card-resident key), making this into a two-factor authentication system. In this case, even if an adversary acquires a card, the ability to impersonate the affected user depends on guessing the PIN. If the usual practice of monitoring failed log-in attempts is being followed, an adversary guessing PINs for use with a captured card will probably be detected before the correct PIN is found.
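To make the time-as-challenge idea and the failed-attempt monitoring concrete, the following is an added illustration, not code from RSA or from the report; the card's actual code-generation function is proprietary, so an HMAC-SHA256 over the time step and PIN stands in for it, and the 60-second step, the one-step drift window, the five-failure lockout and the user "alice" with key and PIN are all constructed assumptions.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 60   # display changes once per minute (assumed card configuration)
DRIFT_WINDOW = 1    # host accepts one step either side to tolerate clock drift
MAX_FAILURES = 5    # lock the account after this many wrong codes (assumed policy)

def token(card_key: bytes, pin: str, now: int) -> str:
    """Six-digit code for the time step containing `now`.

    The PIN is mixed into the keyed computation, so the card's key alone does
    not reproduce the code. HMAC-SHA256 is a stand-in, not the SecurID function.
    """
    step = now // STEP_SECONDS
    msg = struct.pack(">Q", step) + pin.encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

class Host:
    """Verifier side: time-synchronised check, drift window, failure monitoring."""

    def __init__(self, users: dict):
        self.users = users                      # user_id -> (card_key, pin)
        self.failures = {u: 0 for u in users}   # consecutive bad codes per user
        self.locked = set()
        self.last_step = {}                     # last accepted step, blocks replay

    def login(self, user_id: str, code: str, now: int) -> bool:
        if user_id not in self.users or user_id in self.locked:
            return False
        key, pin = self.users[user_id]
        step = now // STEP_SECONDS
        for delta in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
            cand = step + delta
            if cand <= self.last_step.get(user_id, -1):
                continue    # a code for an already-used step is never accepted again
            if hmac.compare_digest(token(key, pin, cand * STEP_SECONDS), code):
                self.failures[user_id] = 0
                self.last_step[user_id] = cand
                return True
        # Wrong code: count it. PIN guessing with a captured card surfaces here,
        # which is the detection the text relies on.
        self.failures[user_id] += 1
        if self.failures[user_id] >= MAX_FAILURES:
            self.locked.add(user_id)
        return False
```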