
Important: You should disable lost or stolen tokens immediately. If an RSA SecurID token and its PIN are stolen, an unauthorized user will be able to gain access to your system.

All users must be instructed to report a stolen or missing token to an administrator without delay. RSA Security recommends that the administrator disable the token immediately. (Another, less secure, option is to assign the user a temporary password. Use of this feature depends on your security policy. For more information, see “Temporary Passwords to Replace Lost Tokens” on page 128.)

Unfortunately, an unauthorized person may gain possession of a token and start using it before the authorized user reports it missing. The RSA Authentication Manager evasion-of-attack features help maintain security in such a case.

If someone tries to use a stolen token to break into your system, the Authentication Manager can detect the attack, deny access, and disable the token. However, this feature offers no protection against an intruder who manages to obtain both a user’s PIN and RSA SecurID token.

6: Registering Users for Authentication 127

Therefore, the following measures are essential:

• All users must protect the physical security of their tokens and the secrecy of their PINs.

• You must respond immediately to disable missing tokens and compromised PINs.

To Begin: Click Token > Edit Token. Select the token to open the Edit Token dialog box.

• To disable a token, clear the Enabled checkbox.

• To disable a PIN, click Clear PIN. (For more information, see “When a PIN Is Stolen or Otherwise Compromised” on page 129.)

For directions, click Help.

Evasion of Attack with a Token

The RSA Authentication Manager disables tokens used in consecutive failed authentication attempts as follows:

• Tokens that require the tokencode and PIN to be entered separately (the RSA SecurID standard card and key fob) are disabled after three consecutive attempts in which a valid tokencode is entered with an incorrect PIN. (This limit cannot be changed.)

• All tokens, regardless of type, are disabled after a certain number of consecutive failed authentication attempts. This number can be set for each Agent Host type, but setting it higher than three does not relax the rule in the previous item: a standard card or key fob is still disabled after three valid-tokencode/incorrect-PIN attempts.

Note: These features are not supported on legacy Agent Hosts.

If a user has multiple tokens, the Authentication Manager does not distinguish which token has been used improperly. A failed authentication attempt with one token is counted against all tokens. A successful authentication clears the count only for the token that was authenticated successfully. Failed attempts can therefore accumulate and cause all or nearly all of a user’s tokens to be disabled at the same time.

Consider two examples with multiple tokens. In each example, the Authentication Manager is configured to disable a token after four consecutive failed authentication attempts, and the user has three tokens, A, B, and C, each with three consecutive failed attempts already counted against it.

• The user attempts to log on with token A and mistypes the passcode. The Authentication Manager disables all three tokens (A, B, and C), because the failed attempt increases the count for each token from three to four.

• The user logs on with token C and is authenticated successfully. The system clears the failed authentication attempt count for token C, but tokens A and B still have three failed attempts counted against them. On the next attempt, the user again logs on with token C, but mistypes the passcode. Token C now has one failed authentication attempt counted against it, but tokens A and B now have four. The Authentication Manager therefore disables tokens A and B.
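The counting rules above and the two examples, as an added Python model that is not part of the guide and not RSA code. The classes, method names and the treatment of an already-disabled token are assumptions; the rules themselves are the ones the guide states: a failure is counted against every token the user holds, a success clears only the token that authenticated, and the three-attempt valid-tokencode/incorrect-PIN limit for two-step tokens holds no matter how high the Agent Host limit is set.

```python
"""Consecutive-failure lockout rules from "Evasion of Attack with a Token".

Added illustration, not RSA code: the classes, method names and the
behaviour of already-disabled tokens are assumptions; the counting rules
are the ones the guide states.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Fixed by the product for tokens whose tokencode and PIN are entered
# separately (standard card, key fob); it cannot be changed.
PIN_ATTEMPT_LIMIT = 3


@dataclass
class Token:
    serial: str
    two_step: bool = True   # tokencode and PIN entered separately
    enabled: bool = True
    failed: int = 0         # consecutive failed attempts counted against this token
    bad_pin: int = 0        # consecutive valid-tokencode / wrong-PIN attempts


@dataclass
class User:
    tokens: Dict[str, Token]


class AuthManager:
    def __init__(self, max_failures: int):
        # Configurable per Agent Host type.  Raising it above 3 does not
        # relax PIN_ATTEMPT_LIMIT for two-step tokens.
        self.max_failures = max_failures

    def authenticate(self, user: User, serial: str, tokencode_ok: bool, pin_ok: bool) -> bool:
        tok = user.tokens[serial]
        if not tok.enabled:
            return False  # assumption: a disabled token is refused and nothing more is counted
        if tokencode_ok and pin_ok:
            # Success clears the counts only for the token that authenticated.
            tok.failed = 0
            tok.bad_pin = 0
            return True
        # A failure is counted against every token the user holds.
        for t in user.tokens.values():
            t.failed += 1
            if t.failed >= self.max_failures:
                t.enabled = False
        # The valid-tokencode / wrong-PIN rule applies to the token actually
        # used (the valid tokencode identifies it).  Assumption: this count is
        # reset only by a successful authentication.
        if tok.two_step and tokencode_ok and not pin_ok:
            tok.bad_pin += 1
            if tok.bad_pin >= PIN_ATTEMPT_LIMIT:
                tok.enabled = False
        return False


def user_with_three_tokens(prior_failures: int = 3) -> User:
    """User holding tokens A, B and C, each already at the given failure count."""
    return User({s: Token(s, failed=prior_failures) for s in "ABC"})


def example_one(max_failures: int = 4) -> Dict[str, bool]:
    """First example in the guide: one more failure on A disables A, B and C."""
    mgr = AuthManager(max_failures)
    user = user_with_three_tokens()
    mgr.authenticate(user, "A", tokencode_ok=False, pin_ok=True)   # mistyped passcode
    return {s: t.enabled for s, t in user.tokens.items()}


def example_two(max_failures: int = 4) -> Dict[str, Tuple[bool, int]]:
    """Second example: success on C clears only C; the next failure on C
    disables A and B while C stays enabled with one failure counted."""
    mgr = AuthManager(max_failures)
    user = user_with_three_tokens()
    mgr.authenticate(user, "C", tokencode_ok=True, pin_ok=True)
    mgr.authenticate(user, "C", tokencode_ok=False, pin_ok=True)   # mistyped passcode
    return {s: (t.enabled, t.failed) for s, t in user.tokens.items()}


def pin_rule_example(max_failures: int = 10) -> Tuple[bool, int]:
    """A high Agent Host limit does not protect a key fob from three
    valid-tokencode / wrong-PIN attempts: it is disabled at the third."""
    mgr = AuthManager(max_failures)
    user = User({"A": Token("A")})
    for _ in range(PIN_ATTEMPT_LIMIT):
        mgr.authenticate(user, "A", tokencode_ok=True, pin_ok=False)
    return user.tokens["A"].enabled, user.tokens["A"].failed


if __name__ == "__main__":
    print(example_one())         # {'A': False, 'B': False, 'C': False}
    print(example_two())         # {'A': (False, 4), 'B': (False, 4), 'C': (True, 1)}
    print(pin_rule_example())    # (False, 3)
```

The third function is the practical caveat for administrators: an Agent Host limit of ten does nothing for a standard card or key fob against an attacker who holds the token and is guessing the PIN, because that path is cut off at three attempts regardless.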

RSA Authentication Manager 6.1 Administrator’s Guide

Temporary Passwords to Replace Lost Tokens

When a user loses a token, RSA Security recommends that you disable the token.

However, depending on your organization’s security policy and the user’s security requirements, you can allow a user continued access while looking for a lost token by assigning the user a temporary password. There are two types of temporary passwords:

• A single “fixed” temporary password that can be used repeatedly until it expires

• A set of several “one-time” temporary passwords that can be used only one time each and that all expire on a specified date

A user authenticates with a temporary password by entering his or her PIN and the temporary password at the Enter passcode prompt. Procedures and requirements associated with the use of PINs still apply.

A failed authentication with a temporary password increments the count of consecutive failed logon attempts for the Lost token; a successful authentication resets this count to zero.

Like any other token, a Lost token is automatically disabled after a certain number of consecutive failed authentication attempts.

Before you can assign a temporary password, you must define the token status as Lost. When the token is found, you must change the token status to Not Lost before the token can be used for authentication. Changing the token to Not Lost also disables any temporary passwords you may have created for the token. When you change a token status from Lost to Not Lost, the Authentication Manager informs you of any one-time passwords that were removed.

To Begin: On the Token menu, click Edit Token to select the token and open the Edit Token dialog box. For instructions, click Help.

• To change token status, click Edit Lost Status.

• To assign passwords, select either Fixed Password or One-Time Password Set as the authentication method. Then click Set up Passwords.

Lost tokens are counted as part of the token statistics and can be listed in a separate report. Lost tokens can be exported, but their Lost status is not preserved.
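The Lost-token lifecycle described in this section, as an added Python model that is not part of the guide and not RSA code: a temporary password can only be assigned while the token is Lost, a fixed password works repeatedly until it expires, each one-time password works once and the whole set expires on one date, failures count against the Lost token, and returning the token to Not Lost removes the temporary passwords and reports the unused one-time ones. The data model, the lockout setting, the inclusive expiry date, the serial number and passwords, and the assumption that the PIN is typed immediately before the temporary password at the Enter passcode prompt are all mine.

```python
"""Lifecycle of temporary passwords for a Lost token, following
"Temporary Passwords to Replace Lost Tokens".

Added illustration, not RSA code.  Assumptions: the data model, the
lockout setting, that the expiry date is inclusive, and that the PIN is
typed immediately before the temporary password at the Enter passcode
prompt.  The serial number and passwords below are constructed samples.
"""
import hmac
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Iterable, List, Optional, Set

MAX_FAILURES = 3  # assumed Agent Host lockout setting


@dataclass
class LostToken:
    serial: str
    pin: str
    lost: bool = False
    fixed_password: Optional[str] = None
    one_time: Set[str] = field(default_factory=set)
    expires: Optional[date] = None
    failed: int = 0        # consecutive failed attempts counted against this token
    enabled: bool = True


def set_lost_status(tok: LostToken, lost: bool) -> List[str]:
    """Edit Lost Status.  Going back to Not Lost removes every temporary
    password; the unused one-time passwords are returned so the
    administrator is told what was removed, as the guide describes."""
    tok.lost = lost
    if lost:
        return []
    removed = sorted(tok.one_time)
    tok.fixed_password = None
    tok.one_time = set()
    tok.expires = None
    return removed


def _require_lost(tok: LostToken) -> None:
    if not tok.lost:
        raise ValueError("mark the token Lost before assigning a temporary password")


def assign_fixed_password(tok: LostToken, password: str, expires: date) -> None:
    """Fixed Password: one value usable repeatedly until it expires."""
    _require_lost(tok)
    tok.fixed_password, tok.one_time, tok.expires = password, set(), expires


def assign_one_time_set(tok: LostToken, passwords: Iterable[str], expires: date) -> None:
    """One-Time Password Set: each usable once, all expiring on one date."""
    _require_lost(tok)
    tok.fixed_password, tok.one_time, tok.expires = None, set(passwords), expires


def authenticate(tok: LostToken, passcode: str, today: date) -> bool:
    """Handle what the user types at the Enter passcode prompt."""
    if not tok.enabled:
        return False
    if not tok.lost:
        # Temporary passwords exist only while the status is Lost; the normal
        # tokencode path (not modelled here) would handle this attempt.
        return False
    ok = False
    if tok.expires is not None and today <= tok.expires and passcode.startswith(tok.pin):
        secret = passcode[len(tok.pin):]
        if tok.fixed_password is not None and hmac.compare_digest(secret, tok.fixed_password):
            ok = True
        elif secret in tok.one_time:
            tok.one_time.discard(secret)   # each one-time password works exactly once
            ok = True
    if ok:
        tok.failed = 0                     # success resets the count
    else:
        tok.failed += 1                    # a failure counts against the Lost token
        if tok.failed >= MAX_FAILURES:
            tok.enabled = False            # disabled like any other token
    return ok


def walkthrough() -> Dict[str, object]:
    tok = LostToken(serial="000123456789", pin="1234")   # constructed sample
    set_lost_status(tok, True)
    assign_one_time_set(tok, ["a1b2c3", "d4e5f6", "g7h8i9"], expires=date(2024, 1, 31))
    first_use = authenticate(tok, "1234a1b2c3", date(2024, 1, 15))    # True
    reuse = authenticate(tok, "1234a1b2c3", date(2024, 1, 15))        # False: already consumed
    after_expiry = authenticate(tok, "1234d4e5f6", date(2024, 2, 1))  # False: set expired
    failed_after_one_time = tok.failed                                # 2
    removed = set_lost_status(tok, False)                             # ['d4e5f6', 'g7h8i9']
    # Token found, then lost again: the user gets a fixed password this time.
    set_lost_status(tok, True)
    assign_fixed_password(tok, "zz99", expires=date(2024, 3, 31))
    fixed_twice = [authenticate(tok, "1234zz99", date(2024, 3, 1)) for _ in range(2)]
    return {
        "first_use": first_use, "reuse": reuse, "after_expiry": after_expiry,
        "failed_after_one_time": failed_after_one_time, "removed": removed,
        "fixed_twice": fixed_twice, "enabled": tok.enabled, "failed": tok.failed,
    }


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

The point of the walkthrough is the audit trail an administrator should expect: two failures (a reused one-time password and an expired one) are counted against the Lost token, and flipping the status back to Not Lost returns the two one-time passwords that were never used, which is the list the Manager reports at that moment.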

Note: A temporary password is different from a user password, which the Authentication Manager treats as a type of token. You can assign a user password as the user’s standard means of authentication. For more information, see “User Password Token” on page 15.

Emergency Access for Users of Offline Authentication

If you have deployed offline authentication for offsite users whose computers are not connected to your organization’s network, there are a number of situations in which you can provide them emergency access. For information, see “Enabling Emergency Access for Offline Authentication Users” on page 62.
