Tuesday, January 18, 2011

RSA SecurID Soft Token for iPhone - A Better Deployment Method

Working in a retail environment makes you think really hard about security, especially in light of what happened with TJ Maxx a few years ago. Using credit cards in retail is a privilege that we only get to keep if we follow the Payment Card Industry Data Security Standard (PCI DSS). One of the requirements of PCI is related to two-factor authentication for remote access to your corporate network, and one solution for this is RSA's SecurID authentication product.

RSA SecurID supports many form factors, both hardware fobs/cards and software-based on PCs and mobile devices. This post focuses on mobile device soft tokens, particularly iPhones.

For quite some time, the process to get a soft token on an iPhone looked something like this:
  1. User downloads the RSA app from the App Store
  2. Administrator logs in to the RSA SecurID appliance and assigns a soft token to the user
  3. Administrator generates CT-KIP credentials for web download and e-mails a special link to the user
  4. User's iPhone is connected to the internal corporate network
  5. User opens the e-mail in the native iPhone Mail app and taps the link
  6. iPhone communicates directly with the RSA appliance
  7. Token is now present on the iPhone
Step 4 is required because of the way RSA has locked down its current appliance. The only way for an iPhone to connect to the RSA appliance from outside the corporate firewall would be to somehow expose the appliance itself to the Internet, either directly or through a Microsoft ISA proxy server. This is one of my big gripes about the appliance, but it's a great solution for the most part.

The most recent update to RSA's iPhone app has greatly improved the token deployment process. Now the process looks like this:
  1. User downloads the RSA app from the App Store (no change)
  2. Administrator logs in to the RSA SecurID appliance and assigns a soft token to the user (no change)
  3. Administrator issues a token file (.sdtid) and saves it to the desktop
  4. Administrator uses the RSA-provided TokenConverter.exe on the command line to convert the .sdtid file to a long string of characters, then e-mails that string to the user as a link
  5. User opens the e-mail in the native iPhone Mail app and taps the link (no change)
  6. Token is now present on the iPhone
The new method removes the requirement for the iPhone to communicate directly with the appliance, which is a huge improvement. TokenConverter.exe is available for download from RSA's website for both Windows and Linux, and it also works with Android and Windows Mobile, though I'm not sure whether it works yet for Windows Phone 7. Of course, the same token deployment process I've described above works for any iOS device (iPod Touch, iPad).

Kudos to RSA for improving the token deployment process! Comment below or look for me on Twitter (@swackhap).

2 comments:

  1. As of Oct 2011 the RSA link to the token converter is broken.

  2. I wouldn't consider it a huge improvement to have the RSA admin DL the seed file, then convert it, and have to email the user the link.

    I'm having an issue getting CT-KIP provisioning to work with the iPhone - the link in the mail client attempts to open a connection to the RSA server and I get an Axis HTTP Servlet error - normally you would be hitting this URL with a SOAP client rather than a browser.

    Is my iPhone attempting to use a browser to DL the token rather than the RSA App?

    BTW I am the administrator..
