RSA SecurID

RSA SecurID is a two-factor authentication (2FA) solution that uses time-based one-time passcodes generated by a hardware or software token to verify user identity.

RSA SecurID is one of the most widely deployed enterprise 2FA solutions, trusted by over 25,000 organizations globally, including Fortune 500 companies. The RSA SecurID algorithm is based on time-synchronized OTP (TOTP) standards, aligned with RFC 6238 for industry-compatible time-based one-time password generation. Enterprise adoption of hardware token-based 2FA like RSA SecurID has been shown to reduce account takeover incidents by over 99% compared to password-only authentication.

What is RSA SecurID?

RSA SecurID is a two-factor authentication (2FA) solution developed by RSA Security (a Dell Technologies subsidiary). It requires users to provide both their password and a dynamically generated numeric code from a SecurID token to authenticate. The token — available as a hardware device (key fob with an LCD display) or a software application (mobile app) — generates a new code every 60 seconds using a time-synchronized algorithm.

How the token works. Each SecurID token has a unique seed (symmetric key) embedded during manufacturing. The token combines this seed with the current time to generate a one-time passcode using the RSA proprietary algorithm (or the open TOTP standard). The authentication server, which knows the same seed, independently calculates the expected code. If the user's entered code matches, access is granted. The time window accounts for clock drift between the token and the server.

Enterprise deployment. RSA SecurID is commonly deployed as part of enterprise VPN access, remote desktop gateways, and privileged access management systems. Organizations using RSA SecurID typically deploy RSA Authentication Manager — a centralized server that manages tokens, sets authentication policies, and provides logging and reporting. The solution supports both on-premises and cloud-based authentication architectures.

Analogy

RSA SecurID is like a parking garage gate that requires both your key card (password) and a unique code from a tiny display on your keychain that changes every 60 seconds. Even if someone steals your key card, they cannot get in without the currently displayed code.

Types and Use Cases

  • Corporate VPN access: Remote employees use RSA SecurID tokens as a second factor when connecting to corporate networks via VPN, ensuring only authorized personnel gain network access.
  • Privileged account protection: System administrators and IT staff use SecurID tokens to protect access to critical servers, databases, and management consoles.
  • Regulatory compliance: Financial services, healthcare, and government organizations deploy RSA SecurID to meet 2FA/MFA requirements under PCI DSS, SOX, HIPAA, and other regulations.
  • Third-party vendor access: Organizations issue temporary software tokens to contractors and vendors who require time-limited access to internal systems and applications.

How it Works

1. User initiates login and enters their username and password on the authentication prompt.
2. User reads the current 6-8 digit code displayed on their SecurID hardware token or authenticator app.
3. User enters the code into the second factor prompt alongside their password.
4. Authentication server validates the password, then independently computes the expected token code using the user's seed key and current time.
5. If both password and token code match, the server grants access and logs the successful authentication event.

Example authentication request and response:
{
  "authenticationRequest": {
    "username": "john.doe@company.com",
    "password": "********",
    "otpCode": "847291",
    "tokenType": "RSA_SecurID"
  },
  "authenticationResponse": {
    "authenticated": true,
    "sessionToken": "eyJhbGciOiJSUzI1NiIs...",
    "authenticationFactors": ["password", "rsa_securid_otp"],
    "tokenSerial": "RSA-12345678"
  }
}

RSA SecurID vs Symantec VIP

  • Token model: RSA SecurID uses proprietary time-synchronized tokens and its own Authentication Manager server infrastructure, while Symantec VIP uses credential-based OTP generation tied to a consumer-grade mobile app and cloud validation service.
  • Hardware and connectivity: RSA SecurID hardware tokens have no batteries and no connectivity, relying solely on time-sync algorithms, while Symantec VIP credentials are stored in a mobile app that requires device connectivity for initial activation.
  • Heritage and integration: RSA SecurID has a longer enterprise heritage and deeper integration with legacy systems like VPNs and terminal servers, while Symantec VIP offers broader consumer application support and cloud-native architecture.

Best Practices for RSA SecurID

  • Use software tokens for convenience, hardware tokens for high security — software tokens are easier to deploy at scale, while hardware tokens provide air-gapped security for privileged accounts.
  • Plan for token lifecycle management — procure, activate, distribute, and retire tokens systematically. Set expiration policies and maintain a buffer of spare tokens for emergency replacements.
  • Enable self-service token reset — allow users to reset or re-register tokens through a self-service portal to reduce help desk calls for lost or expired tokens.
  • Monitor token usage and failed attempts — set up alerts for repeated failed OTP entries, which may indicate a token cloning attempt or brute-force attack.

How LoginRadius Powers RSA SecurID

LoginRadius supports RSA SecurID as part of its multi-factor authentication (MFA) integrations. Organizations using RSA Authentication Manager can configure LoginRadius to require RSA SecurID tokens as a second authentication factor for logins and sensitive transactions. The integration supports both hardware and software tokens, providing a seamless MFA experience while maintaining compatibility with existing RSA SecurID deployments.

FAQs

Is RSA SecurID available as a software token?

Yes. RSA offers software-based SecurID tokens as mobile apps for iOS and Android. The app generates the same time-based codes as a hardware token. Organizations can push software tokens to user devices through the RSA Authentication Manager or integrate with enterprise mobile device management (MDM) solutions.

What happens if a hardware token is lost?

If a hardware token is lost, the administrator can deactivate it in RSA Authentication Manager and issue a replacement. Users can be assigned a temporary one-time bypass code or use a software token while waiting for a replacement hardware token. Organizations should have established procedures for emergency token replacement.

Does LoginRadius support RSA SecurID?

LoginRadius supports RSA SecurID as a multi-factor authentication method through its MFA integration framework. Organizations can configure RSA SecurID as a second factor during login, registration, or sensitive operations. The LoginRadius platform handles the token validation workflow while providing centralized MFA policy management and user enrollment flows.
