RSA SecurID
RSA SecurID is a two-factor authentication (2FA) solution that uses time-based one-time passcodes generated by a hardware or software token to verify user identity.
What is RSA SecurID?
RSA SecurID is a two-factor authentication (2FA) solution developed by RSA Security (a Dell Technologies subsidiary). It requires users to provide both their password and a dynamically generated numeric code from a SecurID token to authenticate. The token — available as a hardware device (key fob with an LCD display) or a software application (mobile app) — generates a new code every 60 seconds using a time-synchronized algorithm.
How the token works. Each SecurID token has a unique seed (symmetric key) embedded during manufacturing. The token combines this seed with the current time to generate a one-time passcode using the RSA proprietary algorithm (or the open TOTP standard). The authentication server, which knows the same seed, independently calculates the expected code. If the user's entered code matches, access is granted. The time window accounts for clock drift between the token and the server.
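The seed-plus-time scheme above, carried through as an added example using the open TOTP standard the paragraph mentions (RFC 6238 over RFC 4226 HOTP), not RSA's proprietary SecurID algorithm and not code from RSA or LoginRadius. The seed is the public RFC 4226 test vector seed, used here only so the outputs are checkable; the 60-second step and six-digit length follow the page. The verifier accepts one step of drift either side and refuses any step it has already accepted, so an observed code cannot be replayed inside the drift window:

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 Appendix D test seed ("12345678901234567890"), used so the codes
# below are reproducible. A real token seed is provisioned at manufacture
# and imported into the authentication server; it is never shared further.
DEMO_SEED = bytes.fromhex("3132333435363738393031323334353637383930")
STEP_SECONDS = 60   # code lifetime stated on the page
DIGITS = 6          # six-digit code, as in the page's "847291" example


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the number of whole steps since the Unix epoch.
    This is what the token computes from its seed and its own clock."""
    return hotp(seed, unix_time // step)


def verify(seed: bytes, submitted: str, server_time: int, last_counter: int,
           drift_steps: int = 1, step: int = STEP_SECONDS):
    """Server-side check. Returns the time-step counter that matched, or None.

    - Tries the current step and up to `drift_steps` steps on either side,
      which is the tolerance for token/server clock drift the page describes.
    - Skips any counter at or below `last_counter` (the highest step already
      accepted for this token) so a code cannot be accepted twice.
    - Uses a constant-time comparison so a rejected guess leaks no timing
      information about the correct code.
    """
    current = server_time // step
    start = max(0, current - drift_steps)          # counters cannot be negative
    for counter in range(start, current + drift_steps + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(seed, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Demo: the "token" and the "server" compute the same code from the same seed.
    now = int(time.time())
    code = totp(DEMO_SEED, now)
    matched = verify(DEMO_SEED, code, now, last_counter=-1)
    print(f"token shows {code}; server accepted step {matched}")
    # The same code is refused once that step has been recorded as used.
    print("replay accepted:", verify(DEMO_SEED, code, now, last_counter=matched) is not None)
```

The caller is expected to persist the returned counter per token and pass it back as `last_counter` on the next attempt; without that state the drift window is also a replay window.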
Enterprise deployment. RSA SecurID is commonly deployed as part of enterprise VPN access, remote desktop gateways, and privileged access management systems. Organizations using RSA SecurID typically deploy RSA Authentication Manager — a centralized server that manages tokens, sets authentication policies, and provides logging and reporting. The solution supports both on-premises and cloud-based authentication architectures.
Analogy
RSA SecurID is like a parking garage gate that requires both your key card (password) and a unique code from a tiny display on your keychain that changes every 60 seconds. Even if someone steals your key card, they cannot get in without the currently displayed code.
Types and Use Cases
- Corporate VPN access: Remote employees use RSA SecurID tokens as a second factor when connecting to corporate networks via VPN, ensuring only authorized personnel gain network access.
- Privileged account protection: System administrators and IT staff use SecurID tokens to protect access to critical servers, databases, and management consoles.
- Regulatory compliance: Financial services, healthcare, and government organizations deploy RSA SecurID to meet 2FA/MFA requirements under PCI DSS, SOX, HIPAA, and other regulations.
- Third-party vendor access: Organizations issue temporary software tokens to contractors and vendors who require time-limited access to internal systems and applications.
How it Works
{
  "authenticationRequest": {
    "username": "john.doe@company.com",
    "password": "********",
    "otpCode": "847291",
    "tokenType": "RSA_SecurID"
  },
  "authenticationResponse": {
    "authenticated": true,
    "sessionToken": "eyJhbGciOiJSUzI1NiIs...",
    "authenticationFactors": ["password", "rsa_securid_otp"],
    "tokenSerial": "RSA-12345678"
  }
}
RSA SecurID vs Symantec VIP
RSA SecurID | Symantec VIP
Uses proprietary time-synchronized tokens and its own Authentication Manager server infrastructure | Uses credential-based OTP generation tied to a consumer-grade mobile app and cloud validation service
Hardware tokens have no batteries and no connectivity, relying solely on time-sync algorithms | Credentials are stored in a mobile app that requires device connectivity for initial activation
Longer enterprise heritage and deeper integration with legacy systems like VPNs and terminal servers | Broader consumer application support and cloud-native architecture
Best Practices for RSA SecurID
- Use software tokens for convenience, hardware tokens for high security — software tokens are easier to deploy at scale, while hardware tokens provide air-gapped security for privileged accounts.
- Plan for token lifecycle management — procure, activate, distribute, and retire tokens systematically. Set expiration policies and maintain a buffer of spare tokens for emergency replacements.
- Enable self-service token reset — allow users to reset or re-register tokens through a self-service portal to reduce help desk calls for lost or expired tokens.
- Monitor token usage and failed attempts — set up alerts for repeated failed OTP entries, which may indicate a token cloning attempt or brute-force attack.
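The last practice, monitoring for repeated failed OTP entries, as an added detection example that is not part of the page and not RSA Authentication Manager or LoginRadius code. The log lines are constructed for this example and their field layout (`user=`, `token=`, `result=`) is an assumption, not a real product format. The detector keeps a sliding window of failures per user and raises one alert each time the window reaches the threshold:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real product output). alice fails
# six times in just over a minute; bob fails three times spread over 25 minutes;
# carol succeeds; the final line is malformed and must be skipped, not crash.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=alice token=RSA-00000001 result=OTP_FAILED
2024-05-01T09:00:09Z user=alice token=RSA-00000001 result=OTP_FAILED
2024-05-01T09:00:15Z user=bob token=RSA-00000002 result=OTP_FAILED
2024-05-01T09:00:22Z user=alice token=RSA-00000001 result=OTP_FAILED
2024-05-01T09:00:31Z user=carol token=RSA-00000003 result=SUCCESS
2024-05-01T09:00:40Z user=alice token=RSA-00000001 result=OTP_FAILED
2024-05-01T09:00:58Z user=alice token=RSA-00000001 result=OTP_FAILED
2024-05-01T09:01:10Z user=alice token=RSA-00000001 result=OTP_FAILED
2024-05-01T09:12:00Z user=bob token=RSA-00000002 result=OTP_FAILED
2024-05-01T09:25:00Z user=bob token=RSA-00000002 result=OTP_FAILED
garbage line that does not match the expected layout
"""

# Field layout assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) token=(?P<token>\S+) result=(?P<result>\S+)$"
)


def parse(line: str):
    """Parse one log line into a dict, or return None for lines that do not
    match the assumed layout so a malformed line cannot stop the detector."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_failed_otp_bursts(lines, threshold: int = 5,
                             window: timedelta = timedelta(minutes=5)):
    """Return one alert per burst of `threshold` OTP_FAILED events for a user
    that fall inside `window`. Timestamps older than the window are dropped
    from the per-user deque, so slow, spread-out mistakes do not alert."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = []
    for ev in (parse(line) for line in lines):
        if ev is None or ev["result"] != "OTP_FAILED":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "user": ev["user"],
                "token": ev["token"],
                "count": len(q),
                "first": q[0],
                "last": q[-1],
            })
            q.clear()   # start counting a fresh burst after alerting
    return alerts


if __name__ == "__main__":
    for a in detect_failed_otp_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['user']} ({a['token']}): {a['count']} failed OTP entries "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

In production the alert would be routed to the help desk or SOC and the token placed on hold pending a call to the user; the threshold and window are tuning knobs, and a tight window with a low threshold on privileged accounts is usually worth the extra noise.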
How LoginRadius Powers RSA SecurID
LoginRadius supports RSA SecurID as part of its multi-factor authentication (MFA) integrations. Organizations using RSA Authentication Manager can configure LoginRadius to require RSA SecurID tokens as a second authentication factor for logins and sensitive transactions. The integration supports both hardware and software tokens, providing a seamless MFA experience while maintaining compatibility with existing RSA SecurID deployments.
FAQs
Yes. RSA offers software-based SecurID tokens as mobile apps for iOS and Android. The app generates the same time-based codes as a hardware token. Organizations can push software tokens to user devices through the RSA Authentication Manager or integrate with enterprise mobile device management (MDM) solutions.
If a hardware token is lost, the administrator can deactivate it in RSA Authentication Manager and issue a replacement. Users can be assigned a temporary one-time bypass code or use a software token while waiting for a replacement hardware token. Organizations should have established procedures for emergency token replacement.
LoginRadius supports RSA SecurID as a multi-factor authentication method through its MFA integration framework. Organizations can configure RSA SecurID as a second factor during login, registration, or sensitive operations. The LoginRadius platform handles the token validation workflow while providing centralized MFA policy management and user enrollment flows.