Adam Shostack
Adam Shostack :donor: :rebelverified:

@adamshostack@infosec.exchange

Author, game designer, technologist, teacher.

Helped to create the CVE and many other things. Fixed autorun for XP. On Blackhat Review board.

Books include Threats: What Every Engineer Should Learn from Star Wars (2023), Threat Modeling: Designing for Security, and The New School of Information Security.

Following back if you have content.

Replying to someone

@adamshostack @thedarktangent @tychotithonus

SecurID was TOTP plus two elements of secret sauce. The first was that they supplied a complete environment, not just gadgets—host software, database management software, easy administration for sites with lots of them, etc. (That can pose problems—see cs.columbia.edu/~smb/blog/2011.)
The other ingredient in their secret sauce was more subtle. They understood clock drift, a serious problem in the days before universal connectivity and NTP servers. Security Dynamics (the original company behind it) handled this in two ways. First, they allowed a 5-minute window on either side of the server's time. Second, they measured the drift of each device. Suppose you log in once, then again a week later, and the value of two minutes earlier than the current server time is what matches. The server end would note, and record, that your token's internal clock lost two minutes per week. They'd scale the current time accordingly for the next time you logged in.
One final note: the battery lasted about three years and wasn't replaceable—if you tried, the device's tamper protection circuitry would zeroize the key. Why wasn't it longer-lived? They matched the battery lifetime to an estimate of the physical lifetime of the device, a serious issue for the original SecurID tokens, which were credit-card size but much thicker, and susceptible to bending.
