RealTime IT News

A Better iPhone for the Enterprise?

RSA today officially released its RSA SecurID Token for iPhone product. The SecurID Token has actually been available unofficially on the iPhone App Store since last month for those who could find it.

The product delivers RSA's one-time password software token to the iPhone and two-factor authentication to protected services. A similar software product is available for other popular mobile phones such as the BlackBerry, Windows Mobile devices, and Java-based phones. RSA developed a software token product for Verizon's Brew phones as well.

Most IT organizations use it to authorize access to the VPN, Rachael Stockton, RSA principal product marketing manager, told InternetNews.com. Some have built specialized mobile VPNs for the purpose, and this could be a nascent trend.

"When a mobile VPN becomes hot, that changes the hardware category," she said. "People really use their smart phones as mini computers."

Although the iPhone is pitched primarily to consumers, its growing sales in the enterprise demonstrate the growing influence end users are having over corporate purchasing. "This is part of the consumerization of IT," said Stockton. "There's a lot of pressure on IT to support the iPhone. End users love the slick iPhone interface, and it's convenient for them."

Lower costs

IT gets some benefits from the software token. "IT managers like to lower costs. As you know, everyone is looking to cut costs," Stockton said.

She explained that software tokens are cheaper than hardware tokens at every stage. At the distribution stage, the cost of sending out a software token is the cost of an e-mail, compared to a UPS, FedEx, or DHL package for a hardware token.

Later, many hardware tokens are lost. If a device with a software token is lost, the company has not lost the token. "Even if you lose the BlackBerry or iPhone ... the IT organization can revoke the software token and put it back in the pool and re-apply it," she said.

But she admitted that while software tokens are becoming increasingly popular, RSA still sells more hardware tokens.

How it works

Stockton explained that a one-time password is a system consisting of a seed, an algorithm, and a time stamp. The seed is stored on the mobile device and inside the firewall on the authentication server, RSA Authentication Manager.

"The RSA one-time password is time-based," she said. "Every 60 seconds, the password on the token or the iPhone changes."

She said that this system is more secure than event-based tokens, which change every time you use them, because if a phisher obtains an event-based token, they will have time to use it, perhaps 24 hours or more. "That's why we're focused on time sync instead of event sync," Stockton said.

She added that authentication generally takes a few seconds.

If the 60 seconds expire while a user is entering the code, the system can be programmed by IT to give them some extra time, or it can go into "next token code mode," in which case it will ask for the next code.
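The seed, time stamp and 60-second interval described above, sketched as an added example that is not from the article or from RSA. SecurID's own algorithm is not given on the page, so this substitutes the public HOTP/TOTP construction (RFC 4226/6238, HMAC-SHA1) with a 60-second step. The 6-digit length, the `extra_intervals` grace setting, the replay check and the constructed seed are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds per code, as stated in the article
DIGITS = 6     # assumption: code length is not given on the page
SEED = b"12345678901234567890"  # constructed seed (the RFC 4226 test key)


def token_code(seed: bytes, unix_time: int) -> str:
    """Code shown by the token for the 60-second interval containing unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def verify(seed, submitted, server_time, extra_intervals=1, last_used=-1):
    """Server-side check against the shared seed.

    extra_intervals: how many expired intervals are still accepted, i.e. the
    "extra time" an administrator grants a slow typist (0 = strict).
    last_used: interval of the last accepted code; anything at or before it
    is rejected so a captured code cannot be replayed inside the grace window.
    Returns the matched interval number, or None on failure.
    """
    now = server_time // STEP
    for counter in range(max(now - extra_intervals, 0), now + 1):
        if counter <= last_used:
            continue
        expected = token_code(seed, counter * STEP)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return counter
    return None


if __name__ == "__main__":
    code = token_code(SEED, 59)                    # generated just before rollover
    print(code, verify(SEED, code, 65))            # accepted via the grace interval
    print(verify(SEED, code, 65, extra_intervals=0))  # strict policy rejects it
    print(verify(SEED, code, 65, last_used=0))     # replay of a used code rejected
```

Widening `extra_intervals` trades usability for a longer period in which a phished code remains valid, which is the exposure the article's time-sync argument is about.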

The security product uses AES 128-bit encryption and requires the latest version of iTunes.


Pricing depends on the volume of tokens ordered and on the period of time they are ordered for. They are available in 1, 2, 3, 4, 5, and 10 year versions. Stockton said that the 3 year and 10 year options are the most popular. "Three years is the average life of hardware," she said.

List price for a one year token starts at $25.