SecurID

The RSA SecurID authentication mechanism uses a hardware token (fob, USB token) that generates an authentication code at fixed intervals (usually one minute), using a built-in clock and an encoded random key.

A popular SecurID token is the hand-held device, usually a key fob or slim card. The token can have a PIN pad, on which a user enters a personal identification number (PIN) to create a passcode. When the token does not have a PIN pad, a tokencode is displayed. A tokencode is the changing number displayed on the key fob.

Endpoint Security VPN uses the PIN and tokencode or the passcode to authenticate to the gateway.

Key Fobs

A key fob is a small hardware device with built-in authentication mechanisms that control access to network services and information. While a password can be stolen without the owner realizing it, a missing key fob is immediately apparent. Key fobs provide the same two-factor authentication as other SecurID devices. The user has a personal identification number (PIN), which authenticates that person as the owner of the device; after the user enters the correct PIN, the device displays a number that allows the user to log on to the network. The SecurID SID700 key fob is a typical example of such a device.

RSA Tokens

If you use SecurID for authentication, you must configure users on an RSA ACE management server. In addition, it is necessary to add SecurID users to a group with an external user profile account that includes SecurID as the Authentication Method.

See the RSA SecurID documentation for how to configure RSA with Check Point gateways.

Challenge-Response

Challenge-response is an authentication protocol in which one party provides the first string (the challenge), and the other party answers it with the next string (the response). Authentication occurs only when the response is validated.
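
The exchange described above, as an added example that is not Check Point or RSA code: a generic challenge-response in which the response is an HMAC-SHA256 of the challenge under a shared key. The names Verifier, respond and demo, the 60-second challenge lifetime and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed value)


class Verifier:
    """Server side: issues challenges and validates responses."""

    def __init__(self, shared_keys):
        self._keys = shared_keys   # user -> secret key (bytes)
        self._pending = {}         # user -> (challenge, issued_at)

    def issue_challenge(self, user, now=None):
        challenge = secrets.token_bytes(16)  # fresh, unpredictable string
        self._pending[user] = (challenge, time.time() if now is None else now)
        return challenge

    def validate(self, user, response, now=None):
        now = time.time() if now is None else now
        # pop(): a challenge is accepted at most once, so a captured
        # response cannot be replayed later.
        entry = self._pending.pop(user, None)
        key = self._keys.get(user)
        if entry is None or key is None:
            return False
        challenge, issued_at = entry
        if now - issued_at > CHALLENGE_TTL:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time


def respond(key, challenge):
    """Client side: prove knowledge of the key without sending it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def demo():
    key = b"constructed-demo-key"  # constructed sample secret
    server = Verifier({"alice": key})
    c1 = server.issue_challenge("alice", now=1000)
    r1 = respond(key, c1)
    ok = server.validate("alice", r1, now=1010)
    replay = server.validate("alice", r1, now=1011)  # challenge already used
    c2 = server.issue_challenge("alice", now=2000)
    expired = server.validate("alice", respond(key, c2), now=2061)
    return ok, replay, expired
```

The first response validates; the replayed response and the response to an expired challenge are both rejected.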

Authentication Timeout

Authentication Timeout is how long a client password is valid before the user must enter it again. By default, this is one day.

To change Authentication Timeout:

  1. In SmartConsole, open the Global Properties window > Remote Access page.

  2. In Authentication Timeout, select Validation timeout and enter a value in minutes.