Many corporations rely on RSA's SecurID as part of their data security solution. Even the U.S. Department of Defense uses EMC's RSA SecurID technology.
In a somewhat frightening development, EMC has revealed that it's been hacked. Those using the RSA authentication technology need not go into a full panic just yet, as EMC doesn't believe that the information stolen creates a full hole.
Art Coviello, Executive Chairman of RSA, wrote in an open letter to customers:
SecurID is a time-based one-time password authentication technology that's been in use for well over a decade. You carry a device which provides a continuously changing code (often displayed onscreen). You add a PIN number to this (a step handled in different ways), and then type the result into a webpage, VPN login, etc. A server running an algorithm within the target for access evaluates your entry, and decides if it's valid. If it is, you're in.
It's "two factor", because you need the token and your PIN. These OTP (one-time-password) technologies are pretty good, but most have flaws (SecurID is not the best, technically), and all pale in comparison with PKI authentication.
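The server-side check described above, as an added example that is not part of the original page and is not RSA's code: it uses the open RFC 6238 TOTP construction as a stand-in for the token algorithm (the page does not describe SecurID's own) and shows the PIN check, the clock-drift window and rejection of a reused code. Assumptions: a 60-second step, a 6-digit code, a passcode formed as PIN followed by the token code, and the hypothetical `Validator` class with a constructed user, seed and salt.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds per code (assumed for this sketch)
DIGITS = 6   # length of the token code (assumed)
DRIFT = 1    # accept codes within +/- one step of token clock drift

def totp(seed: bytes, counter: int) -> str:
    """RFC 6238/4226 code for one time step (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Validator:
    def __init__(self):
        self.users = {}  # name -> seed, salt, PIN hash, last accepted step

    def enroll(self, name, seed, pin, salt):
        self.users[name] = {"seed": seed, "salt": salt,
                            "pin": pin_hash(pin, salt), "last": -1}

    def verify(self, name, passcode, now):
        user = self.users.get(name)
        if user is None or len(passcode) <= DIGITS:
            return False
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(pin_hash(pin, user["salt"]), user["pin"])
        current = int(now) // STEP
        matched = None
        for counter in range(current - DRIFT, current + DRIFT + 1):
            expected = totp(user["seed"], counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                matched = counter
        # Both factors must hold, and each time step is accepted only once.
        if not pin_ok or matched is None or matched <= user["last"]:
            return False
        user["last"] = matched
        return True

if __name__ == "__main__":
    v = Validator()  # constructed demo values below
    v.enroll("alice", b"12345678901234567890", "4321", b"constructed-salt")
    passcode = "4321" + totp(b"12345678901234567890", 1)
    print(v.verify("alice", passcode, now=60), v.verify("alice", passcode, now=60))
```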
So a company that specializes in security got the crap hacked out of them and no one noticed until after it was done? Tell me again why anyone uses a product from this company? If I were using RSA in my company, they could expect to get their crap back.