SecurID is a mechanism developed by RSA Security for authenticating a user to a network resource.
The SecurID authentication mechanism consists of a “token” — a piece of hardware assigned to a user that generates an authentication code every sixty seconds using a built-in clock and the card’s factory-encoded random key (known as the “seed”). The seed is different for each token, and is loaded into the corresponding SecurID server (the “ACE Server”) as the tokens are purchased.
The token hardware is designed to be tamper resistant to deter reverse engineering of the token.
A user authenticating to a network resource — say, a dial-in server or a firewall — needs to enter both a PIN (something you know) and the number being displayed at that moment in time on her SecurID token (something you have). The server, which also has a real-time clock and a database of valid cards with the associated seed records, computes what number the token is supposed to be showing at that moment in time, checks it against what the user entered, and makes the decision to allow or deny access.
While the SecurID system can add a layer of security to a network, problems can occur if the authentication server’s clock falls out of sync with the clocks built into the authentication tokens. Typically, however, the ACE Server corrects for this automatically without affecting the user, and a token can also be re-synced manually in the ACE Server.
Providing authentication tokens to everyone who might need to access a network resource can also be expensive, particularly as the tokens are programmed to “expire” at a fixed time, usually three years, requiring purchase of a new token.
[ wikipedia ]
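The server-side check and automatic clock correction described above can be sketched as follows. This is an added example, not RSA's code: the code derivation is a stand-in (HMAC-SHA1 with RFC 4226 truncation), and the six-digit length, the one-interval drift window, the replay check and all names are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60       # seconds per displayed code, as the page describes
DIGITS = 6      # assumption: length of the displayed code
MAX_DRIFT = 1   # assumption: intervals searched either side of the expected one


def code_for_interval(seed: bytes, counter: int) -> str:
    """Stand-in derivation (HMAC-SHA1 with RFC 4226 truncation), not RSA's algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def token_display(seed: bytes, token_clock: float) -> str:
    """What the token shows, driven by its own built-in clock."""
    return code_for_interval(seed, int(token_clock) // STEP)


class AuthServer:
    def __init__(self):
        self.records = {}  # user -> seed record (PIN kept in clear only for brevity)

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.records[user] = {"seed": seed, "pin": pin, "drift": 0, "last": -1}

    def authenticate(self, user: str, pin: str, code: str, server_clock: float) -> bool:
        rec = self.records.get(user)
        if rec is None:
            return False
        pin_ok = hmac.compare_digest(pin.encode(), rec["pin"].encode())
        base = int(server_clock) // STEP + rec["drift"]
        for delta in sorted(range(-MAX_DRIFT, MAX_DRIFT + 1), key=abs):
            counter = base + delta
            if counter <= rec["last"]:
                continue  # added safeguard: never accept a used or older interval
            expected = code_for_interval(rec["seed"], counter)
            if hmac.compare_digest(expected.encode(), code.encode()) and pin_ok:
                rec["drift"] += delta  # remember the offset: automatic re-sync
                rec["last"] = counter
                return True
        return False
```

A token whose clock has drifted further than the search window is rejected here, which corresponds to the case where the token has to be re-synced manually.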