RFC 2808 (rfc2808) - Page 2 of 11
The SecurID(r) SASL Mechanism
Alternative Format: Original Text Document
RFC 2808 The SecurID(r) SASL Mechanism April 2000
The SECURID SASL mechanism provides a formal way to integrate the
existing SecurID authentication method into SASL-enabled protocols
including IMAP [RFC 2060], ACAP [RFC 2244], POP3 [RFC 1734] and LDAPv3
[RFC 2251].
2. Authentication Model
The SECURID SASL mechanism provides two-factor based user
authentication as defined below.
There are basically three entities in the authentication mechanism
described here: A user, possessing a SecurID token, an application
server, to which the user wants to connect, and an authentication
server, capable of authenticating the user. Even though the
application server in practice may function as a client with respect
to the authentication server, relaying authentication credentials
etc. as needed, both servers are, unless explicitly mentioned,
collectively termed "the server" here. The protocol used between the
application server and the authentication server is outside the scope
of this memo. The application client, acting on behalf of the user,
is termed "the client".
The mechanism is based on the use of a shared secret key, or "seed",
and a personal identification number (PIN), which is known both by
the user and the authentication server. The secret seed is stored on
a token that the user possesses, as well as on the authentication
server. Hence the term "two-factor authentication", a user needs not
only physical access to the token but also knowledge about the PIN in
order to perform an authentication. Given the seed, current time of
day, and the PIN, a "PASSCODE(r)" is generated by the user's token
and sent to the server.
The SECURID SASL mechanism provides one service:
- User authentication where the user provides information to the
server, so that the server can authenticate the user.
This mechanism is identified with the SASL key "SECURID".
3. Authentication Procedure
a) The client generates the credentials using local information
(seed, current time and user PIN/password).
Nystrom Informational