RFC 2808 (rfc2808) - Page 2 of 11


The SecurID(r) SASL Mechanism



Alternative Format: Original Text Document



RFC 2808             The SecurID(r) SASL Mechanism            April 2000


   The SECURID SASL mechanism provides a formal way to integrate the
   existing SecurID authentication method into SASL-enabled protocols
   including IMAP [RFC 2060], ACAP [RFC 2244], POP3 [RFC 1734] and LDAPv3
   [RFC 2251].

2. Authentication Model

   The SECURID SASL mechanism provides two-factor based user
   authentication as defined below.

   There are basically three entities in the authentication mechanism
   described here: A user, possessing a SecurID token, an application
   server, to which the user wants to connect, and an authentication
   server, capable of authenticating the user. Even though the
   application server in practice may function as a client with respect
   to the authentication server, relaying authentication credentials
   etc. as needed, both servers are, unless explicitly mentioned,
   collectively termed "the server" here. The protocol used between the
   application server and the authentication server is outside the scope
   of this memo. The application client, acting on behalf of the user,
   is termed "the client".

   The mechanism is based on the use of a shared secret key, or "seed",
   and a personal identification number (PIN), which is known both by
   the user and the authentication server. The secret seed is stored on
   a token that the user possesses, as well as on the authentication
   server. Hence the term "two-factor authentication", a user needs not
   only physical access to the token but also knowledge about the PIN in
   order to perform an authentication. Given the seed, current time of
   day, and the PIN, a "PASSCODE(r)" is generated by the user's token
   and sent to the server.

   The SECURID SASL mechanism provides one service:

   -    User authentication where the user provides information to the
        server, so that the server can authenticate the user.

   This mechanism is identified with the SASL key "SECURID".

3. Authentication Procedure

   a) The client generates the credentials using local information
      (seed, current time and user PIN/password).








Nystrom                      Informational