teh bigbro blog(tm)
Bigbro's foray into the scary world of blogging
Fri, 10 Apr 2009
RSA security website fail :(
Many companies use RSA SecurID keyfobs to add a one-time element to all passwords, and thus increase security. (The three tenets of good security are something you know, like a PIN; something you have, like a one-time code generator keyfob; and something you are, like a fingerprint or other biometric. Using a PIN with the RSA SecurID covers the first two of these factors, and specifically prevents someone gaining access if they only get a user's password.)
These keyfobs are not cheap, and so I noticed they had the great idea of printing a little message on the back:
If found refer to: www.rsasecurity.com/found
What a wonderful idea - if someone finds it, they can return it to RSA, and since each keyfob has a unique ID, RSA can use its records to return it to the company who purchased it. The company can, in turn, look up their system to see which user was assigned that token and take appropriate action to either return the token to the owner or possibly berate him/her for losing it in the first place. Either way, it's a 'good thing'™
Except for one minor flaw... the website doesn't work. Hopefully it's a temporary failure, but today if I wanted to return a keyfob to its owner I'd be met with:

Update: It's a simple redirection error, and refreshing the redirect of www.rsa.com/found will display the page correctly. Unfortunately, it appears I was completely wrong about the supposed intent of the page - it simply tells people to return found tokens to the local 'lost & found' or police station, and specifically states that RSA will not reveal who is the owner of any token found. They're quite right not to, but I was hoping RSA might offer a service whereby they would return found tokens without revealing to the finder who they've returned them to. Oh well - best not lose my token then ;-)
posted at: 16:46

copyright © 2005-2008, Gareth Eason