
I'm using a Junos Pulse Secure Access Service (Juniper Networks), which requires me to enter an RSA PIN in addition to the password. I don't know if this is always the case or if it's a custom configuration. After entering both I get an email with a generated tokencode, which I have to enter.

The PIN isn't generated, it stays the same until I change it manually. There are no restrictions on when I have to change the PIN (besides on first login), therefore it's just something I have to remember like the password.

I don't think it makes the system more secure, so what is the RSA PIN used for? Could this be a misconfiguration which could lead to a security risk?

Christian Strempfer
  • This is more of a poor-man's two-form-factor authentication. It would be up to the network admin to regularly update the PINs. It is more secure but not as secure as something like requiring RSA SecureID key that is automatically changing every so often, similar to what Google offers for their Gmail accounts. This service is just included with your Juniper as a "bonus". – Jack Bahou Feb 25 '16 at 12:36

3 Answers


There are several configurations for generating the PIN. If the admin has configured it for OnDemand Authentication via user PIN only, you get the token code via email/SMS. But it can be configured for various other options.

You can make a suggestion to the Authentication Manager to change the PIN change policy, forcing the user to change the PIN after a fixed duration, or to include both a security question/password along with the PIN + token code.

The consideration taken is that, for a lapse of security, no one will have access to both the PIN and the token code delivery method at the same time, which restricts the login attempts to just 3 for either a wrong PIN or a wrong token code.

Shaswat

It is a standard implementation. It does add an extra layer of security in the event of your primary password being compromised and the SecurID being removed from your possession (i.e. stolen, or lost and then found by a malicious third party); without the PIN, the token and/or account will be locked out after a few authentication attempts.

I do agree, however, that the risk of this is very low, which is a good thing.

TheJulyPlot

The technique is called two-factor authentication, referring to the three fundamental factors of authentication: Something you have, something you know and something you are. While each of these can be compromised individually, the methods are different.

For example, if someone were able to find/guess your password (written down, leaked from another site, sniffed over the network), they'd still need access to the physical token in order to gain access. Similarly, the token is no good without your password, so a casual thief would also need to acquire your password.

The nature of the pins changing over time (usually something like a 10-15 second window) also improves their resistance to brute force attacks and replay attacks, as the same code doesn't work very many times.

Jozef Woods
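The two answers above describe, in prose, what the verifier on the Juniper/RSA side has to do: accept a login only when both the static PIN and the current tokencode are right, refuse a code that is replayed inside its time window, and lock the account after 3 failed attempts so a stolen token without the PIN cannot be brute-forced. The following example is added here to show that logic as working code; it is not code from the question, from either answer, or from Juniper or RSA. RSA's proprietary tokencode algorithm is not on the page, so an HMAC-SHA1 time-based code (TOTP-style, RFC 6238) stands in for it; the 60-second window, the seed, the PIN and the timestamps are constructed demo values, and the names `tokencode`, `PinTokenVerifier` and `demo` are mine.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not real RSA SecurID material). RSA's proprietary
# tokencode algorithm is not on the page; an HMAC-SHA1 time-based code
# (TOTP-style, RFC 6238) stands in for it here.
DEMO_SEED = b"constructed-demo-seed-not-a-real-token"
TIME_STEP = 60      # seconds per tokencode window (assumption)
MAX_FAILURES = 3    # lockout after 3 failed attempts, as the answer above states
DIGITS = 6


def tokencode(seed: bytes, t: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Time-based code for the window containing Unix time t (HOTP dynamic truncation)."""
    counter = t // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class PinTokenVerifier:
    """Server side: static PIN (something you know) + tokencode (something you have)."""

    def __init__(self, pin: str, seed: bytes):
        self._pin = pin
        self._seed = seed
        self.failures = 0
        self.locked = False
        self._last_window = -1   # last window whose code was accepted (replay guard)

    def verify(self, pin: str, code: str, now: int) -> str:
        if self.locked:
            return "locked"          # valid credentials no longer help once locked
        window = now // TIME_STEP
        expected = tokencode(self._seed, now)
        # Constant-time comparison so response timing leaks nothing about either factor.
        pin_ok = hmac.compare_digest(pin.encode(), self._pin.encode())
        code_ok = hmac.compare_digest(code.encode(), expected.encode())
        if not (pin_ok and code_ok):
            return self._fail("bad-credentials")
        if window <= self._last_window:
            return self._fail("replay")   # same code presented again inside its window
        self._last_window = window
        self.failures = 0
        return "ok"

    def _fail(self, reason: str) -> str:
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
            return "locked"
        return reason


def demo() -> list:
    """Walk through the cases the answers describe; returns the verdict for each attempt."""
    v = PinTokenVerifier("1234", DEMO_SEED)
    t0 = 1_700_000_000                 # constructed timestamp
    good = tokencode(DEMO_SEED, t0)
    return [
        v.verify("1234", good, t0),            # correct PIN + current code -> ok
        v.verify("1234", good, t0 + 5),        # same code replayed in its window -> replay
        v.verify("0000", good, t0 + 10),       # stolen token, unknown PIN -> bad-credentials
        v.verify("1234", "wrong!", t0 + 20),   # third failure -> locked
        v.verify("1234", tokencode(DEMO_SEED, t0 + 70), t0 + 70),  # locked even with a valid pair
    ]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `['ok', 'replay', 'bad-credentials', 'locked', 'locked']`: the first attempt passes, the replayed code is refused even though it is still "current", a correct code with the wrong PIN is refused, and the third failure locks the account so that even a fresh, correct PIN + code pair is rejected afterwards. That last case is the property the answers rely on: a thief holding the token but not the PIN gets three guesses, not an unbounded search.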