Stop us if you’ve heard this one: an emergency access feature that RSA offers to SecurID token customers isn’t completely secure. That’s the opinion of pentest outfit NetSPI, whose Alexander Leary worked out how to abuse SecurID Emergency Access Tokencodes (EATs).
The one-time codes are intended to provide a temporary access mechanism for someone whose SecurID token fails or is lost: an EAT is a “backup code that is randomly generated on the RSA server that works for a set period, typically a week or so”, Leary writes. The problem is this: so that sysadmins aren’t distracted by user requests for temporary codes (“oh, you know, I left it in my other coat”), the SecurID console has a self-service option that lets users issue their own EATs, with no administrator in the loop.
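To make the mechanism described above concrete, here is a small model of an emergency-code store that behaves the way the article describes an EAT: minted server-side from a secure random source, bound to one user, valid for a fixed window (a week by default), and redeemable exactly once. This is an added illustration written for this page, not RSA’s code or NetSPI’s; the class name, the eight-digit format, the hashing of codes at rest and the injectable clock are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed model of an Emergency Access Tokencode (EAT) store. Illustrative
# only: this is not RSA's implementation, and the format, validity window and
# storage scheme below are assumptions made for the example.

CODE_LENGTH = 8                     # assumed: eight numeric digits
VALIDITY_SECONDS = 7 * 24 * 3600    # "typically a week or so"


class EmergencyCodeStore:
    """One outstanding emergency code per user, time-bounded and single-use."""

    def __init__(self, clock=time.time):
        # Clock is injectable so expiry can be exercised without waiting a week.
        self._clock = clock
        self._records = {}  # user -> (code_hash, issued_at, expires_at)

    @staticmethod
    def _hash(user, code):
        # Only a hash is kept, so reading the store does not yield usable codes.
        return hashlib.sha256(f"{user}:{code}".encode()).hexdigest()

    def issue(self, user, validity=VALIDITY_SECONDS):
        """Mint a fresh random code for `user`; any earlier code is replaced."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        now = self._clock()
        self._records[user] = (self._hash(user, code), now, now + validity)
        return code

    def redeem(self, user, code):
        """Return 'ok' once for the correct, unexpired code; otherwise a reason."""
        record = self._records.get(user)
        if record is None:
            return "no_code"
        code_hash, _issued_at, expires_at = record
        if self._clock() > expires_at:
            # Expired codes are discarded rather than left lying around.
            del self._records[user]
            return "expired"
        if not hmac.compare_digest(code_hash, self._hash(user, code)):
            return "invalid"
        # Single use: a successful redemption consumes the code.
        del self._records[user]
        return "ok"


if __name__ == "__main__":
    store = EmergencyCodeStore()
    code = store.issue("alice")
    print("issued", code)
    print("first redeem:", store.redeem("alice", code))    # ok
    print("second redeem:", store.redeem("alice", code))   # no_code
```

The point of the model is the lifecycle, not the crypto: whoever can call `issue` for a user gets a code that is as good as that user’s token for the rest of the window, which is why the question of who is allowed to issue one matters as much as how the code is generated.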