The concept of RSA SecurID's system is that a user and an access authenticator (such as a financial institution controlling access to its accounts) share a seemingly randomly generated number that can be added to a password or entered as a separate field. The concept is that even if someone had access to or stolen a person's username and password, they'd still need the random number provided by RSA to access an account or access to a PC/network.
RSA has been known for delivering this random number from a synchronized token, and the number typically is set to change about every 30 seconds. Essentially the system provides two factor authentication: Something you know (the username and password) and something you have (the token).
The numbers were typically generated on a token that is quite comparable to many USB "thumb" drives, and in fact RSA had versions that had USB ports on them as well, but today the company has introduced a new form factor that would fit well into the wallets of users everywhere. The company announced worldwide availability of a card style SecurID token device about the size of a standard credit card, with a small LCD type screen to display the auto-generated number.
The card targets regulations like the U.S. government's guidance from the Federal Financial Institutions Examination Council (FFIEC) for two-factor Internet banking authentication, and there are similar initiatives under way in Singapore, Hong Kong and Malaysia for banks. Mexico, Chile and Colombia also have two-factor authentication regulations in place. Bank of America's Asia operations already have a SecurID initiative underway, as does PayPal, and some U.S. bank operations, including Commerce Bank and Zions Bank. Some financial institutions have subsidized the cost of the cards/tokens to their users in an attempt to expand the adoption of two-factor account authentication.
While increasingly popular with financial institutions for online access, the RSA SecurID solution has not been typically adopted by the physical security/access control community, which has often already been based on something you have (the standard access control card). However, the technology could fit into PIN-entry type access control systems as a way to ensure that employees can't simply give their PINs to other users for illegal access without having to also give them SecurID token or card.
