RSA tokencode timeout
Posted on 2011-03-04
We have an RSA SecurID appliance and we utilize the tokens that display the tokencode for 60 seconds. I was shocked to recently learn that the tokencodes are actually valid for 3 minutes. I had always assumed that once the tokencode had lapsed after 60 seconds, the server would no longer recognize it either. That's incorrect. Since that's the case, I guess I don't understand why the tokens don't just present the tokencode for 3 minutes.
My question is this: Does anyone know if it's possible to configure the RSA SecurID server to only recognize the tokencodes during the 60 seconds that the codes are presented on the token?
We logged a case with RSA and the technician said it can't be adjusted. I'm not certain if that was an official statement from RSA or just the opinion from the technician of the day. I attended a security conference in which one of the speakers pointed out that in some cases the RSA timeout could be as high as 10 minutes and his recommendation was to decrease that. So now I'm not certain if the speaker didn't have his facts straight or the RSA technician didn't have his facts straight.
Anyone had any experience with this? Anyone else shocked that the tokencodes are valid long after they're no longer displayed on the token??
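The behaviour described in the post (a code shown for 60 seconds but accepted for 3 minutes) is what a time-based OTP server does when it tolerates clock drift: it checks the submitted code against the current time step and a few neighbouring steps. The following is an added illustration, not code from the post or from RSA; SecurID's own algorithm is proprietary and is not reproduced here. It uses the standard RFC 6238 TOTP construction as an analogue, with a 60-second step and a configurable acceptance window, and a constructed demo seed. The `window=1` setting (one step either side, 180 seconds of acceptance in total) reproduces the 3-minute observation; `window=0` restricts acceptance to the step in which the code is on the display. The replay check (a step's code accepted only once) is a general OTP-verifier practice added for completeness, not something the post states about the RSA server.

```python
import hashlib
import hmac
import struct

# Constructed demo seed for the example; not a real token secret.
DEMO_SEED = b"constructed-demo-seed-not-a-real-SecurID-token"
STEP_SECONDS = 60  # the display period of the tokens in the post


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: the code the token would display at time `at` (seconds since epoch)."""
    return hotp(secret, int(at) // step, digits)


def acceptance_span_seconds(step: int, window: int) -> int:
    """Total wall-clock time during which one code is accepted: the step it belongs to
    plus `window` steps on either side. step=60, window=1 -> 180 s (3 minutes)."""
    return step * (2 * window + 1)


class TokencodeVerifier:
    """Server-side check with a drift-tolerance window (assumed design, not RSA's)."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        # Counters whose code has already been accepted: reject a second use of the
        # same code even inside the window (general OTP practice, added here).
        self.used_counters: set[int] = set()

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self.step
        # Try the current step first, then earlier and later steps (slow/fast token clock).
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter in self.used_counters:
                    return False  # replay of an already-used code
                self.used_counters.add(counter)
                return True
        return False


def demo() -> dict:
    """Exercise the window: a code displayed during [960, 1020) with step=60 (counter 16)."""
    shown_at = 1000
    code = totp(DEMO_SEED, shown_at)
    wide = TokencodeVerifier(DEMO_SEED, window=1)
    tight = TokencodeVerifier(DEMO_SEED, window=0)
    results = {
        "accepted_while_displayed": TokencodeVerifier(DEMO_SEED, window=1).verify(code, shown_at),
        # 59 s after the display moved on: still within +-1 step with window=1
        "accepted_after_display_window1": wide.verify(code, 1079),
        # two steps later: outside the +-1 window
        "rejected_two_steps_later_window1": not TokencodeVerifier(DEMO_SEED, window=1).verify(code, 1080),
        # window=0 rejects the code the moment the display changes
        "rejected_after_display_window0": not tight.verify(code, 1020),
        # the same code submitted a second time is refused as a replay
        "replay_rejected": not wide.verify(code, 1079),
        "span_seconds_window1": acceptance_span_seconds(STEP_SECONDS, 1),
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The trade-off the post is circling is visible in the `window` parameter: shrinking it to 0 closes the period in which an observed code can be reused after it leaves the display, but a token whose clock has drifted by more than a few seconds will then fail to authenticate at step boundaries, which is why time-based OTP servers generally keep a tolerance window and resynchronise the token's recorded drift rather than tighten the window.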