HowStuffWorks and other sites talk about how you use it, but not how it actually works.
Introduction: A SecurID token is a gizmo about 2.5 x 1.5 inches that has a 6-digit LCD display. Its sole job is to generate numbers. A new 6-digit number appears about once a minute. You create a unique 4-digit PIN when you register. Each time you want to access the system, you enter your PIN plus whatever 6-digit number is showing at that moment. The authentication is what they call two-factor authentication, because you have a PIN plus you have to have the device in hand.
Q: How does it know that the 6-digit number I typed in is authentic?
Here are my guesses, which I shoot down:
A. Subset. There are a million possible numbers, but only a certain subset of them are valid. There is no way to guess the subset, but the server on the other end knows which ones are valid for my device. Doesn’t seem reasonable, since it would have to generate a large number of numbers to prevent learning the entire subset by inspection. You could capture a million numbers in less than two years (not terribly practical but certainly feasible if you’re patient). OTOH there would have to be a small fraction of those million valid to avoid someone getting lucky by just guessing a number. For example, if 500K numbers were valid, you would have a 50/50 chance of guessing one.
B. Timing. Maybe the number that the device displays is synced with the server. I am skeptical that the clock in the device would be accurate enough for that, however. The device is standalone and never connects to anything to sync the clock. Even a very good quartz watch will lose or gain time; that would throw it off by more than a minute over a month or maybe a year.
B2. Timing on a larger scale. Maybe it changes what numbers are valid on a particular hour or day, rather than targeting the exact number displayed at a specific minute.
C. Sequence. The device surely uses some unpredictable (but not random) algorithm to produce the numbers, but you only enter a single number. So the server can’t compare two sequential numbers to see if they’re the right sequence. So that’s out.
I was thinking it might be similar to the technology used for remote car door openers, which is discussed on HowStuffWorks in some detail. However, that requires a more complicated protocol between the sender and receiver than just sending a single code, and I think it is similar to C above.
Anybody know? I would even entertain educated guesses, but it would be nice if someone really knew.