An enterprise security analyst for a publicly traded enterprise retail company was charged with replacing the company-wide deployment of RSA’s SecurID with an easier, more affordable two-factor authentication solution.
The analyst has worked in security for twenty years, and he had become frustrated by the large amount of time he and his team spent managing their clunky two-factor solution. His bosses were equally annoyed by the growing costs of their SecurID program.
“RSA SecurID was probably the biggest pain I’ve ever had,” said the analyst. “The more people you have and are hiring, the worse it is. It’s always a nightmare. Employees are always losing or accidentally washing their RSA tokens with their laundry. My team and I were spending hours just resyncing tokens. We even had to hire additional staff just to deal with the hardware tokens.”
The analyst asserts that out of 40,000 RSA SecurID hardware tokens, 3,000 were lost. And regardless of how much internal training he and his team did, they received nearly constant calls from users who confused the secret codes and the security passcodes or used the token incorrectly in some other way. All in all, SecurID just wasn’t the user-friendly solution they needed as their team grew both domestically and globally.
What the company needed was a two-factor authentication solution that was just as secure as the legacy providers, but easier for end users to use and easier to manage from the administration side. They needed to ditch the tokens.
With users in China and Korea, as well as in North America, the analyst's organization needed a two-factor authentication solution that was flexible and scalable for a large enterprise.
He got the green light from his supervisors to begin evaluating two-factor vendors. “I came across several solutions, none of which were doing much different from RSA, and then I found Duo,” said the analyst. “I brought it in for a pilot to test it. I have to say it was difficult to believe that it was so simple, so easy to use, and so easy to register.”
Moving from RSA to Duo
Once the pilot program proved successful, they began a trial replacement for the top users in the organization. “We left them active in RSA, issued them Duo credentials, and let them try both,” he said. “We had zero complaints across 200 users. We even called them to make sure that they were not having any issues with Duo. And that’s how it turned out. Everything just flowed with Duo.”
The next step was to transition their entire user base over to Duo. “We just told our local users to come into our office, lay down your SecurID token, we’ll turn it off once you do your first login with Duo,” he said.
Rolling out Duo within the organization
The analyst and his team communicated the transition from RSA to Duo to their internal organization and asked each person to open a help desk ticket to switch over. He said he wanted to manually get everyone set up to make sure they were added to the right groups and given the access appropriate for them. Duo offers several enrollment options for customers to choose from, but he wanted to oversee the process with each user face to face.
Once each user was set up, the team sent them instructions on how to use Duo. Of 500 users, the analyst and his team encountered only five who filed help desk tickets during the entire time the organization has been using Duo. They monitored each user to make sure they were able to get into the corporate networks without any problems.
“We had so few users that had any errors or lockouts that it was a cakewalk. It was truly one of the easiest implementations of any tools that I’ve seen,” he said.
The hidden costs of RSA
The analyst also noted the many hidden costs related to RSA SecurID tokens: “You just feel like you’re constantly being nickeled and dimed with RSA. There’s the extra cost of re-upping the tokens on a three-year interval, as well as add-ons and extra features. If you need to replace any of the broken tokens, you’re talking about another added cost. The whole program gets very, very expensive. We just weren’t comfortable with that at all.”
“What we’ve seen with Duo is a very easy service, a very inexpensive product, and a huge reward for us. You always hear people in the infosecurity industry talking about how easy Duo is to use - it’s actually true.”
So, what are you going to do with your RSA tokens?
“I’ll use them for skeet shooting,” said the analyst, laughing.