RSA token-replacement strategy branded a "disaster" by rival

SecurEnvoy rubs salt in RSA's wounds by claiming replacing all 40 million would cost £4bn

An RSA rival has branded the vendor's offer to replace all 40 million of its two-factor authentication (2FA) tokens a potential financial and ecological disaster.

RSA chief executive Art Coviello has confirmed that information taken from the EMC-owned vendor in March was used in an attempted broader attack on defence contractor Lockheed Martin.

In an open letter, Coviello said he understood this may reduce some customers' risk tolerance and, as a result, the vendor is expanding RSA's remediation programme.

This includes an offer to replace SecurID tokens "for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks". This could potentially apply to all 40 million of its tokens.

2FA rival SecurEnvoy has estimated the cost of replacing all 40 million tokens at £4bn and the environmental costs at 4.3 million tonnes of CO2.

SecurEnvoy co-founder Andrew Kemshall said: "Our observations suggest that the on-costs of deploying a single SecurID token is around £100 per token – this includes the direct and indirect costs for the organisation concerned."

However, Coviello said customers who follow the best practices RSA published in the aftermath of the March hack can be confident in their security.

He added that the Lockheed attack had reinforced RSA's view that the motive of the March hack was to obtain information that could be used to target defence secrets and related IP, rather than financial gain, PII, or public embarrassment.