How RSA Security Token Quality Compares to Vasco
A test-by-test comparison of the RSA SecurID® SID700 token to the Vasco Digipass®Go 3 token
Durability is defined as the capability of withstanding wear and tear and theability to perform or compete over a long period. When putting a technologydevice into the hands of end users, IT departments and line-of-businessmanagers need to have confidence that the device will perform regardless ofthe rigors of the end user environment. Hardware failure decreases workerproductivity and increases help desk costs, as well as creating greater end userfrustration. Durability and reliability are non-negotiable requirements in thedeployment of any hardware device.Recently, In order to assess the durability and reliability of two leadinghardware token types, RSA Security employed an accredited, independentthird-party testing firm, National Technical Systems, to compare the RSASecurID®SID700 token to the Vasco Digipass®Go 3 token across a set of eighttests. This paper discusses the tests and their results.
I. INTRODUCTIONWhen an organization makes a decision to implement aone-time-password solution using hardware tokens, theywant to be sure the solution meets the highest standards.Above all else they want to avoid the problems associatedwith poor token quality. Tokens that fail while in the handsof end users generate needless expense, a decrease insecurity and a loss of confidence in the solution.For years RSA Security has been committed to the highestlevel of quality in their tokens. RSA Security routinelyconducts a series of quality tests on its tokens. The tests aredesigned to simulate the extreme conditions to which atoken may be subjected over its lifetime.RSA Security has been able to directly correlate that tokenspassing these tests will meet the requirements of the fieldfor five years or even longer. A detailed description of thetests can be found on the RSA Security website in the paperEnsuring Token Reliability Across the Enterprise.http://www.rsasecurity.com/products/securid/whitepapers/SIDREL_WP_0505.pdfNational Technical Systems conducted eight separatecomparison tests on the RSA SecurID token and the Go 3tokens including: temperature cycling, high humiditytolerance, vibration, shock, immersion check, run-overcheck, electrostatic discharge and tumbling. Each test wasdesigned to simulate real world conditions. This paperoutlines the results of the comparison tests.Of the eight tests conducted, RSA Security passed all eighttests while Vasco failed to meet the standard in six separateinstances.
II. TESTS AND RESULTS1. Random VibrationThe Random Vibration Test is designed to simulate thevibration a token could be subjected to while beingtransported or shipped. The test consists of placing thetokens into an electromagnet shaking device andsubjecting them to an acceleration of 15 Grms with afrequency of 10-2000 Hz with a duration of one hour pereach of three axis (X, Y & Z). Ten tokens of each brand weretested. EQUIPMENTT1000A Electromagnetic ShakerTEST STANDARDA failure rate of less than 1% deemed acceptableRESULTSRSA SecurID token: all passedVasco token: 4 Failures (40% of the units rendered inoperable)
2. Mechanical ShockThis test is designed to determine if a token could survivedrops from high places as well as unexpected jolts. Shocktesting is used to verify that the device can survive asudden impact. The test consists of placing the tokens in ashock fragility tester and placing the units under a stress of3500 Gs with a pulse time of 0.5ms on all 3 axis of the unit.Two units of each token type were used in this test.TEST STANDARDNo failures RESULTSRSA SecurID token: all passedVasco token: 1 Failure (50%—the digital display cracked)3. ImmersionThe immersion test is designed to see how a token willreact when it has been submerged in water for a period oftime. A token can be exposed to water when it isinadvertently sent through a wash cycle or when droppedinto a pool or sink. In this test tokens were placed 1 meterbelow the surface of a tank of water for two hours andchecked periodically. Two tokens of each manufacturerwere used in this test.TEST STANDARDNo failuresRESULTSRSA SecurID token: all passedVasco token: 100% Failure (Note: the Go 3 displays filledwith water and failed within 5 minutes.)
4. Run-OverTokens are often dropped and are susceptible to beingstepped on or even run over by a vehicle. The run-overcheck is designed to test ruggedness when such an incidentoccurs. In this test the RSA SecurID tokens and the DigipassGo 3 tokens were run over one time with the driver’s siderear tire of a Dodge Durango XLT. Two tokens of each typewere used in this test. TEST STANDARDNo failuresRESULTSRSA SecurID token: all passedVasco token: all failed (both Go 3 tokens had cracked LCDsand were missing display digits)5. Temperature CyclingTokens are often subjected to extreme temperaturechanges. A token could be left in an enclosed automobilein the desert heat or overnight in the middle of a coldwinter. Temperature changes in the cargo hold of anairplane during assent or descent could also test the limitsof any device. To simulate these conditions the testincluded placing tokens into a temperature chamber at -0°Cto 70°C for 25 cycles with each cycle taking 2 hours and 1.5hours for ramp time. Thirty of each type token were usedin this test.TEST STANDARDNo FailuresRESULTSRSA SecurID token: all passedVasco token: failed (1 failure – speckling of digit in the display)
6. TumblingKey fob tokens are designed to be attached to a key ringwhich is frequently carried in a pocket or purse. This testsimulates the token’s environment inside a pocket. Tokensare placed in a tumbling drum along with twenty blankkeys and five quarters, five dimes, five nickels and fivepennies and turned at 20 RPMs for 60 minutes. Two tokensof each type were subjected to this test.TEST STANDARDNo FailuresRESULTSRSA SecurID token: all passedVasco token: all passed7. High HumidityHigh humidity testing is designed to simulate use of thetoken in places where there are typically humid conditions(e.g., Florida, Hawaii, Asia Pacific). Even if the users are notbased in such a location, they often travel and the tokenmust be able to withstand such conditions. This testincludes subjecting the tokens to 95% relative humiditywith 35°C for 96 hours. Ten tokens of each type were used.TEST STANDARDNo FailuresRESULTSRSA SecurID token: all passedVasco token: all passed
8. Electrostatic DischargeIn dry climates, especially during winter months, tokens areoften subjected to electrostatic discharge. This can occurwhen exiting a car or simply by walking across a carpet andthen touching a metal surface. The test is designed tomeasure a token’s resistance to the resulting shock when“zapped” by a gun designed to deliver +/-20 kV discharges.As this is a relatively common occurrence, fifty units of eachmanufacturer’s tokens were tested.TEST STANDARDLess than 1% failureRESULTSRSA SecurID token: all passedVasco token: 14 Failed (28% – Note: 13 Vasco units displayed all zeros following the test and one would not turn on at all.)SUMMARYThe Vasco tokens failed to meet the defined standard in sixof eight (75%) of the cases while every RSA SecurID tokenpassed every test.While it is nearly impossible to predict the environmenttokens will be subjected to, it is almost certain they will beexposed to adverse conditions at some time over their lifecycle. A durable, reliable token solution from RSA Securitysaves time, aggravation and money