40 million RSA token replacements will, literally, cost the earth

News that RSA, the security division of EMC, has announced plans to replace all 40 million of the SecurID tokens issued to its clients – following the recent cyberattack against Lockheed Martin – has been called a disaster in financial and ecological terms.

The deployment costs for RSA’s clients will be around four billion pounds, whilst the environmental cost will work out at around 4.3 million tonnes of CO2. Observations suggest that the on-cost of deploying a single SecurID token is around £100.00 per token – this includes the direct and indirect costs for the organisation concerned.

And then there are the environmental costs, which our Web site calculates at 4.3 million tonnes of CO2 – the equivalent of flying around the world 500,000 times in terms of the effect on the environment. To put that in perspective, this is the equivalent of chopping down 240 million trees.

Given the financial and ecological implications of the RSA SecurID rollout – which are quite breathtaking – you actually have to question whether the SecurID deployment is really necessary.

If it is necessary, then I recommend that businesses should start seriously thinking about switching to a tokenless authentication system – especially given the rising number of corporate hacks in recent months, which indicates that enhanced security should now be a watchword.

Research at the Infosecurity Europe show in April of this year revealed that 38 per cent of RSA token users were looking for a replacement. If anything, this SecurID reissue saga will reinforce the view amongst Infosecurity Europe attendees that more than a third of users are desperate for change.

Against the backdrop of this survey, I wonder how many users of two-factor authentication will now be questioning the wisdom of using a hardware-based token system, when the benefits of using a software token – which include significantly lower on-costs and faster deployments – are now becoming apparent.

And this is before we even begin to calculate the costs – as mandated under the EU’s WEEE directive – of securely disposing of the old tokens, which have a number of less-than-eco-friendly components built into them.

Andrew Kemshall is co-founder of SecurEnvoy. Before setting up SecurEnvoy, which specialises in tokenless two-factor authentication, Andrew worked for RSA as one of their original technical experts in Europe, clocking up over 15 years’ experience in user authentication. His particular specialty is two-factor authentication in the fields of architecture, design and development of next generation authentication software.