SecurID and garage door openers

Greg Rose ggr at
Tue Oct 18 12:24:17 EDT 2005

At 03:25 2005-10-18 -0500, Travis H. wrote:
>Speaking of two-factor authentication, can anyone explain how servers
>validate the code from a SecurID token in the presence of clockskew?
>Does it look backwards and forwards in time a few minutes?

Yes, at registration time the server checks that the clock skew is 
reasonable (IIRC, within 100 minutes either way). From then on it 
knows and remembers the approximate clock skew.

>Similarly, how do those garage door openers with "rolling codes" work,
>given that the user may have pressed the button many times
>accidentally while out of range of the receiver?

Ahh, one of the dirty little secrets. If the base receives two 
sequential outputs from a registered token, even if they are a long 
way away from the currently expected output, it will resynchronize to 
that. The replay protection just means that the attacker needs to 
record two sequential accesses, not a single one. When all is working 
as expected, this means the attacker must target you and hang around 
for a day, or do a lunchtime attack on your zapper.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list