
RSA SecurID

Founded 1986 · Bedford, MA, USA · Private (Symphony Technology Group) · Score 3.9/5 · Evaluated 2026-06-19

Capability scores

Authentication: 4.5
SSO & Federation: 3.5
Authorization: 3.0
Lifecycle & Provisioning: 3.5
MFA & Passwordless: 3.0
Governance & Audit: 4.0
Developer Experience: 3.0
Deployment Flexibility: 4.0
Pricing Transparency: 2.5
Support & Ecosystem: 4.0

Scored 0–5 against a published rubric. Independent analysis, no vendor sponsorship.

Overview

RSA SecurID is the original hardware-token MFA, dating to the 1980s, and the hard token with its rotating code is still an icon of two-factor authentication. RSA is now owned by Symphony Technology Group and sells SecurID as a broader access-management suite spanning hardware and software OTP, mobile push, and risk-based authentication. It remains deeply entrenched in government, defense, and banking, where long procurement cycles and on-premises requirements keep legacy deployments running.

What it is good at

Reliability, maturity, and trust in regulated environments are the strengths. The platform has decades of hardening, deep on-premises and air-gapped deployment options, strong compliance and audit posture, and integrations with the legacy enterprise applications and VPNs that newer vendors often ignore. For organizations that must run authentication inside their own data centers, it is a known, supportable quantity.

Where it falls short

The heritage is also the weakness. Time-based codes are a shared-secret scheme and are phishable; hardware tokens are costly to distribute, replace, and manage. The modern best practice is to migrate from OTP toward FIDO2/passkey authenticators. Developer experience and self-service UX trail the modern specialists, and pricing is quote-based and enterprise-weighted.

Pricing

Quote-based enterprise licensing, with hardware token costs on top of per-user subscription. Model token replacement and seat costs with the TCO calculator.

Best for, and who should look elsewhere

Choose it for federal, defense, and banking environments still standardized on hard tokens or requiring on-premises authentication. Organizations building modern, phishing-resistant access should look at Yubico hardware keys, HYPR for workforce passwordless, or Duo for managed cloud MFA. See the MFA directory and the how-to-choose guide.

Bottom line

The legacy standard for token-based MFA in regulated, on-premises environments. Plan a migration path to phishing-resistant authenticators.

By SWI Community Team · Last evaluated 2026-06-19

Independent, community-driven analysis. No vendor sponsorship. Compiled from public research and community input and verified on a best-effort basis, so details may be incomplete or out of date. Scores are opinions, not advice. Trademarks belong to their owners; mention does not imply affiliation or endorsement. See the full disclaimer, or send corrections to [email protected].