Back in 2000 or so, it seemed a status symbol of how many RSA tokens you had on your keychain. The more you had, the more important systems you had access to.
Don't forget that PayPal's original idea was a Palm Pilot app that replaced all those pesky hardware tokens.
Ha, cool. How many tokens did you ever see at once? :D
Presumably PayPal were intending to do an app + hardware module - or was this essentially "LeT's MaNaGe RSA KeYs UsInG NoN MeMoRy PrOtEcTeD CoMmOdItY HaRdWaRe RuNnInG a NoN SaNdBoXeD KeRnEl"?
Yeah, physical tokens from RSA (I think). We even rigged up CVSD so you couldn't push code without the RSA token for each push. (Not actually sure anymore that CVS commit to remote was called push.)
I had a family member working for an AOL call center around that time, the physical token they had was from RSA. At least at the time, it was required for nearly anything, including logging into the customer desktop application.
All I remember is having to look at each file and figuring out if the diff between 1.13.0.4 and 1.13.0.5 should be applied to 1.16, and then for the next file it was 1.15.1.2 and 1.15.1.4, and so on for each file. That was after AOL had slowed down to the point where you didn't just release each change but batched them up into releases called QARs (QA Requests, where you documented all the changes and stuff to test etc.). So earlier, merging from released point fixes back to the latest version wasn't common and CVS wasn't good at it. Later it was more common, and what now is a two minute `git pull --rebase` was a half day.
Also by then, the super genius software folks started getting replaced by MBAs who would rather developers be idle than work on stuff that wasn’t prioritized.
Two factor auth (password + RSA token) was used for vpn/ssh from home and to access high security stuff (which I never got access to) at Yahoo when I joined in 2004. If AOL was having trouble with security, requiring it for admin tools would have been reasonable and feasible in 2005.
The tokens are not intended to be serviceable. Even if you replaced the battery, you couldn't set the time, so I don't think you could sync your token and your verifier.
And I don't know if these things had protections against being opened anyway.
Earlier than that (at least as far back as 2003, my memory is hazy but it might have been 2001) I was using RSA based tokens for TFA to access on-prem systems at a couple of our clients for product support purposes. At least one of those was significantly smaller than AOL would have been in 2005. So the tech was readily available and had been for some time, AOL had the resources to scale it out to their key infrastructure, and after a significant hack I can believe that even in those relatively naive days there would have been plenty enough management impetus to Make It Happen.
my bank used 2FA (auth codes or so called "transaction codes" sent in physical mail to approve transactions) in the late 90s early 2000s. so 2fa isn't some new invention, funny how it took basically 2.5 decades until it became quite mainstream... now that i think of it, it's actually quite concerning that 2fa didn't have widespread adoption earlier - as soon as smart phones became common.
they had 2fa before most orgs and even launched a beta for the public called "AOL PASSCODE". aim had 2fa i remember host guide something with the password "pepper" had it in 2002.
was common in some parts of finance also, as i recall this pre-2008. folks had pager-looking things that flashed OTPs. i think bloomberg terminals were partially responsible for driving the use of 2fa.
I do remember that. Little key fobs with one time codes. But that's still 3 years later. But apparently according to some of these comments large tech places were using 2FA in 2000 and as early as '98 or '99 which still surprises me, not really having seen it become ubiquitous until recently, and really only around things for banking and purchasing.