The SECURID mechanism uses authentication and authorization identity together with a passcode from a hardware token to authenticate users.
In the client, this mechanism is always enabled, and it requires the
GSASL_PASSCODE properties. If set,
GSASL_AUTHZID will also be used. If the server requests it,
the GSASL_PIN property is also required, and its callback may
inspect the GSASL_SUGGESTED_PIN property to discover a
server-provided PIN to use.
In the server, this mechanism will invoke the
GSASL_VALIDATE_SECURID callback. The callback may inspect the
properties. The callback can return
GSASL_SECURID_SERVER_NEED_ADDITIONAL_PASSCODE to ask for
an additional passcode from the client. The callback can return
GSASL_SECURID_SERVER_NEED_NEW_PIN to ask for a new PIN code
from the client, in which case it may also set the
GSASL_SUGGESTED_PIN property to indicate a recommended new PIN.
If the callback is invoked again after having returned
GSASL_SECURID_SERVER_NEED_NEW_PIN, it may also inspect the
GSASL_PIN property, in addition to the other properties, to
find out the client-selected PIN code.
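
The server-side flow described above, modelled as an added example that is not part of the GNU SASL manual or library: it does not link libgsasl, so the enum, `struct props`, `struct account` and `validate_securid` are hypothetical stand-ins for the return codes, the properties and the GSASL_VALIDATE_SECURID callback. The account data, the suggested PIN and the PIN policy are constructed for illustration.

```c
#include <string.h>

/* Stand-ins for the libgsasl return codes named above; values are arbitrary. */
enum rc { SID_OK, SID_AUTH_ERROR, SID_NEED_ADDITIONAL_PASSCODE, SID_NEED_NEW_PIN };

/* Model of the properties the callback reads or sets (NULL = not set). */
struct props { const char *authid, *passcode, *pin, *suggested_pin; };

/* Constructed account record; a real server queries its token backend. */
struct account {
  const char *authid, *code, *next_code;
  int resync;        /* 1: ask for a second code, 2: second code pending */
  int new_pin_mode;  /* PIN must be replaced before login completes */
  char pin[9];
};

/* Compare without an early exit so timing does not reveal a matching prefix. */
static int same(const char *a, const char *b) {
  size_t n = strlen(a), i;
  unsigned char d = (unsigned char)(n != strlen(b));
  for (i = 0; i < n && b[i]; i++) d |= (unsigned char)(a[i] ^ b[i]);
  return d == 0;
}

/* Policy assumed for this example: 4 to 8 decimal digits. */
static int pin_ok(const char *pin) {
  size_t n = strlen(pin);
  return n >= 4 && n <= 8 && strspn(pin, "0123456789") == n;
}

enum rc validate_securid(struct account *a, struct props *p) {
  if (!p->authid || !p->passcode || strcmp(p->authid, a->authid) != 0)
    return SID_AUTH_ERROR;
  if (a->resync == 2) {                /* re-invoked with the additional code */
    if (!same(p->passcode, a->next_code)) return SID_AUTH_ERROR;
    a->resync = 0; a->code = a->next_code;
  } else if (!same(p->passcode, a->code)) {
    return SID_AUTH_ERROR;
  } else if (a->resync == 1) {
    a->resync = 2;
    return SID_NEED_ADDITIONAL_PASSCODE;
  }
  if (a->new_pin_mode) {               /* the passcode is always checked first */
    if (!p->pin || !pin_ok(p->pin)) {  /* first call, or PIN fails policy */
      p->suggested_pin = "4821";       /* constructed; generate randomly in practice */
      return SID_NEED_NEW_PIN;
    }
    strcpy(a->pin, p->pin);            /* fits: pin_ok caps length at 8 */
    a->new_pin_mode = 0;
  }
  return SID_OK;
}
```

The passcode is re-verified on every invocation, so a client cannot set a new PIN without first presenting a valid token code, and a PIN that fails policy causes another SID_NEED_NEW_PIN round instead of being stored.
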
The SCRAM-SHA-1 mechanism is specified in RFC 2808.