Yes, it is. It uses synchronization to protect the integrity of its state.
It might be possible for a provider to override the relevant methods without synchronization, but there is a lot of code out there relying on the de facto contract of thread-safe
SecureRandom, so this would likely be reported as a bug.
If many threads are using a single
SecureRandom, there might be contention that hurts performance. On the other hand, initializing a
SecureRandom instance can be relatively slow. Whether it is best to share a global RNG, or to create a new one for each thread will depend on your application.
Update: Java 7 makes an explicit guarantee of thread-safety for
Random instances. However, it also points out that contention for a single
Random instance in a multi-threaded application may impair performance, and introduces the
ThreadLocalRandom class as a solution.