RE: Two Factor authentication and changing passwords

["Nick Owen" <nickowen () mindspring com>]

If they are using the OTP and PIN, why are they using passwords at all? Or
are they using SecurID for remote access and therefore feel they don't need
to change their LAN passwords?  If the latter, I can see why they are saying
that - passwords are a pain.  Can they segment critical sections of the lan
or applications off as remote access, requiring 2FA?

If they are using passwords with the PIN and OTP for remote access, I say
drop the passwords altogether.  They are more likely to get sniffed on
wireless connection, etc.  

HTH,

Nick
> -----Original Message-----
> From: Brian Johnson [mailto:brian.l.johnson () gmail com] 
> Sent: Wednesday, January 04, 2006 11:57 AM
> To: security-basics () securityfocus com
> Subject: Two Factor authentication and changing passwords
>
> I was wondering if anyone could point me towards some 
> recommendations for how often passwords should be changed if 
> two-factor authentication is used.
>
> I am working with a client who thinks that using SecurID 
> tokens means they should never have to change their passwords 
> but I am not comfortable with this.
--
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor.
Now open source: http://sourceforge.net/projects/wikid-twofactor/


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------