Educause Security Discussion mailing list archives
Re: Laptop Encryption
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 17 Feb 2009 23:16:18 -0500
On Tue, 17 Feb 2009 19:06:05 CST, Timothy Payne said:
Can anyone share with the list their experiences with enterprise level encryption products? I'm most interested in products that use some sort of 2-factor authentication...ie, a USB key required to boot and a password, or password/checksum combo. How do you deal with the inevitable user who loses their token or forgets their password?
Also consider the case of a stolen laptop - what are the chances the USB key is in the laptop bag? At that point, it's not 2-factor any more. And then you need to ask yourself - 'What threat model does that second factor actually protect me against?'. Remember that *most* 2-factor auth is intended to protect you against "keystroke logger sniffs password, attacker comes in over Internet from 9 time zones away" (because then they have "something they know", but can't supply "something they have" or "something they are" *because* they're 9 time zones away...).
Attachment:
_bin
Description:
Current thread:
- Laptop Encryption Timothy Payne (Feb 17)
- <Possible follow-ups>
- Re: Laptop Encryption Gary Dobbins (Feb 17)
- Re: Laptop Encryption Valdis Kletnieks (Feb 17)
- Re: Laptop Encryption Wes Young (Feb 18)
- Re: Laptop Encryption James Farr '05' (Feb 18)
- Re: Laptop Encryption Gary Flynn (Feb 18)
- Re: Laptop Encryption Zach Jansen (Feb 18)
- Re: Laptop Encryption Gregg, Christopher S. (Feb 18)
- Re: Laptop Encryption Warner, David F (Feb 18)
- Re: Laptop Encryption Basgen, Brian (Feb 18)