Educause Security Discussion mailing list archives
Re: password vs pass-phrase
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 19 Mar 2010 20:54:07 +1300
On 19/03/2010, at 1:51 PM, Eric Case wrote:
Why not some of the smart phone stuff like the VeriSign's VIP for Mobile <http://www.verisign.com/authentication/two-factor-authentication/vip-access -for-mobile>? No reader to buy, no card to purchase.
Based on SMS? SMS is a store and forward best effort technology. We are looking at that some some folk with low volume occasional use requirements. I don't know how reliable SMS is in the US but here it is variable -- 99% of the time it works great but the other 1% it can takes minutes to hours for messages to get delivered. Our Radius server support SMS based Auth and we are looking at this as a backup for our other authentication systems. We use RSA keys and admins doing patching regularly need to log into a whole bunch of machines at once -- the one minute delay between logins is really painful -- I can't imagine SMS based system being any different. That's one of the attractions of YubiKey which is an OTP and not time based. You can keep on pressing the button and getting OPTs as fast as you like. Russell
Current thread:
- Re: password vs pass-phrase Ken Connelly (Mar 18)
- <Possible follow-ups>
- Re: password vs pass-phrase Joel Rosenblatt (Mar 18)
- Re: password vs pass-phrase Eric Case (Mar 18)
- Re: password vs pass-phrase Russell Fulton (Mar 18)
- Re: password vs pass-phrase Eric Case (Mar 18)
- Re: password vs pass-phrase Joel Rosenblatt (Mar 18)
- Re: password vs pass-phrase Russell Fulton (Mar 19)
- Re: password vs pass-phrase Eric Case (Mar 19)
- Re: password vs pass-phrase Flynn, Gerald (Mar 19)
- Re: password vs pass-phrase Allison Dolan (Mar 23)
- Re: password vs pass-phrase Russell Fulton (Mar 27)