Firewall Wizards mailing list archives

Re: Username password VS hardware token plus PIN


From: Kevin <kkadow () gmail com>
Date: Tue, 22 Feb 2005 17:01:55 -0600

On Tue, 22 Feb 2005 11:33:54 -0600, Frank Knobbe <frank () knobbe us> wrote:
> That's why I was never happy with SecurID tokens since the PIN is
> transmitted during logon and thus subject to interception by an
> attacker. I preferred tokens that require the PIN to unlock the token,
> but never transmit the PIN.

RSA doesn't promote it, but their SD520 "PINPAD" product does not
require the PIN to be transmitted during login; instead it follows the
"require the PIN to unlock" model.  If you enter an incorrect PIN, the
passcode displayed looks fine, but will not be accepted by the server.
This is the physical equivalent of the software token running on
Blackberry, PalmOS, Windows, etc., with the advantage of being a
sealed unit.  Other token vendors have similar offerings.


> The token alone should never be enough to let you log in. A physical
> device has the valuable property that it can be stolen easier than
> secured electronic data.  ;)

A physical device requires live physical access to be stolen, and as
Marcus said, it can only exist in one place at any one moment in time --
if you steal my hardware token, I'll eventually notice that I no longer
possess it; that is not true for a password, certificate or other "secured"
electronic data.

Kevin Kadow
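An added example (my code, not Kevin's, Frank's or RSA's) contrasting the two models discussed above: the PIN sent over the wire alongside the tokencode, versus the PIN entered into the token and mixed into the passcode so it never leaves the device. It uses an HMAC-based stand-in for the vendor's proprietary algorithm; the seed, PIN and counter are constructed values.

```python
# Added example: PIN-transmitted vs PIN-unlocks-token login models.
# The passcode function is an HOTP-style stand-in, not RSA's algorithm.
import hashlib
import hmac
import struct

SEED = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed token seed
PIN = "4711"                                                # constructed user PIN


def passcode(seed: bytes, counter: int, pin: str = "") -> str:
    """Six-digit code derived from seed, counter and (optionally) the PIN.

    When the PIN is part of the MAC input, a wrong PIN still produces a
    plausible-looking six-digit code, but one the server will not accept.
    """
    msg = struct.pack(">Q", counter) + pin.encode()
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)


# Model 1: the PIN is typed at the client and sent with the tokencode.
def login_pin_transmitted(counter: int, entered_pin: str) -> tuple[str, bool]:
    wire = entered_pin + passcode(SEED, counter)            # visible to an interceptor
    expected = PIN + passcode(SEED, counter)
    return wire, hmac.compare_digest(wire, expected)


# Model 2: the PIN unlocks the token; only the resulting one-time code is sent.
def login_pin_unlocks_token(counter: int, entered_pin: str) -> tuple[str, bool]:
    wire = passcode(SEED, counter, entered_pin)              # no PIN on the wire
    expected = passcode(SEED, counter, PIN)                  # server knows seed and PIN
    return wire, hmac.compare_digest(wire, expected)


def interceptor_learns_pin(wire: str) -> bool:
    """A passive observer who knows the login format strips the 6-digit
    tokencode from the end; whatever remains is the static PIN."""
    static_part = wire[:-6]
    return static_part == PIN
```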
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

