Firewall Wizards mailing list archives
Re: Username password VS hardware token plus PIN
From: Kevin <kkadow () gmail com>
Date: Tue, 22 Feb 2005 17:01:55 -0600
On Tue, 22 Feb 2005 11:33:54 -0600, Frank Knobbe <frank () knobbe us> wrote:
> That's why I was never happy with SecurID tokens since the PIN is transmitted during logon and thus subject to interception by an attacker. I preferred tokens that require the PIN to unlock the token, but never transmit the PIN.
RSA doesn't promote it, but their SD520 "PINPAD" product does not require the PIN to be transmitted during login, and instead follows the "require the PIN to unlock" model. If you enter an incorrect PIN, the passcode displayed looks fine, but will not be accepted by the server. This is the physical equivalent of the software token running on Blackberry, PalmOS, Windows, etc., with the advantage of being a sealed unit. Other token vendors have similar offerings.
> The token alone should never be enough to let you log in. A physical device has the valuable property that it can be stolen more easily than secured electronic data. ;)
A physical device requires live physical access to be stolen, and as Marcus said, it can only exist in one place at any one moment in time -- if you steal my hardware token, I'll eventually notice that I no longer possess it, not true for a password or certificate or other "secured" electronic data.

Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
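
An added illustration, not part of the original post and not RSA's proprietary algorithm: an assumed HMAC-based time token that follows the "PIN unlocks the token" model described above, so a wrong PIN still yields a well-formed passcode that the server rejects and the PIN never crosses the wire. The seed, PIN, timestamp, step size and all function names are constructed for the example.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds per passcode interval (assumed value)
DIGITS = 6     # displayed passcode length (assumed value)

# Constructed sample values, not taken from any real token.
SEED = bytes(range(16))
PIN = "4821"
NOW = 1109113315


def _truncate(mac: bytes) -> str:
    """RFC 4226-style dynamic truncation to a fixed number of decimal digits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def pinpad_passcode(seed: bytes, pin: str, now: int) -> str:
    """Token side: the PIN is keyed in on the device and mixed into the MAC.

    The device cannot tell a right PIN from a wrong one; it always shows
    a plausible passcode, and only the server can reject it.
    """
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(seed, counter + pin.encode(), hashlib.sha1).digest()
    return _truncate(mac)


def server_verify(seed: bytes, enrolled_pin: str, passcode: str, now: int) -> bool:
    """Server side: recompute with the enrolled PIN, allowing one step of drift."""
    for drift in (-1, 0, 1):
        expected = pinpad_passcode(seed, enrolled_pin, now + drift * STEP)
        if hmac.compare_digest(expected, passcode):
            return True
    return False


def transmitted_pin_login(pin: str, tokencode: str) -> str:
    """Contrast: the model where the PIN itself is sent along with the tokencode."""
    return pin + tokencode


if __name__ == "__main__":
    wrong = pinpad_passcode(SEED, "0000", NOW)
    print("wrong-PIN passcode:", wrong, "accepted:", server_verify(SEED, PIN, wrong, NOW))
```

In the PINPAD-style flow only the derived passcode is sent, so an interceptor sees a value that expires with the time step, whereas the string built by `transmitted_pin_login` carries the reusable PIN itself.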