WebApp Sec mailing list archives
Token authentication with web applications
From: Ivan Krstic <krstic () fas harvard edu>
Date: Thu, 01 Jul 2004 23:48:22 +0100
All,

I'm looking for people's experiences with cheap, uncomplicated token devices or other physical means of authentication that play nicely with more traditional authentication methods in web applications.
The cheapest solutions that came to mind are printing credit-card sized s/key cards, or burning mini-CDs with a key and an auth agent for users. Obviously, both methods are flawed (s/key cards can be copied down if left exposed, and that's assuming they're not taped to the monitor, while a stolen CD can be copied and replaced without evidence of tampering[1]), but would still raise the security bar at essentially no cost. More extensive authentication solutions are usually rather expensive.
Thoughts?

Cheers,
Ivan.

[1] The s/key printed cards at least address this insofar as the user, presuming he can be bothered with remembering which of the 100 s/keys he used last, can notice that an intruder gained access to the system.