Firewall Wizards
mailing list archives
Re: Username password VS hardware token plus PIN
From: Andras Kis-Szabo <kisza () securityaudit hu>
Date: Wed, 23 Feb 2005 12:49:55 +0100
Hi,
> That's why I was never happy with SecurID tokens since the PIN is
> transmitted during logon and thus subject to interception by an
> attacker. I preferred tokens that require the PIN to unlock the token,
> but never transmit the PIN.
If you use a PIN-pad and the agent is in Communication server mode, your
PIN code is never used in simple form on the network.
You have to add your PIN to the tokencode in a special way. The PIN-pad
does it for you. You have to enter the PIN and push the button ...
In this case the PIN must be a numerical value. :(
There are also SecurID tokens for mobile phones (in SMS, in native or in
J2ME). The SMS is insecure, you might be able to steal the seeds from
the native, ...
Kevin:
The 'new PIN mode' could be a risk, but there are several other ways to
change your PIN. You should try the web portal (with the NEXUS style).
There is a nice knowledge-based authentication method.
Regards,
kisza
--
Andras Kis-Szabo Security Development, Design and Audit
-------------------------/ Zorp, NetFilter and IPv6
kisza () SecurityAudit hu /------------------------------------------->
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards