Firewall Wizards
mailing list archives
RE: Username password VS hardware token plus PIN
From: "Ben Nagy" <ben () iagu net>
Date: Tue, 22 Feb 2005 17:59:15 +0100
If you're assuming that your users will always write down passwords then the
token is perhaps superior because the token will often be on a keyring and
not stolen at the same time as the laptop.
Mainly, though, the token protects against offline password brute-forcing -
I know you say you use strong passwords so perhaps the threat is low here.
Other organisations may not be so trusting. The attacker has ~1 minute with
a token versus PasswordLife with your system.
There are other advantages for a very few people, like duress codes etc. Not
all that relevant.
Finally, my RSA token allows me to select my own "secret number" instead of
using the burned in PIN. That gets sent along with the token data each
login, and can be changed. YMMV, I don't sell RSA stuff. ;)
Perhaps a facile treatment, but I'm late...
Cheers,
ben
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf
Of MHawkins () TULLIB COM
Sent: Tuesday, February 22, 2005 4:09 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Username password VS hardware token plus PIN
Hi people,
Here's something I've been wondering for some time now.
What is the value of hardware token with burned in PIN as compared to
username password (when the password policy is forced strong)?
We enforce strong password policy in our organization. So when a user logs
into the VPN, I am reasonably confident of the validity of the
authentication mechanism. The only problem is if a user writes down their
password and keeps it with the laptop or PC. Even then, I am confident that
XX days later, the password will be different to what they wrote down (ok
they will just write the new one down).

I fail to see the benefit of using hardware tokens that rely on a one time
set PIN number (which seems to be all of them). The one time PIN burned into
most USB tokens is almost guaranteed to be written down by dumb users
(unfortunately of which there are many) and so the end result is that the
USB token, the PIN and the laptop are all in a nice handy easy to steal
location.

I have searched long and hard for a token that can use a username password
combination along with the PIN but to no avail.

Why are so many organizations intent on using hardware/software tokens? What
am I missing here?

What solutions are out there that do not use a PIN but use some
username/password combination along with the hardware/software token?
Mike Hawkins
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
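The two points argued in this exchange, Ben's "the attacker has ~1 minute with a token" and Mike's wish to combine a PIN or password with the token code, can be made concrete with a small server-side verifier. The following is an added illustration written for this archive page; it is not code from either poster or from any RSA product. It implements the standard HOTP/TOTP construction (RFC 4226 / RFC 6238, HMAC-SHA1 with dynamic truncation) with a 60-second step to model a one-minute code window, and requires a user-chosen PIN in front of the token code. The user name, PIN, token seed and timestamps are constructed values.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo parameters (not from the page). A real token has a per-device seed.
TOKEN_SECRET = b"constructed-demo-seed-0123456789"
TIME_STEP = 60      # seconds per code: models the roughly one-minute window Ben mentions
DIGITS = 6
PIN_SALT = b"constructed-salt"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step containing `at`."""
    return hotp(secret, int(at // step))


def pin_hash(pin: str) -> bytes:
    """Slow hash for the 'something you know' factor so a stolen user table does not leak PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)


# Constructed user record: PIN (or password) hash, token seed, and the last accepted time step.
USERS = {
    "mike": {
        "pin_hash": pin_hash("4711"),
        "token_secret": TOKEN_SECRET,
        "last_counter": -1,   # highest step already used; blocks replay inside the window
    }
}


def verify(username: str, passcode: str, at: float, step: int = TIME_STEP) -> bool:
    """Check PIN + token code submitted at time `at`; reject wrong PIN, stale code, or replay."""
    user = USERS.get(username)
    if user is None or len(passcode) <= DIGITS:
        return False
    pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
    if not hmac.compare_digest(pin_hash(pin), user["pin_hash"]):
        return False
    counter = int(at // step)
    # Only the current step is accepted here; production servers usually allow +/-1 for clock skew.
    if counter <= user["last_counter"]:
        return False            # same window already consumed: a replayed capture fails
    if not hmac.compare_digest(hotp(user["token_secret"], counter), code):
        return False            # code from another window (e.g. one written down) fails
    user["last_counter"] = counter
    return True


if __name__ == "__main__":
    now = time.time()
    passcode = "4711" + totp(TOKEN_SECRET, now)
    print("first use:", verify("mike", passcode, now))           # True
    print("replay:   ", verify("mike", passcode, now))           # False
    print("2 min late:", verify("mike", passcode, now + 120))    # False
```

The replay counter is what turns a captured passcode into a one-shot credential, and the PIN check is what makes a stolen token alone insufficient; together they are the difference between "PasswordLife" and "~1 minute" that the reply describes.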