Graham Howe wrote:
> The only real solutions we can see are software based.
I disagree strongly. In my experience, software-only solutions that are
any more complicated than a password entry are either snake oil or highly
complicated for end users, as is generally the case with OTPs (in the
case where nothing is printed). Think for a second why passwords enjoy
their wild popularity:
1. They have no learning curve
2. They require no setup on client machines (in other words, a user can
just walk up to any public terminal with a web browser and check his
mail on Hotmail)
Now, taking a software-only scheme past that usually requires the
introduction of client-side keyfiles and the like; this is a solution
which offers absolutely no extra protection in an environment whose
threat model includes attackers' physical access to workstations, and is
simply impossible to implement securely in an environment where there is
no strict one-to-one mapping between users and workstations. From a
brief glance at dualshield.com, it does not appear that the
unfortunately named flagship product addresses these issues (the
product, named DSS and marketed as the "new standard in internet
security" conflicts unpleasantly with DSS specified in FIPS-186, May
1994, an actual standard), but do correct me if I'm wrong.
Cheers,
Ivan.
Received on Jul 03 2004