Re: Token based OTP: SafeWord or SecurID?

[Ryan Russell <ryan () securityfocus com>]

On Sat, 9 Dec 2000, Michael H. Warfield wrote:

> file" (the Network Administrator here is throughly PISSED that I, of all
> people, have the ability to use SecureID without one of his precious
> dongles and has not given me a key file, yet.)

>       BTW...  We have had abysmal luck with the SecureID keyfobs.  I've
> never even used mine and I looked at it one day and the LCD was gibberish.

I used to administer a decent sized userbase of a Safeword tokens.  If one
of them went nuts (about 1 in 100) we'd give them a new one.

> I asked said Admin if I needed to stroke the tomaguci more often to keep
> it happy.  He failed to see the humor.  That's WHY I want the key file to
> activate my SecureID calculator on my Palm Pilot.  That's also WHY he's
> so pissy about it.  He hates to feel like he had to give in because the
> damn things are unreliable.

I wouldn't allow my users to use soft tokens either.  That's because on a
general computing platform like the Palm, it's much, much easier to steal
the key without you knowing about it.  With the hardware tokens, the
attacker has to get it away from you long enough to crack the case, and
attach leads to the right pins, etc... If you left your Palm alone long
enough (and hadn't taken appropriate measures to precent this) then it
would only take me <60 seconds to "dock" it, or beam the keyfile to my
Palm.

                                        Ryan


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards