Firewall Wizards mailing list archives

Re: SecureID vs Certificates


From: "Volker Tanger" <volker.tanger () detewe de>
Date: Tue, 13 Feb 2001 10:21:38 +0100

Tony Miedaner wrote:

Kind of a high-level question on trade-offs between SecureID or
Certificates.  It would seem pretty obvious that SecureID is a better
system BUT for many situations it would seem to me that certificates
would be a reasonable form of two-factor authentication.  Can anyone
provide a good reason why not to use certificates over SecureID? Is it
even reasonable to classify certificates as two-factor? It is
understood that if someone can take control of your computer they may be
able to use the cert.

SecurID is not _as_ secure as people commonly believe:
    http://www.atstake.com/research/reports/initial_securid_analysis.pdf

    http://www.securityfocus.com/archive/1/152525

On Certificates: you do not have to store them on your local computer.
There are a lot of smart cards / safe readers (with keypad to release
the cert with a PIN) on which you can safely store your certificates.
Remove the card, and no one has access to your certificate.

Choose a card/reader system that does not COPY the certificate but that
does ENCRYPTION on the card itself. With this the certificate cannot be
copied. If you only use the cards as simple certificate storage you have
the risk that maybe some program simply copies your certificate. With a
self-encrypting certificate card/reader system you have a safe two-component
solution:  the card (with certificate) you have - and the PIN you know.

This will even enhance your email security as the standard certificate
stores of e.g. Outlook and Netscape are not too heavily guarded...

Bye
    Volker

--

Volker Tanger  <volker.tanger () detewe de>
 Wrangelstr. 100, 10997 Berlin, Germany
    DiSCON GmbH - Internet Solutions
         http://www.discon.de/
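The distinction Volker draws above (a key file that can be copied versus a card that only ever performs the cryptographic operation on-board) is what makes the card plus PIN a real second factor. The following is an added example, not code from the original post or from any card vendor: a constructed simulation of both designs. The "software store" protects the private key under a PIN-derived key (PBKDF2 standing in for the PKCS#12 protection a browser or mail client export uses); the "card" exposes only sign(pin, challenge) and counts wrong PINs. An HMAC stands in for the RSA/ECDSA operation a real card would perform, the retry limit of 3 and the 1000 PBKDF2 iterations are assumptions chosen to keep the demo fast, and the PIN and keys are made up.

```python
"""Constructed example: PIN-protected key file vs. on-card signing.

Both objects hold the same kind of credential. The difference is the
interface an attacker gets to work against:
  * SoftwareKeyStore: a copyable file. Whoever copies it can guess PINs
    offline at full speed, with no lockout, forever.
  * SmartCard: the key never leaves the card; only sign() is exposed and
    wrong PINs are counted until the card blocks itself.
Everything here is a simulation written for this example (not a real
PKCS#12 parser, not a real PKCS#11 token).
"""
import hashlib
import hmac
import os
import secrets
from typing import Iterable, Optional, Tuple

PBKDF2_ITERATIONS = 1_000   # assumption: kept low so the demo runs in seconds
PIN_RETRY_LIMIT = 3         # assumption: a common default on real cards


class SoftwareKeyStore:
    """PIN-protected key file. Exportable, and therefore attackable offline."""

    def __init__(self, private_key: bytes, pin: str):
        self.salt = os.urandom(16)
        # Key check value plays the role of the PKCS#12 MAC: it lets a
        # legitimate user (and an attacker) tell a right PIN from a wrong one.
        self.kcv = hashlib.sha256(private_key).digest()[:4]
        self.blob = self._xor(private_key, self._derive(pin, self.salt))

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, 32)

    @staticmethod
    def _xor(a: bytes, b: bytes) -> bytes:
        # One-time-pad style wrap of a 32-byte key under a 32-byte derived key;
        # a real store uses a block cipher, but that changes nothing about
        # how copyable the file is.
        return bytes(x ^ y for x, y in zip(a, b))

    @classmethod
    def decrypt(cls, salt: bytes, blob: bytes, pin: str) -> bytes:
        return cls._xor(blob, cls._derive(pin, salt))

    def export_file(self) -> Tuple[bytes, bytes, bytes]:
        """What malware gets by copying the store: everything it needs to guess."""
        return self.salt, self.blob, self.kcv

    def unlock(self, pin: str) -> bytes:
        return self.decrypt(self.salt, self.blob, pin)


class CardLocked(Exception):
    """Raised once the PIN retry counter has reached zero."""


class SmartCard:
    """Key generated on-card and never exported. Only sign() is exposed."""

    def __init__(self, pin: str):
        self.__key = secrets.token_bytes(32)   # never leaves the object
        self.__pin = pin
        self.retries_left = PIN_RETRY_LIMIT

    def sign(self, pin: str, challenge: bytes) -> bytes:
        if self.retries_left == 0:
            raise CardLocked("PIN blocked; only the issuer can unblock")
        if not hmac.compare_digest(pin.encode(), self.__pin.encode()):
            self.retries_left -= 1
            raise ValueError("wrong PIN")
        self.retries_left = PIN_RETRY_LIMIT
        # HMAC stands in for the RSA/ECDSA signature a real card computes.
        return hmac.new(self.__key, challenge, hashlib.sha256).digest()


def offline_pin_attack(salt: bytes, blob: bytes, kcv: bytes,
                       candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Attacker holds a copy of the key file: unlimited guesses, no lockout."""
    tried = 0
    for pin in candidates:
        tried += 1
        key = SoftwareKeyStore.decrypt(salt, blob, pin)
        if hashlib.sha256(key).digest()[:4] == kcv:
            return pin, tried
    return None, tried


def online_pin_attack(card: SmartCard, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Attacker holds the stolen card: every guess goes through the card."""
    tried = 0
    for pin in candidates:
        try:
            card.sign(pin, b"probe")
            return pin, tried + 1
        except ValueError:
            tried += 1
        except CardLocked:
            return None, tried
    return None, tried


def demo(true_pin: str = "0815") -> dict:
    """Run both attacks with the same 4-digit PIN dictionary (constructed data)."""
    private_key = secrets.token_bytes(32)
    store = SoftwareKeyStore(private_key, true_pin)
    card = SmartCard(true_pin)
    # Legitimate use works for both designs with the right PIN.
    legit_ok = store.unlock(true_pin) == private_key and len(card.sign(true_pin, b"login")) == 32
    recovered, file_tries = offline_pin_attack(*store.export_file(),
                                               (f"{i:04d}" for i in range(10_000)))
    guessed, card_tries = online_pin_attack(card, (f"{i:04d}" for i in range(10_000)))
    return {"legit_ok": legit_ok, "recovered_pin": recovered, "file_tries": file_tries,
            "card_guess": guessed, "card_tries": card_tries, "card_locked": card.retries_left == 0}


if __name__ == "__main__":
    print(demo())
```

With the copied file the 4-digit PIN falls in under a thousand PBKDF2 runs; with the card the attacker gets three tries and then holds a blocked piece of plastic. That is the "two-component" argument in the post: possession of the card is only worth something because the private key cannot be lifted off it, and the PIN is only worth something because guessing it is rate-limited by the card rather than by the attacker's CPU.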


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
