[fw-wiz] Username password VS hardware token plus PIN

MHawkins_at_TULLIB.COM
Date: 02/22/05

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] Username password VS hardware token plus PIN"
    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 22 Feb 2005 10:08:42 -0500
    
    

    Hi people,

    Here's something I've been wondering for some time now.

    What is the value of hardware token with burned in PIN as compared to
    username password (when the password policy is forced strong)?

    We enforce strong password policy in our organization. So when a user logs
    into the VPN, I am reasonably confident of the validity of the
    authentication mechanism. The only problem is if a user writes down their
    password and keeps it with the laptop or PC. Even then, I am confident that
    XX days later, the password will be different to what they wrote down (ok
    they will just write the new one down).

    I fail to see the benefit of using hardware tokens that rely on a one time
    set PIN number (which seems to be all of them). The one time PIN burned into
    most USB tokens is almost guaranteed to be written down by dumb users
    (unfortunately of which there are many) and so the end result is that the
    USB token, the PIN and the laptop are all in a nice handy easy to steal
    location.

    I have searched long and hard for a token that can use a username password
    combination along with the PIN but to no avail.

    Why are so many organizations intent on using hardware/software tokens? What
    am I missing here?

    What solutions are out there that do not use a PIN but use some
    username/password combination along with the hardware/software token?

    Mike Hawkins

    ----------------------------------------------------------------------------
    ----------------------------------------------------------------------------
    -------------------------
    The information contained in this email is confidential and may also contain
    privileged information. Sender does not waive confidentiality or legal
    privilege. If you are not the intended recipient please notify the sender
    immediately; you should not retain this message or disclose its content to
    anyone.
    Internet communications are not secure or error free and the sender does not
    accept any liability for the content of the email. Although emails are
    routinely screened for viruses, the sender does not accept responsibility
    for any damage caused. Replies to this email may be monitored.
    For more information about the Collins Stewart Tullett group of companies
    please visit the following web site: www.cstplc.com
    ----------------------------------------------------------------------------
    ----------------------------------------------------------------------------
    --------------------------

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Marcus J. Ranum: "Re: [fw-wiz] Username password VS hardware token plus PIN"