[fw-wiz] Re: username password vs token pin

From: Mark Boltz (pooh_at_stonegizmo.com)
Date: 02/22/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 22 Feb 2005 12:12:09 -0500 (EST)
    
    

    Mike,

    There are several advantages to token/PIN vs. username/password. In u/p you
    have the problem of people writing passwords down because they cannot remember
    them. As often as the password changes, so does their PostIt wear out, but
    they'll still do it. Of course, if users are educated how to make a good
    password (notice the difference between "how to make" vs. "what is a" good
    password), the problem would be lessened. I try to teach people to use various
    mnemonic forms, such as taking a favorite phrase from a book or movie and using
    the first and/or last characters complete with punctuation and upper/lower case.

    Anyway, although I'm not terribly familiar with USB tokens, I can say from
    long experience with RSA's ACE/Server that it has definite advantages. First,
    the PIN actually can be changed. RSA Secured certified VPN clients should
    support NEW PINCODE, which allows a user to authenticate off your assigned PIN
    to create a PIN of their own for their token.

    Then once you have a PIN assigned to the token, it's the 6 digit token code
    that makes the password. Because this is unique to the token, and is changed
    every minute or so, replay attacks become very unlikely. And to get *that*
    code you need the PIN. So it's a combination of something you know with
    something you have. Whereas u/p is just something you know.

    Since the PIN itself is just a 4 digit code, and if you allow the user
    to set it to something of their own devising (yet cautioning them that it
    cannot be 1234 or 4321, etc.) you have something they won't need to write
    down. But because you have to possess the physical token AND know the PIN and
    the user's ID, it works pretty well.

    And it just needs to work well enough to outrun the other guy, not the bear.

    Mark Boltz
    Sr. Security Consultant
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
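The PIN-plus-token-code scheme the post describes, as an added example that is not part of the original message and is not RSA ACE/Server code. It uses the RFC 6238 (TOTP) HMAC-SHA1 construction as a stand-in for the vendor's proprietary token algorithm, a one-minute window as in the post, and an assumed tolerance of one step either way for clock drift; the seed, user ID, PIN and timestamp are constructed. It shows why the same passcode cannot be replayed, why the PIN alone or the token code alone is not enough, and the kind of PIN policy the post suggests (no 1234/4321-style runs).

```python
"""Token + PIN authentication, in the shape the post describes (added example)."""
from __future__ import annotations

import hashlib
import hmac
import struct
from typing import Optional

WINDOW = 60        # token code rolls over about once a minute, as in the post
DRIFT_STEPS = 1    # assumed: accept the previous/next step to absorb clock skew
DIGITS = 6

# Constructed demo seed; a real token's seed is loaded at provisioning time.
DEMO_SEED = bytes.fromhex("3132333435363738393031323334353637383930")


def token_code(seed: bytes, now: int, step: Optional[int] = None) -> str:
    """6-digit code for the time step containing `now` (RFC 6238-style, stand-in)."""
    if step is None:
        step = now // WINDOW
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def weak_pin(pin: str) -> bool:
    """Reject non-4-digit PINs, ascending/descending runs (1234, 4321) and repeats (1111)."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        return True
    digits = [int(c) for c in pin]
    diffs = {b - a for a, b in zip(digits, digits[1:])}
    return diffs in ({1}, {-1}, {0})


class AceLikeServer:
    """Something you know (user ID + PIN) combined with something you have (token)."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}   # user -> (token seed, PIN hash)
        self._accepted: set[tuple[str, int]] = set()        # (user, step) already consumed

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        if weak_pin(pin):
            raise ValueError("PIN rejected by policy")
        # Demo only: a 4-digit PIN has 10^4 values, so this hash does not protect it
        # offline; possession of the token is what makes the second factor.
        self._users[user] = (seed, hashlib.sha256(pin.encode()).digest())

    def verify(self, user: str, passcode: str, now: int) -> bool:
        """passcode = PIN immediately followed by the current token code."""
        rec = self._users.get(user)
        if rec is None or len(passcode) != 4 + DIGITS or not (passcode.isascii() and passcode.isdigit()):
            return False
        seed, pin_hash = rec
        pin, code = passcode[:4], passcode[4:]
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), pin_hash):
            return False
        step = now // WINDOW
        for s in range(step - DRIFT_STEPS, step + DRIFT_STEPS + 1):
            if (user, s) in self._accepted:
                continue   # this step's code was already used: a replay ends up False
            if hmac.compare_digest(token_code(seed, now, s), code):
                self._accepted.add((user, s))
                return True
        return False


if __name__ == "__main__":
    srv = AceLikeServer()
    srv.enroll("mike", DEMO_SEED, "7391")
    t = 1_109_089_929                       # constructed timestamp
    passcode = "7391" + token_code(DEMO_SEED, t)
    print(srv.verify("mike", passcode, t))        # True: right PIN, live token code
    print(srv.verify("mike", passcode, t + 5))    # False: same passcode replayed
    print(srv.verify("mike", "1234" + token_code(DEMO_SEED, t + WINDOW), t + WINDOW))  # False: wrong PIN
```

Note that the replay check is keyed on the time step, not on the code string, so a captured passcode is dead as soon as it has been accepted once, even within the drift tolerance.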

