RE: [fw-wiz] Username password VS hardware token plus PIN

From: Mark Gumennik (mgumennik_at_mitre.org)
Date: 02/22/05

    To: <MHawkins@TULLIB.COM>, <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 22 Feb 2005 12:15:40 -0500
    
    

    Mike,
    I think the best you can get is SecurID/ACE (used to be AXENT, now RSA?)
    (Also quite expensive :-)

    http://www.securehq.com/vendors.wml&vendorid=31&adv=GG

    It's a classic combination of "what you have" and "what you know". As far as
    I remember it was hacked only once, 6-7 years ago; not by breaking the ID but
    by putting a server into a "wait" mode.

    Mark

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of
    MHawkins@TULLIB.COM
    Sent: Tuesday, February 22, 2005 10:09 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Username password VS hardware token plus PIN

    Hi people,

    Here's something I've been wondering for some time now.

    What is the value of a hardware token with a burned-in PIN as compared to
    username/password (when the password policy is forced strong)?

    We enforce strong password policy in our organization. So when a user logs
    into the VPN, I am reasonably confident of the validity of the
    authentication mechanism. The only problem is if a user writes down their
    password and keeps it with the laptop or PC. Even then, I am confident that
    XX days later, the password will be different to what they wrote down (ok
    they will just write the new one down).

    I fail to see the benefit of using hardware tokens that rely on a one-time
    set PIN (which seems to be all of them). The one-time PIN burned into
    most USB tokens is almost guaranteed to be written down by dumb users
    (unfortunately of which there are many) and so the end result is that the
    USB token, the PIN and the laptop are all in a nice handy easy to steal
    location.

    I have searched long and hard for a token that can use a username password
    combination along with the PIN but to no avail.

    Why are so many organizations intent on using hardware/software tokens? What
    am I missing here?

    What solutions are out there that do not use a PIN but use some
    username/password combination along with the hardware/software token?

    Mike Hawkins


    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

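As an added illustration (not code from this thread, and not RSA's algorithm), a simplified model of the "what you have" plus "what you know" check Mark's reply describes: the server holds a per-token seed and a salted PIN hash, the user types PIN followed by a time-based tokencode, and a code is accepted only within a short window and only once. This shows why a PIN written on the laptop is not enough on its own and why an observed passcode expires; the 60-second step, HMAC-based code derivation and all names are assumptions.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60    # assumed interval at which the token display changes
CODE_DIGITS = 6
SKEW_STEPS = 1       # accept one step either side for clock drift

def token_code(seed: bytes, now: int) -> str:
    """Code the token holding `seed` would show at epoch time `now` (HOTP-style truncation)."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)

def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Verifier:
    """Server side: per user, a token seed, a salted PIN hash and the last step accepted."""
    def __init__(self):
        self.users = {}

    def enrol(self, user: str, seed: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self.users[user] = {"seed": seed, "salt": salt,
                            "pin": pin_hash(pin, salt), "last_step": -1}

    def verify(self, user: str, passcode: str, now: int) -> bool:
        rec = self.users.get(user)
        if rec is None or len(passcode) <= CODE_DIGITS:
            return False
        pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
        # "what you know": the PIN alone never passes without a fresh token code
        if not hmac.compare_digest(pin_hash(pin, rec["salt"]), rec["pin"]):
            return False
        # "what you have": the code must come from this token, within the skew window
        step = now // STEP_SECONDS
        for delta in range(-SKEW_STEPS, SKEW_STEPS + 1):
            cand = step + delta
            if hmac.compare_digest(token_code(rec["seed"], cand * STEP_SECONDS), code):
                if cand <= rec["last_step"]:
                    return False      # replay of an already-used code
                rec["last_step"] = cand
                return True
        return False
```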

