FW: [fw-wiz] Username password VS hardware token plus PIN

From: Paul Melson (psmelson_at_comcast.net)
Date: 02/22/05

  • Next message: Smith, Aaron: "RE: [fw-wiz] Locking down public wireless access"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 22 Feb 2005 13:46:18 -0500
    
    

    The PIN is essentially the user's password. It is the "something you know"
    part of the two-factor authentication axiom. (If just login name would
    suffice, then SANS would have to reprint all of that training material with,
    "Something you have, and something EVERYBODY knows." And that just won't
    happen.)

    The point of PIN+TOKENCODE is that it easily drops into a password field as
    a single string, like, "We've secretly replaced Don's old RADIUS server with
    ACE Server. Let's see if he notices!" But in that same vein, many of these
    products will let you require a PIN that meets with normal password
    complexity requirements and expiration. They just keep on calling it a PIN
    because, well, the acronym for Personal Identification String might offend
    someone. That would mean that your users could be forced to type
    !@myl33+Pazzw0rD093469 into a password field instead of their usual
    1234093469, but they'll quickly get over it.

    I question the value of additional passwords to this equation even if they
    are challenged against separate directories. The purpose of tokens is to
    reduce the risk of unauthorized use of an authorized account. Insofar as
    the token makes it difficult for an account to be used simultaneously by two
    different people, with or without the knowledge of the authorized party, it
    is an effective technology.

    PaulM

    -----Original Message-----
    Subject: RE: [fw-wiz] Username password VS hardware token plus PIN

    Good point.

    And also, a lot of users would a) not notice that the key had been stolen at
    all, and b) would ask the IT department for a new one explaining that they
    "lost" their old one without admitting that it was stolen.

    But you didn't answer my bigger question.

    What products are out there that require both the hardware, the PIN AND
    username/password?

    This seems to me the best way because you need four pieces of info.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
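The PIN-plus-tokencode flow Paul describes above (one string typed into a password field, split and checked server-side, with a password-style complexity policy on the PIN and a tokencode that cannot be used twice) worked through as an added example. This is not code from this thread or from RSA's product: RFC 4226 HOTP stands in for the proprietary SecurID algorithm, and the 60-second time step, the PIN policy, the `TokenServer` class, the user name and the seed are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import string
import struct

TOKENCODE_LEN = 6   # digits of tokencode appended to the PIN
TIME_STEP = 60      # assumption: 60-second token step (TOTP's default is 30)
PIN_MIN_LEN = 8     # assumption: "normal password complexity" policy for the PIN


def hotp(secret, counter, digits=TOKENCODE_LEN):
    """RFC 4226 HOTP. Stands in for the proprietary SecurID tokencode
    algorithm; the verification flow around it is what the example shows."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def tokencode(secret, now):
    """What the hardware token would display at Unix time `now`."""
    return hotp(secret, now // TIME_STEP)


def split_passcode(passcode):
    """The single string typed into the password field is PIN || tokencode."""
    if len(passcode) <= TOKENCODE_LEN or not passcode[-TOKENCODE_LEN:].isdigit():
        raise ValueError("passcode must be a PIN followed by %d digits" % TOKENCODE_LEN)
    return passcode[:-TOKENCODE_LEN], passcode[-TOKENCODE_LEN:]


def pin_meets_policy(pin):
    """Password-style complexity for the PIN: minimum length plus three of four classes."""
    classes = (
        any(c.islower() for c in pin),
        any(c.isupper() for c in pin),
        any(c.isdigit() for c in pin),
        any(c in string.punctuation for c in pin),
    )
    return len(pin) >= PIN_MIN_LEN and sum(classes) >= 3


class TokenServer:
    """Toy ACE/RADIUS-style verifier: both factors are checked on the server side."""

    def __init__(self):
        self.users = {}    # user -> dict(secret, salt, pin_hash)
        self.used = set()  # (user, counter) pairs already accepted; prune old ones in practice

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, user, secret, pin):
        if not pin_meets_policy(pin):
            raise ValueError("PIN does not meet policy")
        salt = os.urandom(16)
        self.users[user] = {"secret": secret, "salt": salt,
                            "pin_hash": self._hash_pin(pin, salt)}

    def authenticate(self, user, passcode, now):
        """Returns (accepted, reason). The reason is for the server log only;
        the client should only ever see a generic failure."""
        rec = self.users.get(user)
        if rec is None:
            return False, "unknown user"
        try:
            pin, code = split_passcode(passcode)
        except ValueError:
            return False, "malformed passcode"
        pin_ok = hmac.compare_digest(rec["pin_hash"], self._hash_pin(pin, rec["salt"]))
        counter = now // TIME_STEP
        # Accept one step of clock drift either way, never a negative counter.
        matched = None
        for c in (counter - 1, counter, counter + 1):
            if c >= 0 and hmac.compare_digest(code, hotp(rec["secret"], c)):
                matched = c
        if not pin_ok or matched is None:
            return False, "wrong PIN or tokencode"
        # A tokencode is single-use: two people cannot both log in with it,
        # which is the "simultaneous use" property discussed in the thread.
        if (user, matched) in self.used:
            return False, "tokencode already used"
        self.used.add((user, matched))
        return True, "ok"


# Constructed sample data, not real credentials.
SAMPLE_SECRET = b"12345678901234567890"   # the RFC 4226 test-vector seed
SAMPLE_PIN = "!@myl33+Pazzw0rD"           # the complex PIN from the message above


def demo():
    srv = TokenServer()
    srv.enroll("don", SAMPLE_SECRET, SAMPLE_PIN)
    now = 120
    passcode = SAMPLE_PIN + tokencode(SAMPLE_SECRET, now)
    first = srv.authenticate("don", passcode, now)     # (True, "ok")
    replay = srv.authenticate("don", passcode, now)    # (False, "tokencode already used")
    bad_pin = srv.authenticate("don", "1234" + tokencode(SAMPLE_SECRET, now), now)
    return first, replay, bad_pin
```

The PIN check and the tokencode check are deliberately evaluated before either result is acted on, and the "already used" record is only consulted once both factors match, so a stolen token alone cannot burn tokencodes for the legitimate holder and a wrong PIN reveals nothing about the token.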

