Re: [fw-wiz] Username password VS hardware token plus PIN
From: Frank Knobbe (frank_at_knobbe.us)
Date: 02/22/05
- Previous message: Mark Gumennik: "RE: [fw-wiz] Locking down public wireless access"
- In reply to: Marcus J. Ranum: "Re: [fw-wiz] Username password VS hardware token plus PIN"
- Next in thread: Marcus J. Ranum: "Re: [fw-wiz] Username password VS hardware token plus PIN"
- Reply: Marcus J. Ranum: "Re: [fw-wiz] Username password VS hardware token plus PIN"
- Reply: Kevin: "Re: [fw-wiz] Username password VS hardware token plus PIN"
- Reply: Andras Kis-Szabo: "Re: [fw-wiz] Username password VS hardware token plus PIN"
- Reply: Kevin Sheldrake: "Re: [fw-wiz] Username password VS hardware token plus PIN"
To: "Marcus J. Ranum" <mjr@ranum.com>
Date: Tue, 22 Feb 2005 11:33:54 -0600
On Tue, 2005-02-22 at 11:50 -0500, Marcus J. Ranum wrote:
> I suppose the closest that'd come would be a social engineering
> attack along the lines of:
> "Dear bozo@yourdomain.com -
> We need to change the batteries in your authentication token,
> as part of annual maintenance. Please mail it in the included
> business reply envelope within the next 30 days if you wish to have
> continued access.
Your con-man forgot to ask the user to also include his PIN number.
Most tokens lock out on 3-5 wrong PIN entries. So just stealing the
token (the thing you have) is not enough. They also need to get the PIN
(the thing you know) to use the token.

That's why I was never happy with SecurID tokens since the PIN is
transmitted during logon and thus subject to interception by an
attacker. I preferred tokens that require the PIN to unlock the token,
but never transmit the PIN.

The token alone should never be enough to let you log in. A physical
device has the valuable property that it can be stolen easier than
secured electronic data. ;)

Cheers,
Frank
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
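The two designs contrasted in the message above, modelled as an added example that is not part of the original post: a login where the PIN travels with the token code, and a token that checks the PIN locally, locks after a few wrong entries, and sends only the code. HOTP (RFC 4226) stands in for the token algorithm as an assumption; the class and function names, the user name and the PIN are hypothetical.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncated HMAC-SHA1 over an 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class PinUnlockedToken:
    """Token that checks the PIN locally and locks after max_tries failures."""
    def __init__(self, secret: bytes, pin: str, max_tries: int = 3):
        self._secret, self._pin = secret, pin
        self._max_tries = max_tries
        self._tries_left, self._counter = max_tries, 0

    @property
    def locked(self) -> bool:
        return self._tries_left == 0

    def code(self, pin: str):
        """Return the next one-time code, or None if the PIN is wrong or locked."""
        if self.locked:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1          # wrong PIN burns one attempt
            return None
        self._tries_left = self._max_tries  # correct PIN resets the counter
        otp = hotp(self._secret, self._counter)
        self._counter += 1
        return otp

def login_pin_on_wire(user: str, pin: str, tokencode: str) -> dict:
    """Design A: the PIN is typed at the login prompt and sent with the code."""
    return {"user": user, "passcode": pin + tokencode}

def login_pin_local(user: str, token: PinUnlockedToken, pin: str):
    """Design B: the PIN only unlocks the token; the wire carries the code alone."""
    otp = token.code(pin)
    return None if otp is None else {"user": user, "passcode": otp}

# Constructed sample values: RFC 4226 test secret, made-up PIN.
SECRET, PIN = b"12345678901234567890", "4711"
```

In design A anyone who can read one login message holds the PIN from then on; in design B the message contains nothing reusable, and a token taken without its PIN locks itself after three wrong entries.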