Re: [fw-wiz] Username password VS hardware token plus PIN

From: Kevin (kkadow_at_gmail.com)
Date: 02/23/05

  • Next message: ArkanoiD: "AES SecurID Re: [fw-wiz] Username password VS hardware token plus PIN"
    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 22 Feb 2005 17:01:55 -0600
    
    

    On Tue, 22 Feb 2005 11:33:54 -0600, Frank Knobbe <frank@knobbe.us> wrote:
    > That's why I was never happy with SecureID tokens since the PIN is
    > transmitted during logon and thus subject to interception by an
    > attacker. I preferred tokens that require the PIN to unlock the token,
    > but never transmit the PIN.

    RSA doesn't promote it, but their SD520 "PINPAD" product does not
    require the PIN to be transmitted during login, but instead follows the
    "require the PIN to unlock" model. If you enter an incorrect PIN, the
    passcode displayed looks fine, but will not be accepted by the server.
    This is the physical equivalent of the software token running on
    Blackberry, PalmOS, Windows, etc., with the advantage of being a
    sealed unit. Other token vendors have similar offerings.

    > The token alone should never be enough to let you log in. A physical
    > device has the valuable property that it can be stolen easier than
    > secured electronic data. ;)

    A physical device requires live physical access to be stolen, and as
    Marcus said, it can only exist in one place at any one moment in time --
    if you steal my hardware token, I'll eventually notice that I no longer
    possess it, not true for a password or certificate or other "secured"
    electronic data.

    Kevin Kadow
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

