Re: [fw-wiz] Username password VS hardware token plus PIN

From: Andras Kis-Szabo (kisza_at_securityaudit.hu)
Date: 02/23/05

  • Next message: ArkanoiD: "Re: [fw-wiz] Username password VS hardware token plus PIN"
    To: Frank Knobbe <frank@knobbe.us>
    Date: Wed, 23 Feb 2005 12:49:55 +0100
    
    

    Hi,

    > That's why I was never happy with SecurID tokens since the PIN is
    > transmitted during logon and thus subject to interception by an
    > attacker. I preferred tokens that require the PIN to unlock the token,
    > but never transmit the PIN.
    If you use a PIN-pad and the agent is in Communication server mode, your
    PIN code is never used in simple form on the network.
    You have to add your PIN to the tokencode in a special way. The PIN-pad
    does it for you. You have to enter the PIN and push the button ...
    In this case the PIN must be a numerical value. :(

    There are also SecurID tokens for mobile phones (in SMS, in native or in
    J2ME). The SMS is insecure, you might be able to steal the seeds from
    the native, ...

    Kevin:
    the 'new PIN mode' could be a risk, but there are several other ways to
    change your PIN. You should try the web-portal (with the NEXUS style).
    There is a nice knowledge-based authentication method.

    Regards,

    kisza

    -- 
         Andras Kis-Szabo       Security Development, Design and Audit
    -------------------------/        Zorp, NetFilter and IPv6
      kisza@SecurityAudit.hu /------------------------------------------->
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
