Educause Security Discussion mailing list archives

Re: Laptop Encryption

From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 17 Feb 2009 23:16:18 -0500

On Tue, 17 Feb 2009 19:06:05 CST, Timothy Payne said:

Can anyone share with the list their experiences with enterprise level
encryption products?  I'm most interested in products that use some
sort of 2-factor authentication...ie, a USB key required to boot and a
password, or password/checksum combo.

How do you deal with the inevitable user who loses their token or
forgets their password?


Also consider the case of a stolen laptop - what are the chances the USB
key is in the laptop bag?  At that point, it's not 2-factor any more.

And then you need to ask yourself - 'What threat model does that second factor
actually protect me against?'.  Remember that *most* 2-factor auth is intended
to protect you against "keystroke logger sniffs password, attacker comes in
over Internet from 9 time zones away" (because then they have "something they
know", but can't supply "something they have" or "something they are" *because*
they're 9 time zones away...).

Attachment: _bin
Description:

Current thread:

Laptop Encryption Timothy Payne (Feb 17)
- <Possible follow-ups>
- Re: Laptop Encryption Gary Dobbins (Feb 17)
- Re: Laptop Encryption Valdis Kletnieks (Feb 17)
- Re: Laptop Encryption Wes Young (Feb 18)
- Re: Laptop Encryption James Farr '05' (Feb 18)
- Re: Laptop Encryption Gary Flynn (Feb 18)
- Re: Laptop Encryption Zach Jansen (Feb 18)
- Re: Laptop Encryption Gregg, Christopher S. (Feb 18)
- Re: Laptop Encryption Warner, David F (Feb 18)
- Re: Laptop Encryption Basgen, Brian (Feb 18)