Firewall Wizards mailing list archives

Re: Token based OTP: SafeWord or SecurID?


From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 11 Dec 2000 08:54:56 -0800 (PST)

On Sun, 10 Dec 2000, Michael H. Warfield wrote:

I used to administer a decent sized userbase of Safeword tokens.  If one
of them went nuts (about 1 in 100) we'd give them a new one.

BTW, reading my own words... I meant the token going nuts, not the user
(in case that wasn't clear :) )


      And in the meantime, while they wait for IS, they are down.
Typical IS mentality.

Typical security mentality.  If your token breaks, you are down until you
get a new one, too bad.  You have to be a bit of a BOFH to admin tokens
The Right Way.  If you go around giving out keys for use in soft
tokens, which users can then give to their buddies, co-workers, etc. or
switch to static passwords "temporarily", or whatever your workaround,
then you're just weakening your authentication infrastructure.

I would next-day cards to people who needed them, and I had supplies with
security admins to whom I'd delegated some authority in various parts of
the world, in order to not have problems with customs.  If the user
couldn't wait, then he or she could drive into the nearest field office,
which users were rarely more than an hour or two away from.

                                        Ryan

