Firewall Wizards mailing list archives

Re: Token based OTP: SafeWord or SecurID?


From: Stephen Legge <stephen () cryptocard com>
Date: 16 Nov 2000 18:48:41 -0000

There is a PIN PAD version of the SecurID in which you type the PIN into a keypad on the SecurID card or fob. The PIN is combined with the time-dependent code number (which normally shows up in the LCD in the standard version) and the newly factored number is displayed in the LCD. You then type in and send this new number to the remote prompt. Therefore the PIN is not sent across a communications channel in the clear.
 
SafeWord has similar functionality in their 'Platinum' token, as does Axent and CryptoCard. The SafeWord token is interesting in that it appears to offer the option of storing up to ten(?) distinct host keys, including one SecureNetKey/DES token. SNK is the DES Challenge-Response scheme used by Axent, and supported by Gauntlet, FWTK, and SafeWord auth servers.

We've seen too many of the large-format tokens destroyed by user error, so this project is focusing on the smaller 'keyfob' tokens.

It appears that CryptoCard actually supports entering a PIN into their keyfob format token, even though it only has a single button. The sales person I spoke with couldn't give a very good description as to how this works.

I spotted this posting and I thought I'd chime in and hopefully clear this up for you.
 
The Cryptocard KeyChain Token (or KeyFob token) does accept PINs and uses only a single button. The way we accomplished this was quite clever (if I do say so myself ;-).
 
The first PIN digit gently cycles from 0 to 9 (and also "<" for backspace, and "E" for enter). The user simply presses the button when the required first digit is shown. Then the second PIN digit cycles the same way. The third, the fourth, and so on.
 
When the full PIN has been entered, the user selects "E" to enter (or "<" to backspace).

Also, keep in mind that the use of the PIN is optional and the administrator can easily initialize a user's token with no PIN required.
 
I hope this clears things up. We're very proud of our entire line of Secure Password tokens -- and we feel they are a better value and more cost effective than the alternatives in the industry.
 
Please feel free to contact me with any questions you have, I'd be very interested in hearing about how you are planning to deploy a strong-authentication system!
 
Have a nice day,
 
Stephen Legge
Stephen () Cryptocard com
 
