Re: Token based OTP: SafeWord or SecurID?

["H. Morrow Long" <morrow.long () yale edu>]

There is a PIN PAD version of the SecureID in which you type the
PIN into a keypad on the SecureID card or fob.  The PIN is
combined with the time dependent code number (which normally
shows up in the LCD in the standard version) and the newly
factored number is displayed in the LCD.  You then type in and
send this new number to the remote prompt.  Therefore the PIN
is not sent across a communications channel in the clear.

- H. Morrow Long

Rick Smith wrote:
> > --On Monday, September 18, 2000 11:30 AM -0500 kadokev () msg net wrote:
> >
> > > I just recently noticed that unlike SecurID, SafeWord has no provision to
> > > use a PIN in combination with their key fob 'Safeword Silver 2000' token,
> > > so they are out of the running.
>
> I've been told that the SecurID PIN is essentially a reusable password,
> consisting of digits, that's used in conjunction with the key fob. To log
> in, you enter both the number on the fob and the reusable password.
>
> The advantage is that attackers must work harder -- they must first
> intercept a successful login to retrieve the reusable part and then steal
> the fob to get the one time part. Furthermore, it involves less hardware
> since the fob doesn't need a keypad.
>
> On the other hand, it makes the PIN weaker since it can be sniffed. Does
> anyone think this matters?
>
> Disclaimer: I work for Secure Computing, which builds SafeWord. I want to
> be sure I understand the relevant difference between the two.
>
> Rick.
> smith () securecomputing com         roseville, minnesota
>
> _______________________________________________
> Firewall-wizards mailing list
> Firewall-wizards () nfr net
> http://www.nfr.net/mailman/listinfo/firewall-wizards

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature