Firewall Wizards mailing list archives

Re: SecureID vs Certificates


From: Peter Lukas <plukas () oss uswest net>
Date: Thu, 15 Feb 2001 08:44:35 -0600 (CST)

I'd hate to stray even further off-topic, but to your point, stolen
tokens, when coupled with something like an ID badge, can provide an
intruder with enough information to attempt mischief.  Especially an
intruder that's been "casing the joint."  In this instance, we trust the
user to give notice of the stolen token immediately, and that is not
always the case.

As for the "uniquely have" portion, I assume you mean a physical
trait.  Unfortunately, that physical trait ends up digitized somewhere
where it can be mass-(re)produced.  It's pretty difficult to cut off my
finger; it's not nearly as difficult to capture the digital bits of my
fingerprint.

How about "something you have, something you know and something you can
prove?"  ATM cards are relatively successful since they're unlocked with a
PIN.  How about coupling that feature with something I can prove like a
challenge/response mechanism.  Without giving gratuitous recommendations
of specific products on the market today, I'll say that such products
exist and SecurID isn't in the bunch.

Peter Lukas

On Tue, 13 Feb 2001, Marcus J. Ranum wrote:

Tony Miedaner wrote:
it would seem to me that certificates would be a reasonable form of two 
factor authentication

I'm sure lots of people would consider certificates a 2-factor
authentication, but I don't. The definition of "2-factor" usually
is something like this:
         "something you _have_ plus something you _know_"
I'd like to change it to:
         "something you _uniquely_ _have_ plus something you _know_"

As a file on a hard disk, a certificate is not guaranteed to be unique.
A SecurID token is not _guaranteed_ to be unique - someone with
the key could duplicate a token - but barring extraordinary measures
you'll have a chance of catching them when they attempt to steal
your token.

I guess another way of putting it is that a desirable property of a
real 2-factor system is that if the physical factor is stolen, you
can _tell_. (For typical values of "stolen")

mjr.
---
Marcus J. Ranum,  Chief Technology Officer, Network Flight Recorder, Inc.
Work:  http://www.nfr.net
Play: http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
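To make the "something you can prove" idea above concrete, here is an added illustration (not code from either poster or from any product) of a PIN-unlocked token doing an HMAC challenge/response. The token secret, PIN, key derivation and nonce length are all constructed for the example; it shows that a stolen token without the PIN fails, and that a captured response cannot be replayed against a fresh challenge.

```python
"""Illustrative PIN-unlocked challenge/response token (hypothetical design)."""
import hashlib
import hmac
import os

# Constructed sample values: the secret burned into the token and the user's PIN.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
USER_PIN = "4931"


def token_key(token_secret: bytes, pin: str) -> bytes:
    """Derive the working key from token secret plus PIN (assumed KDF).
    A stolen token without the PIN yields a different key."""
    return hashlib.sha256(token_secret + pin.encode()).digest()


def issue_challenge() -> bytes:
    """Server side: a fresh random nonce for every login attempt."""
    return os.urandom(16)


def respond(token_secret: bytes, pin: str, challenge: bytes) -> bytes:
    """Token side: prove possession of the key without revealing it."""
    key = token_key(token_secret, pin)
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify(enrolled_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    expected = hmac.new(enrolled_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> tuple:
    """Returns (legit_ok, stolen_token_wrong_pin_ok, replay_ok)."""
    enrolled_key = token_key(TOKEN_SECRET, USER_PIN)  # stored at enrollment
    c1 = issue_challenge()
    r1 = respond(TOKEN_SECRET, USER_PIN, c1)
    legit_ok = verify(enrolled_key, c1, r1)
    # Thief holds the token but guesses the PIN wrong.
    wrong_pin_ok = verify(enrolled_key, c1, respond(TOKEN_SECRET, "0000", c1))
    # Eavesdropper replays the captured response against a new challenge.
    replay_ok = verify(enrolled_key, issue_challenge(), r1)
    return legit_ok, wrong_pin_ok, replay_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```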

