Firewall Wizards mailing list archives

Re: Username password VS hardware token plus PIN


From: Frank Knobbe <frank () knobbe us>
Date: Tue, 22 Feb 2005 11:33:54 -0600

On Tue, 2005-02-22 at 11:50 -0500, Marcus J. Ranum wrote:
> I suppose the closest that'd come would be a social engineering
> attack along the lines of:
>         "Dear bozo () yourdomain com -
>         We need to change the batteries in your authentication token,
>         as part of annual maintenance. Please mail it in the included
>         business reply envelope within the next 30 days if you wish to have
>         continued access.

Your con-man forgot to ask the user to also include his PIN number.

Most tokens lock out on 3-5 wrong PIN entries. So just stealing the
token (the thing you have) is not enough. They also need to get the PIN
(the thing you know) to use the token.

That's why I was never happy with SecurID tokens since the PIN is
transmitted during logon and thus subject to interception by an
attacker. I preferred tokens that require the PIN to unlock the token,
but never transmit the PIN.


The token alone should never be enough to let you log in. A physical
device has the valuable property that it can be stolen easier than
secured electronic data.  ;)

Cheers,
Frank
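To make the two designs Frank contrasts concrete, here is an added Python simulation (not code from the list or from any token vendor) of an HOTP-style token whose PIN unlocks the device locally and locks it after a few wrong entries, beside one that ships the PIN to the server with every code; the seed, PIN and lockout limit are constructed values.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code an event-based token shows for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

class Token:
    """Simulated token. mode='local': the PIN unlocks the device and never
    leaves it, and the device locks after max_failures bad PINs.
    mode='remote': the PIN is concatenated with the code for the server to check."""
    def __init__(self, secret: bytes, pin: str, mode: str, max_failures: int = 3):
        self.secret, self.pin, self.mode = secret, pin, mode
        self.counter, self.failures, self.max_failures = 0, 0, max_failures

    def login_message(self, pin_entered: str) -> str:
        """What leaves the user's hands and goes over the wire."""
        if self.mode == "remote":
            code = hotp(self.secret, self.counter)
            self.counter += 1
            return pin_entered + code          # PIN is visible to any eavesdropper
        if self.failures >= self.max_failures:
            raise PermissionError("token locked; the device alone is now useless")
        if not hmac.compare_digest(pin_entered, self.pin):
            self.failures += 1
            raise ValueError("wrong PIN")
        self.failures = 0
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code                            # only the one-time code is sent

def attempts_before_lockout(token: Token, wrong_pin: str) -> int:
    """Count how many wrong guesses a 'local' token tolerates before locking."""
    tries = 0
    while True:
        try:
            token.login_message(wrong_pin)
        except ValueError:
            tries += 1
        except PermissionError:
            return tries

SECRET = b"constructed-demo-seed"   # constructed sample seed, not a real one

if __name__ == "__main__":
    print("local token sends:", Token(SECRET, "4711", "local").login_message("4711"))
    print("remote token sends:", Token(SECRET, "4711", "remote").login_message("4711"))
    print("locks after", attempts_before_lockout(Token(SECRET, "4711", "local"), "0000"), "bad PINs")
```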
