Firewall Wizards mailing list archives
Re: Username password VS hardware token plus PIN
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 22 Feb 2005 11:33:54 -0600
On Tue, 2005-02-22 at 11:50 -0500, Marcus J. Ranum wrote:
> I suppose the closest that'd come would be a social engineering attack along the lines of: "Dear bozo () yourdomain com - We need to change the batteries in your authentication token, as part of annual maintenance. Please mail it in the included business reply envelope within the next 30 days if you wish to have continued access.
Your con-man forgot to ask the user to also include his PIN number. Most tokens lock out on 3-5 wrong PIN entries. So just stealing the token (the thing you have) is not enough. They also need to get the PIN (the thing you know) to use the token.

That's why I was never happy with SecurID tokens, since the PIN is transmitted during logon and thus subject to interception by an attacker. I preferred tokens that require the PIN to unlock the token, but never transmit the PIN. The token alone should never be enough to let you log in.

A physical device has the valuable property that it can be stolen more easily than secured electronic data. ;)

Cheers,
Frank
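To make the contrast concrete, here is an added Python model (not code from this list or from any token vendor) of the design Frank prefers: the PIN is checked on the device, the device locks itself after a few wrong entries, and only the one-time code ever crosses the network, so a stolen token without its PIN yields nothing the server will accept. The class names, the lockout count of 3, the HMAC-counter code scheme and the seed are all assumptions of this example.

```python
import hashlib
import hmac
import struct

def _otp(secret: bytes, counter: int) -> str:
    """Six-digit counter-based code (truncated HMAC-SHA256) shared by token and server."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

class PinUnlockedToken:
    """Hypothetical token: the PIN is verified on the device and never leaves it."""
    MAX_FAILURES = 3  # assumed lockout threshold, in the 3-5 range the post mentions

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret, self._pin = secret, pin
        self._counter, self._failures, self.locked = 0, 0, False

    def generate(self, pin_entered: str):
        """Return a one-time code, or None if the PIN is wrong or the token is locked."""
        if self.locked:
            return None
        if not hmac.compare_digest(pin_entered.encode(), self._pin.encode()):
            self._failures += 1
            self.locked = self._failures >= self.MAX_FAILURES  # device locks itself
            return None
        self._failures = 0
        self._counter += 1
        return _otp(self._secret, self._counter)

class Server:
    """Verifies the transmitted code only; it stores no PIN and never sees one."""
    def __init__(self, secret: bytes, window: int = 5) -> None:
        self._secret, self._counter, self._window = secret, 0, window

    def verify(self, otp: str) -> bool:
        # Look a few counters ahead so codes the user generated but never sent are tolerated.
        for c in range(self._counter + 1, self._counter + 1 + self._window):
            if hmac.compare_digest(otp.encode(), _otp(self._secret, c).encode()):
                self._counter = c  # this code and all earlier ones are now unusable (no replay)
                return True
        return False

def demo() -> dict:
    secret = b"constructed-shared-seed"  # constructed sample seed for the example only
    token, server = PinUnlockedToken(secret, "4711"), Server(secret)
    code = token.generate("4711")  # owner unlocks with the PIN; only `code` goes on the wire
    accepted, replay = server.verify(code), server.verify(code)
    guesses = [token.generate(p) for p in ("0000", "1234", "9999")]  # token stolen, PIN unknown
    return {"accepted": accepted, "replay": replay, "thief_got": guesses, "locked": token.locked}
```

Run `demo()`: the owner's code is accepted once, its replay is rejected, and the thief's three wrong PINs produce no codes and leave the device locked.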