Firewall Wizards mailing list archives

Re: Username password VS hardware token plus PIN


From: Andras Kis-Szabo <kisza () securityaudit hu>
Date: Wed, 23 Feb 2005 12:49:55 +0100

Hi,

> That's why I was never happy with SecureID tokens since the PIN is
> transmitted during logon and thus subject to interception by an
> attacker. I preferred tokens that require the PIN to unlock the token,
> but never transmit the PIN.
If you use a PIN-pad and the agent is in Communication server mode, your PIN code is never used in simple form on the network. You have to add your PIN to the tokencode in a special way. The PIN-pad does it for you. You have to enter the PIN and push the button ...
In this case the PIN must be a numerical value. :(

There are also SecurID tokens for mobile phones (in SMS, in native or in J2ME). The SMS is insecure, you might be able to steal the seeds from the native, ...

Kevin:
The 'new PIN mode' could be a risk, but there are several other ways to change your PIN. You should try the web-portal (with the NEXUS style). There is a nice knowledge-based authentication method.

Regards,

kisza

--
    Andras Kis-Szabo       Security Development, Design and Audit
-------------------------/        Zorp, NetFilter and IPv6
 kisza () SecurityAudit hu /------------------------------------------->

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
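An added illustration of the distinction the message draws (this is not code from the original post and not the SecurID algorithm): a PIN that is typed in front of the tokencode and sent over the network, versus a PIN that is folded into the tokencode on the device so only a one-time value crosses the wire. The HOTP routine follows RFC 4226; the `extra` argument, the PIN hashing, and the sample seed and PIN are assumptions made for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo values, not real token material: the seed is the RFC 4226
# test secret, the PIN is an arbitrary sample.
SEED = b"12345678901234567890"
PIN = "4711"
DIGITS = 6


def hotp(seed: bytes, counter: int, extra: bytes = b"") -> str:
    """RFC 4226 HOTP. `extra` is a hypothetical extension (not in the RFC) that
    lets the device mix local material such as the PIN into the HMAC input."""
    msg = struct.pack(">Q", counter) + extra          # 8-byte big-endian counter
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


# Mode A: plain token. The user types PIN + tokencode, both go over the wire.
def passcode_pin_transmitted(pin: str, counter: int) -> str:
    return pin + hotp(SEED, counter)


def verify_pin_transmitted(passcode: str, counter: int, expected_pin: str) -> bool:
    pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
    return (hmac.compare_digest(pin, expected_pin)
            and hmac.compare_digest(code, hotp(SEED, counter)))


# Mode B: PIN-pad style. The device hashes the PIN into the tokencode; the
# server, which also knows the PIN, recomputes the same value. The PIN itself
# never appears in the message.
def passcode_pin_folded(pin: str, counter: int) -> str:
    return hotp(SEED, counter, hashlib.sha256(pin.encode()).digest())


def verify_pin_folded(passcode: str, counter: int, expected_pin: str) -> bool:
    expected = passcode_pin_folded(expected_pin, counter)
    return hmac.compare_digest(passcode, expected)


def eavesdropper_recovers_pin(passcode: str) -> str:
    """A passive observer who knows the wire format strips the trailing
    tokencode; whatever is left is the PIN (empty string if nothing leaks)."""
    return passcode[:-DIGITS]
```

In mode A an intercepted passcode yields the PIN directly and only the tokencode half is one-time; in mode B the captured value is a single-use digit string and the PIN has to be recovered by other means.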
