Firewall Wizards mailing list archives
Re: Username password VS hardware token plus PIN
From: Andras Kis-Szabo <kisza () securityaudit hu>
Date: Wed, 23 Feb 2005 12:49:55 +0100
Hi,
If you use a PIN-pad and the agent is in Communication server mode, your PIN code is never used in simple form on the network. You have to add your PIN to the tokencode in a special way. The PIN-pad does it for you. You have to enter the PIN and push the button ...

That's why I was never happy with SecurID tokens since the PIN is transmitted during logon and thus subject to interception by an attacker. I preferred tokens that require the PIN to unlock the token, but never transmit the PIN.

In this case the PIN must be a numerical value. :(

There are also SecurID tokens for mobile phones (in SMS, in native or in J2ME). The SMS is insecure, you might be able to steal the seeds from the native, ...

Kevin: the 'new pin mode' could be a risk, but there are several other ways to change your PIN. You should try the web-portal (with the NEXUS style). There is a nice knowledge-based authentication method.
Regards,
kisza

--
Andras Kis-Szabo
Security Development, Design and Audit
-------------------------/
Zorp, NetFilter and IPv6
kisza () SecurityAudit hu
/------------------------------------------->
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards