Firewall Wizards mailing list archives
Re: Username password VS hardware token plus PIN
From: Dragos Ruiu <dr () kyx net>
Date: Wed, 23 Feb 2005 19:13:25 -0800
On February 23, 2005 05:18 pm, you wrote:
> Dragos Ruiu wrote:
>> The problem with the old PDA idea is user reluctance.
> Then get SecurIDs or whatever for the few users who insist on 'em. But there are PDAs that are tiny, too - credit card size like the Oregon Scientific PDA293 ($9.95 at officedepot.com) or Xircom's Rex, which needs no cradle because it fits in a PCMCIA slot to sync and recharge...
Heh, being a gadgetaholic, I own a Rex... (which was not amongst my most stellar purchases btw, or long-lived in terms of use, though it was small enough in its PCMCIA form factor that it rattled around in my suitcase for years before I noticed it and threw it in the dinosaur equipment pile with the Newtons and many other strange oddball devices). I don't know anything about the Oregon Scientific device, but the Rex is a non-starter. First killer is the frighteningly limited input system, and second is the high level of reverse engineering needed to retrofit anything onto that device as it has nothing resembling a programmatic interface or any user-accessible code bits. It's only marginally more useful than a paper printout of your contacts, though the batteries don't die on paper. :-)
> Basically, you're just conveying excuses. And you're making them sound better by implying that they are from some senior manager who can't carry a credit card sized device along with his golf clubs. But the truth is that he's not going to tolerate *anything* that enhances security because he's a moron.
Morons happen. They frequently happen in senior management. And yes, I've seen plenty of resistance to even credit card sized tokens as I recommend the devices.
For the record, remember, I said I _liked_ external two factor authentication. I just think that rather than trying to defeat the cost issue with old PDAs, you will have more success selling it as an excuse to buy a svelte new sexy modern PDA on a company budget. Or go buy some token thingies...
Cobbling together some Frankenstein solution of dubious software plus cheap PDAs off eBay sounds like a recipe for disaster.
In the end, if even the arguably low cost of the commercial tokens is too much of a hurdle for a company's data integrity/security, then there is a security issue that will likely only be rectified at the board level. :-)
cheers,
--dr
--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada May 4-6 2005 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp