Firewall Wizards mailing list archives
FW: Username password VS hardware token plus PIN
From: "Paul Melson" <psmelson () comcast net>
Date: Tue, 22 Feb 2005 13:46:18 -0500
The PIN is essentially the user's password. It is the "something you know" part of the two-factor authentication axiom. (If just login name would suffice, then SANS would have to reprint all of that training material with, "Something you have, and something EVERYBODY knows." And that just won't happen.)

The point of PIN+TOKENCODE is that it easily drops into a password field as a single string, like, "We've secretly replaced Don's old RADIUS server with ACE Server. Let's see if he notices!" But in that same vein, many of these products will let you require a PIN that meets with normal password complexity requirements and expiration. They just keep on calling it a PIN because, well, the acronym for Personal Identification String might offend someone. That would mean that your users could be forced to type !@myl33+Pazzw0rD093469 into a password field instead of their usual 1234093469, but they'll quickly get over it.

I question the value of additional passwords to this equation even if they are challenged against separate directories. The purpose of tokens is to reduce the risk of unauthorized use of an authorized account. Insofar as the token makes it difficult for an account to be used simultaneously by two different people, with or without the knowledge of the authorized party, it is an effective technology.

PaulM

-----Original Message-----
Subject: RE: [fw-wiz] Username password VS hardware token plus PIN

Good point. And also, a lot of users would a) not notice that the key had been stolen at all. ii) would ask the IT department for a new one explaining that they "lost" their old one without admitting that it was stolen.

But you didn't answer my bigger question. What products are out there that require both the hardware, the pin AND username/password? This seems to me the best way because you need four pieces of info.
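
The following is an added example, not part of the email above and not any vendor's code: a sketch of how a back end can take the single password-field string the message describes, split it into PIN and tokencode, and check both. Assumptions: the tokencode is the last 6 digits (as in the email's sample strings), RFC 6238 TOTP stands in for the proprietary token algorithm, and the `enroll`/`verify_passcode` names, the 60-second step and the accept-once rule are hypothetical.

```python
import hashlib, hmac, struct

TOKEN_DIGITS = 6   # assumed: the email's sample passcodes end in a 6-digit tokencode
STEP = 60          # assumed tokencode lifetime in seconds

def tokencode(seed: bytes, t: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), a stand-in for the token vendor's own algorithm."""
    counter = struct.pack(">Q", int(t) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** TOKEN_DIGITS).zfill(TOKEN_DIGITS)

def pin_hash(pin: str, salt: bytes) -> bytes:
    # The PIN is stored like a password, so complexity rules can apply to it.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def enroll(pin: str, seed: bytes, salt: bytes) -> dict:
    return {"salt": salt, "pin_hash": pin_hash(pin, salt), "seed": seed, "last_step": -1}

def verify_passcode(user: dict, passcode: str, now: float) -> bool:
    """Split the single password-field string into PIN + tokencode and check both."""
    if len(passcode) <= TOKEN_DIGITS:
        return False                                       # no room for a PIN
    pin, code = passcode[:-TOKEN_DIGITS], passcode[-TOKEN_DIGITS:]
    pin_ok = hmac.compare_digest(pin_hash(pin, user["salt"]), user["pin_hash"])
    step_now = int(now) // STEP
    matched = None
    for step in (step_now - 1, step_now, step_now + 1):    # one step of clock drift
        if hmac.compare_digest(tokencode(user["seed"], step * STEP).encode(), code.encode()):
            matched = step
    if not pin_ok or matched is None or matched <= user["last_step"]:
        return False
    user["last_step"] = matched    # each tokencode is accepted once, so a second user cannot reuse it
    return True
```

Both factors are evaluated before the function returns, so a failed login does not reveal which half of the string was wrong.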