Re: Smartcard and non-password methods (was Re: Password repository)

[Stefan <netfortius () gmail com>]

[Sightly off-topic - solution specific] Some European countries have
long figured out logistics of smartcard distribution and management in
their healthcare systems - some being at the second generation,
already.

In fact this is a subject "dear" to my heart, as I've researched and
attempted a proposal for such systems for a few disparate businesses
(with possible extension into eHR), based on a model similar to the
one of SSL certificates authority (i.e third party management of
authentication, with some very neat federated solution), but nobody
seems to care....

Moral? It's been done and it works. Good luck with selling such.

Stefan

On 11/21/09, Adam Stasiniewicz <stasinia () msoe edu> wrote:
> Sadly, passwords are the least common denominator.  The biggest problems
> with 2 factor devices (smart cards, OTPs, etc) is having to buy, configure,
> and distribute them; plus get them to work with all the myriad of
> applications.
>
> Certificates that are issued to computers/web browsers suffer from a lack of
> portability (i.e. by design, the user shouldn't be able to export and share
> the certificate with anyone they want).  Plus with any solution using
> certificates (client or smart card) a substantial reconfiguration is
> required to support websites/applications being able to process certificate
> logons.
>
> IMHO, even though OTPs are the less secure of the two types of two-factor
> products, I see them growing faster than any other method.  From an end-user
> perspective, they are small/portable, don't require a reader, and don't
> require any special OS, web browser, or software.  For an infrastructure
> perspective, it is easier to convert a website to support OTPs (simply
> change the function that runs the password validation; instead of having to
> install and configure a special module/component that would handle the
> mutual auth required by certificates).  Also, many of the OTP vendors are
> working on making their products function more easily cross platform (while
> with smart cards, you are basically stuck with either the Microsoft's
> corporate/non-service provider friendly solution, or have to code your own).
>
>
> My $0.02,
> Adam Stasiniewicz
>
>
> -----Original Message-----
> From: Sean Donelan [mailto:sean () donelan com]
> Sent: Friday, November 20, 2009 5:43 PM
> To: nanog () nanog org
> Subject: Smartcard and non-password methods (was Re: Password repository)
>
>
> Are any network providers supporting smartcards or other non-password
> based authentication methods?  Passwords always end up blaming the
> user for choosing/not remembering good passwords instead of blaming the
> technology for choosing/not doing things so the user isn't forced to
> work around its flaws.
>
> I know about the DOD Common Access Card.  One-time code-generator tokens
> seem more widely used by single enterprises.  But inter-operable
> credentials still seem to be one of those great unsolved problems for
> compter security.  Are passwords still the only lowest-common-denominator?

-- 
Sent from my mobile device

***Stefan Mititelu
http://twitter.com/netfortius
http://www.linkedin.com/in/netfortius