PaulDotCom mailing list archives
Re: Soft Tokens??
From: Todd Haverkos <infosec () haverkos com>
Date: Wed, 21 Nov 2012 13:16:10 -0600
Conrad Constantine <conrad () 1211 net> writes:
> > Not saying the app is as secure as the hardware token, just a different way to implement it.
>
> yeah, but security is all about the implementation, and a hardware implementation has a completely different attack surface from a purely software one. (look at the attack against RSA Soft-Tokens earlier this year, or the smartcard-hijack trojan that Alienvault Labs (plug plug!) dissected back in January...) For instance, the RSA hard tokens have a bunch of anti-tamper mechanisms in them that aren't possible with a soft token. (Travis Goodspeed's awesome work in bypassing that aside for the moment)
But it's all somewhat moot, really. Because, soft or hard token, the token code is going into a web form field somewhere, where on a compromised host, it's vulnerable to intercept. This isn't news to anyone I imagine, but it's worth keeping in mind that this is the most likely attack path against token or software based 2FA.

One of my clients uses a mix of hard and soft tokens. The soft tokens didn't have to be replaced (at great administrative overhead and pain) when RSA had their... incident... last year. The hard tokens did. Could that time/effort have been better used securing other aspects of the enterprise? Surely. For that year at least, the security ROI surely landed in favor of soft tokens for RSA customers. Assuming something like that doesn't happen again, yes, dedicated hardware makes it harder to compromise the token code, but that's rarely the lowest hanging fruit in the process.

Software, hardware, they're both significantly better than passwords. Hardware does make your token code harder to get at and predict, but it comes at administrative cost to physically get them in people's hands, get people to remember them, get them to not whine about having to carry them, and then not to lose them, etc.

Best Regards,
--
Todd Haverkos
Chicago, IL
http://haverkos.com/

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
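The point above, that a token code typed into a form on a compromised host can be intercepted whether it came from a hard or a soft token, is what server-side single-use enforcement is meant to limit. The example below is added here and is not code from the thread, RSA, or any vendor: it implements the standard HOTP/TOTP construction (RFC 4226 / RFC 6238, HMAC-SHA1, 30-second step) and a minimal verifier that accepts each time-step counter only once, so a code that is captured and replayed after the legitimate login is rejected and can be logged as a replay. The secret, timestamps and `TokenVerifier` class are assumptions chosen for illustration; the secret is the RFC test-vector key, so the codes match the published vectors. Single-use enforcement does not help against real-time relay from the compromised host, which is the caveat the post is making.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


class TokenVerifier:
    """Server side of a soft/hard token check (hypothetical class, not a
    vendor API). Each counter value is accepted at most once, so a code
    intercepted on the client and submitted again is refused."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window          # clock-skew tolerance in steps
        self.consumed: set[int] = set()
        self.replays: list[tuple[int, str]] = []   # (counter, code) for the SOC

    def verify(self, code: str, at_time: int) -> bool:
        now = int(at_time) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            expected = hotp(self.secret, counter)
            # constant-time compare so timing does not leak which digits matched
            if hmac.compare_digest(expected, code):
                if counter in self.consumed:
                    # valid code, but this time step was already used: replay
                    self.replays.append((counter, code))
                    return False
                self.consumed.add(counter)
                # forget counters too old to be accepted again
                self.consumed = {c for c in self.consumed if c >= now - self.window}
                return True
        return False


def demo() -> dict:
    """Walks through a legitimate login, a replay of the captured code,
    and the next valid code. Secret is the RFC 4226/6238 test-vector key;
    timestamps are constructed for the example."""
    secret = b"12345678901234567890"
    v = TokenVerifier(secret)
    captured = totp(secret, 59)            # what the user typed at t=59
    return {
        "code_at_59": captured,
        "first_use": v.verify(captured, 59),       # accepted
        "replay": v.verify(captured, 61),          # same step, rejected
        "next_code_ok": v.verify(totp(secret, 89), 89),
        "wrong_code": v.verify("000000", 89),
        "replays_logged": len(v.replays),
    }


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

Run as a script it prints the outcome of each step; in a real deployment the `replays` list would be an alert to the SOC, since a valid code arriving twice in one time step is a strong indicator that something on the client captured it.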
Current thread:
- Soft Tokens?? Julian Makas (Nov 09)
- <Possible follow-ups>
- Re: Soft Tokens?? Herndon Elliott (Nov 10)
- Re: Soft Tokens?? Robin Wood (Nov 10)
- Re: Soft Tokens?? Tony Turner (Nov 10)
- Re: Soft Tokens?? Jack Daniel (Nov 10)
- Re: Soft Tokens?? Conrad Constantine (Nov 10)
- Re: Soft Tokens?? Todd Haverkos (Nov 21)
- Re: Soft Tokens?? Archanet.co.uk (Nov 10)
- Re: Soft Tokens?? Robin Wood (Nov 10)