WebApp Sec mailing list archives

Re: Token authentication with web applications


From: Ivan Krstic <krstic () fas harvard edu>
Date: Fri, 02 Jul 2004 21:45:32 +0100

Graham Howe wrote:
The only real solutions we can see are software based.

I disagree strongly. In my experience, software-only solutions that are any more complicated than a password entry are either snake oil or highly complicated for end users, as is generally the case with OTPs (in the case where nothing is printed). Think for a second why passwords enjoy their wild popularity:

1. They have no learning curve
2. They require no setup on client machines (in other words, a user can just walk up to any public terminal with a web browser and check his mail on Hotmail)

Now, taking a software-only scheme past that usually requires the introduction of client-side keyfiles and the like; this is a solution which offers absolutely no extra protection in an environment whose threat model includes attackers' physical access to workstations, and is simply impossible to implement securely in an environment where there is no strict one-to-one mapping between users and workstations. From a brief glance at dualshield.com, it does not appear that the unfortunately named flagship product addresses these issues (the product, named DSS and marketed as the "new standard in internet security", conflicts unpleasantly with the DSS specified in FIPS-186, May 1994, an actual standard), but do correct me if I'm wrong.

Cheers,
Ivan.
