Educause Security Discussion mailing list archives

Re: password vs pass-phrase

From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 19 Mar 2010 20:54:07 +1300

On 19/03/2010, at 1:51 PM, Eric Case wrote:


Why not some of the smart phone stuff like the VeriSign's VIP for Mobile
<http://www.verisign.com/authentication/two-factor-authentication/vip-access
-for-mobile>?  No reader to buy, no card to purchase.


Based on SMS?  SMS is a store and forward best effort technology.  We are looking at that some some folk with low 
volume occasional use requirements.  I don't know how reliable SMS is in the US but here it is variable -- 99% of the 
time it works great but the other 1% it can takes minutes to hours for messages to get delivered.   Our Radius server 
support SMS based Auth and we are looking at this as a backup for our other authentication systems.

We use RSA keys and admins doing patching regularly need to log into a whole bunch of machines at once -- the one 
minute delay between logins is really painful -- I can't imagine SMS based system being any different.  That's one of 
the attractions of YubiKey which is an OTP and not time based.  You can keep on pressing the button and getting OPTs as 
fast as you like.

Russell

Current thread:

Re: password vs pass-phrase Ken Connelly (Mar 18)
- <Possible follow-ups>
- Re: password vs pass-phrase Joel Rosenblatt (Mar 18)
- Re: password vs pass-phrase Eric Case (Mar 18)
- Re: password vs pass-phrase Russell Fulton (Mar 18)
- Re: password vs pass-phrase Eric Case (Mar 18)
- Re: password vs pass-phrase Joel Rosenblatt (Mar 18)
- Re: password vs pass-phrase Russell Fulton (Mar 19)
- Re: password vs pass-phrase Eric Case (Mar 19)
- Re: password vs pass-phrase Flynn, Gerald (Mar 19)
- Re: password vs pass-phrase Allison Dolan (Mar 23)
- Re: password vs pass-phrase Russell Fulton (Mar 27)