Firewall Wizards mailing list archives
Re: SecureID vs Certificates
From: Peter Lukas <plukas () oss uswest net>
Date: Thu, 15 Feb 2001 08:44:35 -0600 (CST)
I'd hate to stray even further off-topic, but to your point, stolen tokens, when coupled with something like an ID badge, can provide an intruder with enough information to attempt mischief. Especially an intruder that's been "casing the joint." In this instance, we trust the user to give notice of the stolen token immediately and this is the case, that happens not always.

As for the "uniquely have" portion, I assume you mean a physical trait. Unfortunately, that physical trait ends up digitized somewhere where it can be mass-(re)produced. It's pretty difficult to cut off my finger, it's not nearly as such to capture the digital bits of my fingerprint.

How about "something you have, something you know and something you can prove?" ATM cards are relatively successful since they're unlocked with a PIN. How about coupling that feature with something I can prove like a challenge/response mechanism.

Without giving gratuitous recommendations of specific products on the market today, I'll say that such products exist and SecurID isn't in the bunch.

Peter Lukas

On Tue, 13 Feb 2001, Marcus J. Ranum wrote:
> Tony Miedaner wrote:
>> it would seem to me that certificates would be a reasonable form of two factor authentication
>
> I'm sure lots of people would consider certificates a 2-factor authentication, but I don't. The definition of "2-factor" usually is something like this:
>
> "something you _have_ plus something you _know_"
>
> I'd like to change it to:
>
> "something you _uniquely_ _have_ plus something you _know_"
>
> As a file on a hard disk, a certificate is not guaranteed to be unique. A SecurID token is not _guaranteed_ to be unique - someone with the key could duplicate a token - but barring extraordinary measures you'll have a chance of catching them when they attempt to steal your token.
>
> I guess another way of putting it is that a desirable property of a real 2-factor system is that if the physical factor is stolen, you can _tell_. (For typical values of "stolen")
>
> mjr.
> ---
> Marcus J. Ranum, Chief Technology Officer, Network Flight Recorder, Inc.
> Work: http://www.nfr.net
> Play: http://www.ranum.com
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards