Firewall Wizards mailing list archives

Re: Hardware tokens for remote access authentication


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 08 Jul 2004 11:12:38 -0400

Bill Kyle wrote:
I am looking for security staff real world experience with a deployment of 
ideally of several hundred users. I would like to know things to help me 
determine the total cost of ownership, e.g., token failure rate, user failure 
rate :) (needing pin reset), server issues, etc.

I ran a bunch of Digital Pathways SNKs back in the day, and SecurIDs,
too. Hopefully SecurID's management software has improved since 1994 -
it must have because they're still in business. The old SNKs are gone,
now, into the mists of time - I used my own server-side code (part of the
firewall toolkit) so I can't comment on the management software.

Management was consistently about 5 minutes to activate a device and 10
to "train" the user how to log in with it. I suspect that most systems
will hang around there. The failure rate was about 10%/year (rough guess)
between accidental toilet immersion, folding, and battery death. I liked the
SNK because the battery was replaceable whereas the SecurID unit needed
to be thrown away every year or so (50%/year replacement). Re-keying was
periodically necessary but generally not a big deal. Another factor very
few people take into account is the "return rate" - how many people actually
give their token back when they leave their job or graduate or whatever.
I've found the return rate is about 50%.

Given the cost per unit and the management headache, I'd like to encourage
you to explore a different route I've recommended to a number of people. So
far nobody has done it - I'm not sure WHY because it seems to me to be a
very decent concept. ;)   Go to bizrate and find someone who is selling the
old Palm Pilot organizers CHEAP. Buy cases of them for $50 apiece. Write
a version of the SNK code (take it from fwtk!) or S/key or SDI's algorithm.
If you think for about 1 minute you can figure out how to make your own time-based
token; SDI's patents are on the skew adjustment (and aren't rocket science either).
Instead of saving the skew like they do, you can just search around the time
because processors have gotten really fast. ;)   While you're at it, have your
little app provide encrypted storage for user passwords, etc. ;)  AND your users
get free scheduling and you're all using a standard scheduling system. Nifty!
Oddly, my guess is people are much less likely to lose a nice useful PDA
than a silly dongle that only does security. Expect a near zero return rate.
My guess is that you can own your own token architecture AND have
PDAs with PGP, etc, for about $60/user, with better software and support
and a higher cool factor than with the commercial products. Extra credit if
you use SMS phones. ;)

mjr. 
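The "search around the time instead of saving the skew" idea above, as an added example that is not from the original post, from fwtk, or from any vendor's product: the token side derives a code from a shared secret and the current minute, and the server side, rather than remembering each token's clock drift, simply tries every time step within a window around its own clock. The secret, the one-minute step, the six-digit length, the window size and the HMAC-SHA1 truncation are all assumptions chosen for illustration; the real SecurID algorithm of that era was proprietary and is not reproduced here.

```python
import hashlib
import hmac
import struct

# Assumptions for the example: one-minute time steps, six-digit codes,
# and an HMAC-SHA1 code derivation (HOTP-style dynamic truncation).
STEP_SECONDS = 60
DIGITS = 6
SEARCH_WINDOW = 10  # +/- 10 steps of tolerated drift around the server clock


def token_code(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Derive a fixed-length decimal code from the secret and a time counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def time_counter(now: float, step: int = STEP_SECONDS) -> int:
    """Map a Unix timestamp onto a time-step counter."""
    return int(now // step)


def generate(secret: bytes, token_clock: float) -> str:
    """Token side: the device uses its own (possibly drifted) clock."""
    return token_code(secret, time_counter(token_clock))


def verify(secret: bytes, candidate: str, server_clock: float,
           window: int = SEARCH_WINDOW, last_counter: int = -1):
    """Server side: search the window around the server clock instead of
    storing per-token skew. Returns the matching counter, or None.

    Counters at or below last_counter (the counter of the last accepted
    login) are refused so a captured code cannot be replayed within
    the window. Nearest steps are tried first."""
    base = time_counter(server_clock)
    for delta in sorted(range(-window, window + 1), key=abs):
        counter = base + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(token_code(secret, counter), candidate):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo: token clock runs three minutes fast.
    secret = b"constructed-example-seed"
    server_clock = 1089300000.0
    code = generate(secret, server_clock + 3 * STEP_SECONDS)
    print("code:", code)
    matched = verify(secret, code, server_clock)
    print("accepted at counter:", matched)
    print("replay accepted:", verify(secret, code, server_clock,
                                     last_counter=matched) is not None)
```

The window search trades a handful of extra HMACs per login for not having to persist a drift value per token; the replay check on `last_counter` is what keeps the widened window from turning into a replay window. Store the accepted counter per user after each successful login.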

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
