Firewall Wizards mailing list archives
Re: Hardware tokens for remote access authentication
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 08 Jul 2004 11:12:38 -0400
Bill Kyle wrote:
I am looking for security staff real world experience with a deployment of ideally several hundred users. I would like to know things to help me determine the total cost of ownership, e.g., token failure rate, user failure rate :) (needing PIN reset), server issues, etc.
I ran a bunch of Digital Pathways SNKs back in the day, and SecurIDs, too. Hopefully SecurID's management software has improved since 1994 - it must have because they're still in business. The old SNKs are gone, now, into the mists of time - I used my own server-side code (part of the firewall toolkit) so I can't comment on the management software. Management was consistently about 5 minutes to activate a device and 10 to beat "train" the user how to log in with it. I suspect that most systems will hang around there. The failure rate was about 10%/year (rough guess) between accidental toilet immersion, folding, and battery death. I liked the SNK because the battery was replaceable whereas the SecurID unit needed to be thrown away every year or so (50%/year replacement). Re-keying was periodically necessary but generally not a big deal.

Another factor very few people take into account is the "return rate" - how many people actually give their token back when they leave their job or graduate or whatever. I've found the return rate is about 50%.

Given the cost per unit and the management headache, I'd like to encourage you to explore a different route I've recommended to a number of people. So far nobody has done it - I'm not sure WHY because it seems to me to be a very decent concept. ;) Go to bizrate and find someone who is selling the old Palm Pilot organizers CHEAP. Buy cases of them for $50 apiece. Write a version of the SNK code (take it from fwtk!) or S/Key or SDI's algorithm. If you think for about 1 minute you can figure out how to make your own time-based token; SDI's patents are on the skew adjustment (and aren't rocket science either). Instead of saving the skew like they do, you can just search around the time because processors have gotten really fast. ;) While you're at it, have your little app provide encrypted storage for user passwords, etc. ;) AND your users get free scheduling and you're all using a standard scheduling system. Nifty!

Oddly, my guess is people are much less likely to lose a nice useful PDA than a silly dongle that only does security. Expect a near zero return rate. My guess is that you can own your own token architecture AND have PDAs with PGP, etc., for about $60/user, with better software and support and a higher cool factor than with the commercial products. Extra credit if you use SMS phones. ;)

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
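The "search around the time instead of storing the skew" idea from the post above, as an added example that is not part of the original message and not the SNK, S/Key or SecurID code from fwtk: a small time-based token using HMAC-SHA1 truncated to six digits (the RFC 4226/6238 construction, chosen here for illustration), with a server that tries every counter within an assumed +/- 3 step window on each login and remembers the highest counter it has accepted so a captured code cannot be replayed inside that window. The secret, step size, window and timestamp are all constructed values.

```python
"""Time-based one-time code with server-side clock-skew search.

Constructed example. Not the SNK, S/Key or SecurID algorithm and not
code from fwtk; uses the HMAC-SHA1 / dynamic-truncation construction
of RFC 4226 (HOTP) driven by a time counter as in RFC 6238 (TOTP).
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # assumed: the handheld shows a new code every minute
DIGITS = 6          # assumed: six decimal digits on the display
SKEW_WINDOW = 3     # assumed policy: tolerate +/- 3 steps of clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def token_code(secret: bytes, now: int) -> str:
    """What the handheld displays at wall-clock time `now` (epoch seconds)."""
    return hotp(secret, now // STEP_SECONDS)


class TokenServer:
    """Per-user verifier: shared secret plus the highest counter already
    accepted. No per-token skew is stored; the window is searched on every
    login, which is cheap on any modern CPU."""

    def __init__(self, secret: bytes, window: int = SKEW_WINDOW):
        self.secret = secret
        self.window = window
        self.last_counter = -1      # nothing accepted yet

    def verify(self, code: str, now: int):
        """Return the matching step offset (e.g. -2 means the token's clock
        is two minutes behind the server) or None if no counter in the
        window matches. Drift beyond the window is rejected, not adjusted."""
        base = now // STEP_SECONDS
        for offset in range(-self.window, self.window + 1):
            counter = base + offset
            if counter <= self.last_counter:
                continue            # already used, or older than a used code
            # constant-time compare so timing does not leak digit matches
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter   # burn this counter and earlier
                return offset
        return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed, not a real key
    now = 1089299558                        # constructed timestamp
    server = TokenServer(secret)
    code = token_code(secret, now)
    print("code", code, "first use ->", server.verify(code, now),
          "replay ->", server.verify(code, now))
```

Two things the post's one-liner glosses over and this example makes explicit: the replay check (`last_counter`) is what keeps a shoulder-surfed code from being reused during the skew window, and a token whose clock has drifted past the window simply stops working rather than being silently resynchronised, so the window size is a real policy choice, not just a performance knob.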
Current thread:
- Hardware tokens for remote access authentication Bill Kyle (Jul 08)
- Re: Hardware tokens for remote access authentication Marcus J. Ranum (Jul 08)
- Message not available
- Re: Hardware tokens for remote access authentication Marcus J. Ranum (Jul 13)
- Re: Hardware tokens for remote access authentication Vin McLellan (Jul 13)
- Re: Hardware tokens for remote access authentication Marcus J. Ranum (Jul 13)
- Re: Hardware tokens for remote access authentication Vin McLellan (Jul 13)
- Re: Hardware tokens for remote access authentication ArkanoiD (Jul 15)
- Re: Hardware tokens for remote access authentication ArkanoiD (Jul 15)
- Message not available
- Re: Hardware tokens for remote access authentication Marcus J. Ranum (Jul 08)
- <Possible follow-ups>
- RE: Hardware tokens for remote access authentication Woeltje, Don (Jul 10)
- Message not available
- RE: Hardware tokens for remote access authentication Marcus J. Ranum (Jul 13)
- Message not available