Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Username password VS hardware token plus PIN

From: Frank Knobbe <frank () knobbe us>
Date: Tue, 22 Feb 2005 11:39:25 -0600
On Tue, 2005-02-22 at 10:08 -0500, MHawkins () TULLIB COM wrote:

What solutions are out there that do not use a PIN but use some
username/password combination along with the hardware/software token?


Why would you need that?

In both cases you need a user name to identify the user.

In case of password-only, you just the password, something you know.

In case of token, you use the token (something you have), and the PIN
(something you know). The PIN is in a sense acting as the password.

Why would you need two passwords?


Another advantage that tokens have (but also other OTP schemes like OTP
calculators) is that the password/token-response is only valid once. If
someone intercepts the given token code during authentication, he should
not be able to use the same information again. Just like a
one-time-password created by an OTP calculator. 

The valid-only-once advantage is something a static username/password
can not provide.

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

Previous By Date Next
Previous By Thread Next

Current thread: