Firewall Wizards mailing list archives

Re: username password vs token pin


From: pooh () stonegizmo com (Mark Boltz)
Date: Tue, 22 Feb 2005 12:12:09 -0500 (EST)


Mike

There are several advantages to token/PIN vs. username/password. In u/p you
have the problem of people writing passwords down because they cannot remember
them. As often as the password changes, so does their Post-it wear out, but
they'll still do it. Of course, if users are educated in how to make a good
password (notice the difference between "how to make" vs. "what is a" good
password), the problem would be lessened. I try to teach people to use various
mnemonic forms, such as taking a favorite phrase from a book or movie and using
the first and/or last characters, complete with punctuation and upper/lower case.

Anyway, although I'm not terribly familiar with USB tokens, I can say from
long experience with RSA's ACE/Server that it has definite advantages. First,
the PIN actually can be changed. RSA Secured certified VPN clients should
support NEW PINCODE, which allows a user to authenticate off your assigned PIN
to create a PIN of their own for their token.

Then, once you have a PIN assigned to the token, it's the 6-digit token code
that makes the password. Because this is unique to the token and changes
every minute or so, replay attacks become very unlikely. And to get *that*
code you need the PIN. So it's a combination of something you know with
something you have, whereas u/p is just something you know.

Since the PIN itself is just a 4-digit code, if you allow the user
to set it to something of their own devising (while cautioning them that it
cannot be 1234 or 4321, etc.), you have something they won't need to write
down. And because you have to possess the physical token AND know the PIN and
the user's ID, it works pretty well.

And it just needs to work well enough to outrun the other guy, not the bear.

Mark Boltz
Sr. Security Consultant
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
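Added example, not code from the original post and not RSA's own product code: an RFC 4226/6238-style analogue of the PIN-plus-tokencode scheme Mark describes above. It generates a 6-digit code from a shared seed and a 60-second time step, builds the passcode as PIN followed by tokencode, and verifies it on the server side with a one-step clock-drift window and the replay check that makes a captured passcode useless once the step has been consumed. The seed, PIN and user name are constructed test values, and the time step and drift window are assumptions; RSA SecurID's actual tokencode algorithm is proprietary and is not reproduced here.

```python
import hashlib
import hmac
import struct
import time

# Constructed example seed (the RFC 4226 test-vector key "12345678901234567890").
# In a real deployment the seed is provisioned into the token and the auth
# server and is never typed or transmitted; only the derived code is.
TOKEN_SEED = bytes.fromhex("3132333435363738393031323334353637383930")
STEP_SECONDS = 60   # assumption: "changes every minute or so"
DIGITS = 6


def tokencode(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """6-digit code for one time-step counter (RFC 4226 dynamic truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def current_counter(now: float, step: int = STEP_SECONDS) -> int:
    """Time-step counter the token and server both derive from the clock."""
    return int(now // step)


class TokenAuthServer:
    """Verifies PIN + tokencode passcodes; rejects replays of a consumed step."""

    def __init__(self, users):
        # users: user_id -> {"pin": str, "seed": bytes}  (constructed records)
        self._users = users
        self._last_counter_used = {}   # user_id -> last accepted counter

    def verify(self, user_id: str, passcode: str, now=None, drift_steps: int = 1) -> bool:
        if now is None:
            now = time.time()
        rec = self._users.get(user_id)
        if rec is None:
            return False
        pin, seed = rec["pin"], rec["seed"]

        # Passcode = something you know (PIN) + something you have (tokencode).
        if len(passcode) != len(pin) + DIGITS:
            return False
        supplied_pin, supplied_code = passcode[:len(pin)], passcode[len(pin):]
        if not hmac.compare_digest(supplied_pin, pin):
            return False

        # Allow a small clock-drift window around the server's current step.
        base = current_counter(now)
        for counter in range(base - drift_steps, base + drift_steps + 1):
            if hmac.compare_digest(tokencode(seed, counter), supplied_code):
                # Replay protection: a step at or before the last accepted one
                # is dead, even if the code is otherwise valid within the window.
                if counter <= self._last_counter_used.get(user_id, -1):
                    return False
                self._last_counter_used[user_id] = counter
                return True
        return False


def demo(now: float = 1_000_000.0):
    """Walk through a login, a replay of the same passcode, and the next minute."""
    server = TokenAuthServer({"mike": {"pin": "4711", "seed": TOKEN_SEED}})
    first = "4711" + tokencode(TOKEN_SEED, current_counter(now))
    second = "4711" + tokencode(TOKEN_SEED, current_counter(now) + 1)
    return {
        "login": server.verify("mike", first, now=now),
        "replay_10s_later": server.verify("mike", first, now=now + 10),
        "next_minute": server.verify("mike", second, now=now + STEP_SECONDS),
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {'accepted' if outcome else 'rejected'}")
```

The drift window is why the replay check is needed at all: without it, a passcode sniffed at second 5 of a minute would remain valid for the rest of that step plus the neighbouring one. Recording the last accepted counter per user closes that gap while still tolerating a token whose clock has wandered by a step.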