PaulDotCom mailing list archives

Re: Soft Tokens??


From: Jack Daniel <jackadaniel () gmail com>
Date: Sat, 10 Nov 2012 11:15:12 -0500

On Saturday, November 10, 2012, Robin Wood wrote:

On 10 November 2012 12:48, Herndon Elliott <alabamatoy () gmail com>
wrote:
Subject: [Pauldotcom] Soft Tokens??
What are your thoughts on software tokens as a two factor auth
solution? Would like to hear both sides. And if you're 'for' then which
solutions/products have you used. And by all means if you have pwn'd a two
factor soft token login, please share (if you can).

Isn't "two factor" and "software token" mutually exclusive?  While a
software implementation of two factor may emulate the actual hardware
(the second factor), isn't it actually, really not two factor?  It's one
factor, something you know.  The something you have is now just
another app that the user doesn't really provide?

I'd disagree with that, an RSA token is just software running on a
custom piece of hardware. What is the difference between the RSA token
and an app running on my Android phone when both are generating
authentication codes?

Not saying the app is as secure as the hardware token just a different
way to implement it.

Robin

I'm with Robin, "hardware" solutions are just custom software on custom
hardware.  The separation of devices is the advantage, as a compromised
laptop generating its own 2fa is questionable, but some of the soft tokens
will run on phones or other devices (which are, of course, targets of
attack themselves).

If you want to play with software 2fa, you might want to check out WiKID
(wikidsystems.com), they have an Open Source version so you can play for
free.

 Jack



-- 
______________________________________
Jack Daniel, Reluctant CISSP
http://twitter.com/jack_daniel
http://www.linkedin.com/in/jackadaniel
http://blog.uncommonsensesecurity.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
