[fw-wiz] Token based OTP: SafeWord or SecurID?

daN. dan@nesmail.com
Mon, 25 Sep 2000 12:21:54 -0700


>On the other hand, it makes the PIN weaker since it can be sniffed. Does 
>anyone think this matters?
>
>Rick.
>smith@securecomputing.com         roseville, minnesota

Used in conjunction with SSH or some other encrypted protocol it matters 
much, used in conjunction with telnet I would say it still matters 
somewhat..although telnet or other cleartext authentification is a bad idea 
in any event because someone who could sniff you secure ID could just as 
easily hijack your session..

The only real use of a PIN prevents someone who has stolen the card from 
gaining immediate access to the system of course this is assuming you don't 
let your users use 1234 as their secure pin :)...

Out of curiosity does anyone know if there are Smart-Card security cards 
out there the work on public Key cryptography? (Computer passes you a 
random token, card signs it and passes it back? System verifies it by 
checking against public key) obvious drawback of this type of system is of 
course you need extra hardware on your workstations...Unless of course you 
could interface it with floppy/pcmcia/Serial/Parallel/etc...


daN.