Saqib Ali wrote...
Ned Fleming wrote...
Not really. The card is something a person carries around. Besides the
cards can be made to be difficult to photocopy. And if stolen, they
can be treated the same as a stolen token: invalidated and a new one
generated as easy as kiss my hand.
hmmm.
how do you know when to replace/regenerate the card, if the attacker
only duplicated the card, and returned the original to your wallet???
static human-legible information can be duplicated using vaious
fotografic techniques.
[Ned Fleming]
I like the Entrust thingamabob. Think Pareto's Law: It gives 80
percent of the functionality of a secure token for 20 percent of the
cost. (Actually, I think it gives 96 percent of the functionality of a
secure token for 20 percent of the cost -- Pareto squared.)
This maybe true, but i would still like to see some data to support this
claim.
I think that one is we are all letting the formal definition of an
two-factor authentication make us miss the main point, which is that
certainly this is a LOT more secure than just a plain password--even
if the users already uses strong passwords.
Sure this Entrust Identity Guard is nothing more than an glorified Bingo
card with coordinates printed along the Y-axis, but that doesn't mean
it can't serve a similar purpose of a "what you have" factor of
authentication.
The point is that most people KNOW how to secure physical things. They
do this all the time with their wallets, their credit cards, small
pieces of jewelery, etc. If they are taught that this Identity Guard
needs to be protected just like a credit card, most of them will
afford it SUFFICIENT (not perfect) protection. So can it be duplicated?
Yes. Does it matter? Not as much as you might think, since the risk
of duplication is relatively low.
From a risk management perspective, in reality there is little difference
between this Identity Guard vs. somone securing an SSL client-certificate
on a removable media such as a floppy or a thumb drive. The removable media
can be stolen, copied, and put back as well. So if you don't secure your
private keys with a passphrase (and by observation, most people don't),
and this happens, you're screwed. And I doubt if most people protect that
floppy as well as they protect one of the credit cards. I've seen many
cases where all people do is eject the floppy with their certificate,
but leave it in the floppy drive bay. (There are probably the same people
who don't secure it with a passphrase either.)
Rather than arguing semantics of definitions, we ought to acknowledge
that this is substantially less risk than a password alone and is likely
to be deployed at a fraction of the cost of a smart card, key fob, etc.
While it definitely isn't the most secure solution, IMO, it still is a
good idea.
Just my $.02,
-kevin
---
Kevin W. Wall Qwest Information Technology, Inc.
Kevin.Wall@qwest.com Phone: 614.215.4788
"The reason you have people breaking into your software all
over the place is because your software sucks..."
-- Former whitehouse cybersecurity advisor, Richard Clarke,
at eWeek Security Summit
