[11871] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: QuizID?

daemon@ATHENA.MIT.EDU (Adam Fields)
Fri Oct 18 15:40:56 2002

Date: Fri, 18 Oct 2002 14:35:23 -0500
From: Adam Fields <fields@surgam.net>
To: bear <bear@sonic.net>
Cc: Marc Branchaud <marcnarc@rsasecurity.com>,
	cryptography@wasabisystems.com
In-Reply-To: <Pine.LNX.4.40.0210181129050.31894-100000@newbolt.sonic.net>

On Fri, Oct 18, 2002 at 11:47:32AM -0700, bear wrote:
> Actually, it looks like a fairly good idea.  The idea of a
> standalone token (i.e., not requiring any electronic interface
> to the machine) eliminates some hardware barriers that would
> otherwise hinder the device's acceptance, and it really *is*
> a lot more secure than password authentication.
> 
> It could be made better -- you could have the server take the
> user's password and issue a challenge for that user's device,
> which the user would then punch into the device, and enter the
> device's response back to the server.  In fact that may be how
> this thing works - I couldn't tell for sure through all their
> marketroid-speak whether there is a unique challenge from the
> server or whether the user enters the same use-code into the
> device every time.
> 
> But, even though that would be more secure, it could also end
> up in a slightly less desirable position on the security-
> versus-annoyance curve. I think the major target here is
> consumer-grade security - while it would be nice if these
> devices were secure enough to control access to Fort Knox,
> they can't afford to annoy users enough (or require them to
> think enough) to get that level of security.

In 1997, I wrote a working prototype of a challenge/response
authenticator where the client is a Palm Pilot.

http://www.hedge.net/fields/projects/PAD/

The UI is incredibly clunky (you have to enter lots of long hex
strings by hand), but it's functional.

--

-----
Adam Fields, Managing Partner, fields@surgam.net
Surgam, Inc. is a technology consulting firm with strong background in
delivering scalable and robust enterprise web and IT applications.
http://www.adamfields.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
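The exchange bear sketches above (server checks the password, shows a challenge, the user keys it into a standalone device, the device's answer is typed back) as an added worked example. This is illustration code written for this archive page; it is neither the QuizID product nor the PAD prototype Adam links, and it assumes a design the thread does not spell out: a per-user secret shared between server and device, HMAC-SHA256 for the device computation, an 8-digit challenge, a 6-digit response, and PBKDF2 for the password check.

```python
"""Challenge/response login with a standalone (disconnected) token.

Added illustration, not the QuizID product or the PAD prototype from the
thread. Assumed design: the server and the user's device share a per-user
secret; once the password checks out, the server displays a random 8-digit
challenge, the user types it into the device, the device answers with a
6-digit HMAC-derived code, and the user types that code back.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

CHALLENGE_DIGITS = 8   # what the user copies from the screen into the device
RESPONSE_DIGITS = 6    # what the user copies from the device back to the screen


def token_response(device_secret: bytes, challenge: str) -> str:
    """What the standalone device computes; it never talks to the server."""
    mac = hmac.new(device_secret, challenge.encode("ascii"), hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") & 0x7FFFFFFF
    return f"{value % 10**RESPONSE_DIGITS:0{RESPONSE_DIGITS}d}"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Server:
    """Server side: password check, one-shot challenge, response check."""

    def __init__(self, rng: Callable[[int], int] = secrets.randbelow) -> None:
        self._rng = rng  # injectable so tests can pin the challenge sequence
        # user -> (salt, password hash, device secret provisioned at enrollment)
        self._users: Dict[str, Tuple[bytes, bytes, bytes]] = {}
        self._pending: Dict[str, str] = {}  # user -> outstanding challenge

    def enroll(self, user: str, password: str, device_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _hash_password(password, salt), device_secret)

    def begin_login(self, user: str, password: str) -> Optional[str]:
        """Step 1: verify the password; on success issue a fresh challenge."""
        record = self._users.get(user)
        if record is None:
            return None
        salt, pw_hash, _ = record
        if not hmac.compare_digest(pw_hash, _hash_password(password, salt)):
            return None
        challenge = f"{self._rng(10**CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"
        self._pending[user] = challenge  # replaces any earlier unanswered challenge
        return challenge

    def finish_login(self, user: str, response: str) -> bool:
        """Step 2: check the device's answer against the outstanding challenge."""
        # One shot: the challenge is consumed whether or not the answer is right,
        # so a wrong guess forces the user back through step 1.
        challenge = self._pending.pop(user, None)
        if challenge is None:
            return False
        _, _, device_secret = self._users[user]
        expected = token_response(device_secret, challenge)
        return hmac.compare_digest(expected, response)


def demo() -> Tuple[bool, bool]:
    """Full exchange, then a replay of the old response against a new challenge."""
    server = Server()
    device_secret = secrets.token_bytes(20)  # constructed: loaded into the device at enrollment
    server.enroll("alice", "correct horse", device_secret)

    challenge = server.begin_login("alice", "correct horse")
    response = token_response(device_secret, challenge)  # the user does this by hand
    first_ok = server.finish_login("alice", response)

    # A response captured from one login is tied to that challenge; the next
    # login gets a new challenge, so the old response is (with overwhelming
    # probability) rejected. This is the property a fixed "use-code" lacks.
    server.begin_login("alice", "correct horse")
    replay_ok = server.finish_login("alice", response)
    return first_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```

The point bear could not extract from the marketing copy is visible in `finish_login`: because each login consumes a fresh server-issued challenge, a response observed on the wire (or over a shoulder) is not reusable, whereas a device fed the same use-code every time produces a static code that is. The 6-digit response space is small by design, so a real server would also cap failed attempts per user; that rate limit is not shown here.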
