bear bear at sonic.net
Fri Oct 18 14:47:32 EDT 2002

On Thu, 17 Oct 2002, Marc Branchaud wrote:

>Any thoughts on this device?  At first glance, it doesn't seem
>particularly impressive...
>Lovely idea of two-factor authentication:
>   The user then enters their user name (something they know) and the
>   8-digit Quizid passcode (something they have) into the login screen
>   of their application.

Actually, it looks like a fairly good idea.  The idea of a
standalone token (i.e., not requiring any electronic interface
to the machine) eliminates some hardware barriers that would
otherwise hinder the device's acceptance, and it really *is*
a lot more secure than password authentication.

It could be made better -- you could have the server take the
user's password and issue a challenge for that user's device,
which the user would then punch into the device, and enter the
device's response back to the server.  In fact that may be how
this thing works - I couldn't tell for sure through all their
marketroid-speak whether there is a unique challenge from the
server or whether the user enters the same use-code into the
device every time.

But, even though that would be more secure, it could also end
up in a slightly less desirable position on the
security-versus-annoyance curve. I think the major target here is
consumer-grade security - while it would be nice if these
devices were secure enough to control access to Fort Knox,
they can't afford to annoy users enough (or require them to
think enough) to get that level of security.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
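The challenge-response variant sketched in the reply above, written out as a small model so the two halves of the exchange are concrete. This is an added example, not code from the original post and not a description of how the Quizid device actually works: the server, the token, the shared per-device secret, the HMAC-based passcode derivation and the 8-digit truncation are all assumptions chosen for illustration (the page only quotes an 8-digit passcode). The flow is the one the reply proposes: the server checks the password (something they know), issues a fresh random challenge, the user types it into the standalone device, and the device's response (something they have) is sent back and verified.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

DIGITS = 8  # passcode length quoted on the page ("8-digit Quizid passcode")


def passcode(secret: bytes, challenge: str) -> str:
    """Assumed derivation: HMAC-SHA256 over the challenge, truncated to DIGITS
    decimal digits so it can be read off a display and typed by hand."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)


class Token:
    """Hypothetical standalone device: shares one secret with the server and has
    no electronic link to the PC. The user keys the challenge in by hand."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: str) -> str:
        return passcode(self._secret, challenge)


class Server:
    """Hypothetical server side: password first, then a single-use challenge."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, bytes]] = {}  # salt, pw hash, token secret
        self._pending: Dict[str, str] = {}  # user -> outstanding challenge

    def enroll(self, user: str, password: str, token_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user] = (salt, pw_hash, token_secret)

    def start_login(self, user: str, password: str) -> Optional[str]:
        """Step 1: verify the password; only then issue a challenge for the device."""
        rec = self._users.get(user)
        if rec is None:
            return None
        salt, pw_hash, _ = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(cand, pw_hash):
            return None
        challenge = str(secrets.randbelow(10**DIGITS)).zfill(DIGITS)
        self._pending[user] = challenge  # replaces any earlier unanswered challenge
        return challenge

    def finish_login(self, user: str, response: str) -> bool:
        """Step 2: check the device's response against the one outstanding challenge.
        The challenge is consumed whether or not the response matches."""
        challenge = self._pending.pop(user, None)
        if challenge is None:
            return False
        expected = passcode(self._users[user][2], challenge)
        return hmac.compare_digest(expected, response)


def demo() -> Dict[str, bool]:
    """Run the exchange with constructed credentials and report what the server decided."""
    secret = b"constructed-per-device-secret"  # constructed; provisioned at enrolment
    srv, dev = Server(), Token(secret)
    srv.enroll("alice", "correct horse battery", secret)

    ch = srv.start_login("alice", "correct horse battery")
    results = {"fresh_login_ok": srv.finish_login("alice", dev.respond(ch))}

    # A passcode observed during one login is useless later: the next login
    # gets a new challenge, so the old response no longer matches.
    srv.start_login("alice", "correct horse battery")
    results["stale_passcode_rejected"] = not srv.finish_login("alice", dev.respond(ch))

    # No challenge is issued until the password check passes.
    results["no_challenge_without_password"] = srv.start_login("alice", "guess") is None
    return results


if __name__ == "__main__":
    print(demo())
```

The property worth noticing is the one the reply is asking about: because the server picks a fresh random challenge per login, `dev.respond(...)` changes every time and an observed passcode does not verify again. If instead the user keyed the same fixed use-code into the device every time and the device mixed in nothing else (no counter, no clock), `passcode(secret, use_code)` would be a constant, and the scheme would degrade to a second static password. Whether the real product includes a server challenge is exactly what the post says it could not determine.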