QuizID?

Adam Fields fields at surgam.net
Fri Oct 18 15:35:23 EDT 2002


On Fri, Oct 18, 2002 at 11:47:32AM -0700, bear wrote:
> Actually, it looks like a fairly good idea.  The idea of a
> standalone token (i.e., not requiring any electronic interface
> to the machine) eliminates some hardware barriers that would
> otherwise hinder the device's acceptance, and it really *is*
> a lot more secure than password authentication.
> 
> It could be made better -- you could have the server take the
> user's password and issue a challenge for that user's device,
> which the user would then punch into the device, and enter the
> device's response back to the server.  In fact that may be how
> this thing works - I couldn't tell for sure through all their
> marketroid-speak whether there is a unique challenge from the
> server or whether the user enters the same use-code into the
> device every time.
> 
> But, even though that would be more secure, it could also end
> up in a slightly less desirable position on the security-
> versus-annoyance curve. I think the major target here is
> consumer-grade security - while it would be nice if these
> devices were secure enough to control access to Fort Knox,
> they can't afford to annoy users enough (or require them to
> think enough) to get that level of security.

In 1997, I wrote a working prototype of a challenge/response
authenticator where the client is a Palm Pilot.

http://www.hedge.net/fields/projects/PAD/

The UI is incredibly clunky (you have to enter lots of long hex
strings by hand), but it's functional.

--

-----
Adam Fields, Managing Partner, fields at surgam.net
Surgam, Inc. is a technology consulting firm with strong background in
delivering scalable and robust enterprise web and IT applications.
http://www.adamfields.com
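
The challenge/response flow discussed in this message, as an added example that is not part of the original post and is not the PAD or QuizID design: a server issues a fresh per-login challenge, a standalone token turns it into a short response, and a captured response cannot be replayed. HMAC-SHA256, the 8-hex-digit lengths and every name here are assumptions; the password step and attempt rate limiting are left out.

```python
import hashlib
import hmac
import secrets

RESPONSE_HEX_LEN = 8  # assumption: short enough to type by hand


def device_response(device_key: bytes, challenge: str) -> str:
    """What the standalone token computes from the typed-in challenge."""
    mac = hmac.new(device_key, challenge.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:RESPONSE_HEX_LEN]


class Server:
    def __init__(self):
        self.device_keys = {}  # user -> secret shared with that user's token
        self.pending = {}      # user -> outstanding challenge (single use)

    def enroll(self, user: str) -> bytes:
        key = secrets.token_bytes(32)
        self.device_keys[user] = key
        return key

    def issue_challenge(self, user: str) -> str:
        challenge = secrets.token_hex(4)  # 8 hex digits, fresh per login
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        # pop() consumes the challenge, so each one is good for one attempt
        challenge = self.pending.pop(user, None)
        key = self.device_keys.get(user)
        if challenge is None or key is None:
            return False
        expected = device_response(key, challenge)
        typed = response.strip().lower()
        return hmac.compare_digest(expected.encode(), typed.encode())


def demo() -> dict:
    server = Server()
    key = server.enroll("alice")  # constructed sample user
    first = server.issue_challenge("alice")
    answer = device_response(key, first)
    results = {"fresh": server.verify("alice", answer)}
    # Same response again: the challenge was already consumed
    results["replay_same_challenge"] = server.verify("alice", answer)
    server.issue_challenge("alice")  # next login gets a new challenge
    results["replay_new_challenge"] = server.verify("alice", answer)
    return results
```

A token that accepts the same use-code every time has no equivalent of `pending`, so nothing on the server side distinguishes a replayed response from a fresh one.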

---------------------------------------------------------------------
The Cryptography Mailing List