Adam Fields fields at surgam.net
Fri Oct 18 15:35:23 EDT 2002

On Fri, Oct 18, 2002 at 11:47:32AM -0700, bear wrote:
> Actually, it looks like a fairly good idea.  The idea of a
> standalone token (i.e., not requiring any electronic interface
> to the machine) eliminates some hardware barriers that would
> otherwise hinder the device's acceptance, and it really *is*
> a lot more secure than password authentication.
>
> It could be made better -- you could have the server take the
> user's password and issue a challenge for that user's device,
> which the user would then punch into the device, and enter the
> device's response back to the server.  In fact that may be how
> this thing works - I couldn't tell for sure through all their
> marketroid-speak whether there is a unique challenge from the
> server or whether the user enters the same use-code into the
> device every time.
>
> But, even though that would be more secure, it could also end
> up in a slightly less desirable position on the security-
> versus-annoyance curve. I think the major target here is
> consumer-grade security - while it would be nice if these
> devices were secure enough to control access to Fort Knox,
> they can't afford to annoy users enough (or require them to
> think enough) to get that level of security.

In 1997, I wrote a working prototype of a challenge/response
authenticator where the client is a Palm Pilot.


The UI is incredibly clunky (you have to enter lots of long hex
strings by hand), but it's functional.


Adam Fields, Managing Partner, fields at surgam.net
Surgam, Inc. is a technology consulting firm with strong background in
delivering scalable and robust enterprise web and IT applications.
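The password-then-challenge flow bear sketches above (server checks the password, issues a per-login challenge, the user keys it into a standalone device and types the device's response back) is easy to get subtly wrong on the server side. The following is an added illustration written for this archive page; it is not code from the list post, from bear, from Adam Fields' Palm Pilot prototype, or from the product under discussion. The device computation (HMAC-SHA256 over the challenge, truncated to six digits), the 8-hex-digit challenge, the 60-second lifetime and the enrolment records are all assumptions chosen for the example; the post does not say what the real device computes.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 60   # a challenge the user never finishes keying in simply expires
PBKDF2_ROUNDS = 100_000      # password hashing cost; assumed value for the example


def device_response(device_secret: bytes, challenge: str) -> str:
    """What the handheld computes from the challenge the user keys in.

    Hypothetical scheme: HMAC-SHA256 over the challenge, truncated to six
    decimal digits so the user can type the answer back. The real device's
    algorithm is not described in the post.
    """
    mac = hmac.new(device_secret, challenge.encode("ascii"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


class AuthServer:
    """Server side of the two-step login: password first, then challenge/response."""

    def __init__(self):
        self.users = {}    # user -> {"salt", "pw_hash", "device_secret"}
        self.pending = {}  # user -> (challenge, expiry); at most one live challenge per user

    def enroll(self, user: str, password: str, device_secret: bytes) -> None:
        # Constructed enrolment: in practice the device secret is provisioned into
        # the token at manufacture and kept server-side in protected storage.
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[user] = {"salt": salt, "pw_hash": pw_hash, "device_secret": device_secret}

    def start_login(self, user: str, password: str):
        """Step 1: verify the password, then issue a fresh random challenge.

        Returns the 8-hex-digit challenge to show the user, or None on a bad
        password (the challenge is only issued once the first factor passes).
        """
        rec = self.users.get(user)
        if rec is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, rec["pw_hash"]):
            return None
        challenge = secrets.token_hex(4)  # unpredictable, unique per login attempt
        self.pending[user] = (challenge, time.monotonic() + CHALLENGE_TTL_SECONDS)
        return challenge

    def finish_login(self, user: str, response: str) -> bool:
        """Step 2: check the device's response against the outstanding challenge.

        The challenge is consumed on the first attempt, successful or not, so a
        response captured in transit is useless afterwards; an expired challenge
        is rejected the same way.
        """
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        challenge, expiry = entry
        if time.monotonic() > expiry:
            return False
        expected = device_response(self.users[user]["device_secret"], challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed demo values: one enrolled user with a made-up 128-bit device secret.
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")
    server = AuthServer()
    server.enroll("alice", "correct horse battery", secret)

    challenge = server.start_login("alice", "correct horse battery")
    print("challenge shown to user:", challenge)
    answer = device_response(secret, challenge)      # user keys challenge in, reads this off the device
    print("device response:", answer)
    print("login ok:", server.finish_login("alice", answer))
    print("same response again:", server.finish_login("alice", answer))  # False: challenge consumed
```

The two properties that separate this from the "same use-code every time" variant bear could not rule out are both in `finish_login`: the challenge is random per attempt, and it is removed from `pending` before the response is even compared, so neither a replayed response nor a second guess against the same challenge gets through. `hmac.compare_digest` is used for both the password hash and the response so the comparison time does not depend on how many leading characters matched.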

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com