Good point.

And also, a lot of users would a) not notice that the key had been stolen at
all. ii) would ask the IT department for a new one explaining that they
"lost" their old one without admitting that it was stolen.

But you didn't answer my bigger question.

What products are out there that require both the hardware, the pin AND

This seems to me the best way because you need four pieces of info.


-----Original Message-----
From: Marcus J. Ranum []
Sent: Tuesday, February 22, 2005 11:51 AM
To: Hawkins, Michael;
Subject: Re: [fw-wiz] Username password VS hardware token plus PIN

MHawkins@TULLIB.COM wrote:
>What is the value of hardware token with burned in PIN as compared to
>username password (when the password policy is forced strong)?

A physical device has the valuable property that it cannot be
stolen twice. I can steal your password and you still have it.
If I steal your token, you know it's gone - unless I steal it using
much more complicated techniques that involve me sending an
undercover agent to your location. This is a particularly valuable
property for network devices and systems because we don't yet
know how to steal a physical device over SSH.

I suppose the closest that'd come would be a social engineering
attack along the lines of:
"Dear -
We need to change the batteries in your authentication token,
as part of annual maintenance. Please mail it in the included
business reply envelope within the next 30 days if you wish to have
continued access. Include a $20 bill for the battery replacement
and disposal of the old batteries. There will be a $100 late fee if
take longer than 30 days to return your authentication token for
Thank you,
The Security Department,"

And my guess is 10% of your average users would fall for it.


The information contained in this email is confidential and may also contain
privileged information. Sender does not waive confidentiality or legal
privilege. If you are not the intended recipient please notify the sender
immediately; you should not retain this message or disclose its content to
Internet communications are not secure or error free and the sender does not
accept any liability for the content of the email. Although emails are
routinely screened for viruses, the sender does not accept responsibility
for any damage caused. Replies to this email may be monitored.
For more information about the Collins Stewart Tullett group of companies
please visit the following web site:

firewall-wizards mailing list