<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments on: Two-factor authentication using a hardware token</title>
	<atom:link href="http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/feed/" rel="self" type="application/rss+xml" />
	<link>http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/</link>
	<description>Fresh hacks every day</description>
	<lastBuildDate>Sun, 12 Feb 2012 02:22:53 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
	<item>
		<title>By: Jon</title>
		<link>http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/comment-page-2/#comment-192319</link>
		<dc:creator><![CDATA[Jon]]></dc:creator>
		<pubDate>Wed, 06 Oct 2010 17:47:29 +0000</pubDate>
		<guid isPermaLink="false">http://hackaday.com/?p=17517#comment-192319</guid>
		<description><![CDATA[These systems are NOT totally secure, the 2FA system that you refer to (two-factor authentication) was breached by a very simple &#039;man in the middle&#039; attack back in 2007.

see: http://www.out-law.com/page-7967

The technical staff of banks know this, and they also know that it will cost a bomb to totally implement, and not even work; don&#039;t forget, the thieves are ALWAYS one step ahead]]></description>
		<content:encoded><![CDATA[<p>These systems are NOT totally secure, the 2FA system that you refer to (two-factor authentication) was breached by a very simple &#8216;man in the middle&#8217; attack back in 2007.</p>
<p>see: <a href="http://www.out-law.com/page-7967" rel="nofollow">http://www.out-law.com/page-7967</a></p>
<p>The technical staff of banks know this, and they also know that it will cost a bomb to totally implement, and not even work; don&#8217;t forget, the thieves are ALWAYS one step ahead</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Matt</title>
		<link>http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/comment-page-2/#comment-109184</link>
		<dc:creator><![CDATA[Matt]]></dc:creator>
		<pubDate>Fri, 27 Nov 2009 13:50:24 +0000</pubDate>
		<guid isPermaLink="false">http://hackaday.com/?p=17517#comment-109184</guid>
		<description><![CDATA[Oh, just in case anyone above thinks mobile phone SMS authentication offers any better security than the broken tokens, here&#039;s the first of many articles coming to you.

http://news.cnet.com/8301-13506_3-10403425-17.html?part=rss&amp;subj=news&amp;tag=2547-1_3-0-20]]></description>
		<content:encoded><![CDATA[<p>Oh, just in case anyone above thinks mobile phone SMS authentication offers any better security than the broken tokens, here&#8217;s the first of many articles coming to you.</p>
<p><a href="http://news.cnet.com/8301-13506_3-10403425-17.html?part=rss&#038;subj=news&#038;tag=2547-1_3-0-20" rel="nofollow">http://news.cnet.com/8301-13506_3-10403425-17.html?part=rss&#038;subj=news&#038;tag=2547-1_3-0-20</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Matt</title>
		<link>http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/comment-page-2/#comment-109183</link>
		<dc:creator><![CDATA[Matt]]></dc:creator>
		<pubDate>Fri, 27 Nov 2009 13:38:15 +0000</pubDate>
		<guid isPermaLink="false">http://hackaday.com/?p=17517#comment-109183</guid>
		<description><![CDATA[I can&#039;t believe no one here mentioned that the new trojans are circumventing almost all brands of these types of tokens; hell, even the phishing scams are getting past them. The phishing scammers simply added an instant messenger to their fake pages and instant msg the valid code off to the attacker, then whoops, you got a &quot;session timed out, please login again&quot; to give the scammers in the background a second code to empty your account. As for the trojans, Zeus, URLzone, Silon etc., they simply hijack your browser and do the same thing, even permanently saving your now empty balance value so you don&#039;t know you&#039;ve been scammed. The user has no idea what he is authenticating with the generic numbers all these things spit out. PassWindow is immune as the transaction values, i.e. destination account, value etc., can be included in the challenge itself, which even the trojans can&#039;t touch, and the transparent key patterns cost nothing to implement.]]></description>
		<content:encoded><![CDATA[<p>I can&#8217;t believe no one here mentioned that the new trojans are circumventing almost all brands of these types of tokens; hell, even the phishing scams are getting past them. The phishing scammers simply added an instant messenger to their fake pages and instant msg the valid code off to the attacker, then whoops, you got a &#8220;session timed out, please login again&#8221; to give the scammers in the background a second code to empty your account. As for the trojans, Zeus, URLzone, Silon etc., they simply hijack your browser and do the same thing, even permanently saving your now empty balance value so you don&#8217;t know you&#8217;ve been scammed. The user has no idea what he is authenticating with the generic numbers all these things spit out. PassWindow is immune as the transaction values, i.e. destination account, value etc., can be included in the challenge itself, which even the trojans can&#8217;t touch, and the transparent key patterns cost nothing to implement.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: TM</title>
		<link>http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/comment-page-2/#comment-106988</link>
		<dc:creator><![CDATA[TM]]></dc:creator>
		<pubDate>Thu, 12 Nov 2009 13:42:42 +0000</pubDate>
		<guid isPermaLink="false">http://hackaday.com/?p=17517#comment-106988</guid>
		<description><![CDATA[Another company Arcot Systems has 2 factor with software token - more convenient.]]></description>
		<content:encoded><![CDATA[<p>Another company Arcot Systems has 2 factor with software token &#8211; more convenient.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Harry Barracuda</title>
		<link>http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/comment-page-1/#comment-106632</link>
		<dc:creator><![CDATA[Harry Barracuda]]></dc:creator>
		<pubDate>Tue, 10 Nov 2009 10:32:26 +0000</pubDate>
		<guid isPermaLink="false">http://hackaday.com/?p=17517#comment-106632</guid>
		<description><![CDATA[We use the Cryptocard version and it works fine. The person that said it can be compromised if you&#039;re using it from Windows clearly doesn&#039;t understand the technology.

Until biometrics and RFID implants have matured, this is probably the most effective protection against illegal access.

Not cheap though!

And yes, it requires a user PIN and the code from the token to gain access; the user still then has to login to the domain. You can get SSO options but in my book that weakens security so why bother?]]></description>
		<content:encoded><![CDATA[<p>We use the Cryptocard version and it works fine. The person that said it can be compromised if you&#8217;re using it from Windows clearly doesn&#8217;t understand the technology.</p>
<p>Until biometrics and RFID implants have matured, this is probably the most effective protection against illegal access.</p>
<p>Not cheap though!</p>
<p>And yes, it requires a user PIN and the code from the token to gain access; the user still then has to login to the domain. You can get SSO options but in my book that weakens security so why bother?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Shaun</title>
		<link>http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/comment-page-1/#comment-105571</link>
		<dc:creator><![CDATA[Shaun]]></dc:creator>
		<pubDate>Wed, 04 Nov 2009 09:07:40 +0000</pubDate>
		<guid isPermaLink="false">http://hackaday.com/?p=17517#comment-105571</guid>
		<description><![CDATA[Verisign&#039;s PIP service (which can also be an OpenID provider) can use the verisign tokens (I got mine through paypal) as an extra layer of authentication.]]></description>
		<content:encoded><![CDATA[<p>Verisign&#8217;s PIP service (which can also be an OpenID provider) can use the verisign tokens (I got mine through paypal) as an extra layer of authentication.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jason Koller</title>
		<link>http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/comment-page-1/#comment-104399</link>
		<dc:creator><![CDATA[Jason Koller]]></dc:creator>
		<pubDate>Wed, 28 Oct 2009 03:46:48 +0000</pubDate>
		<guid isPermaLink="false">http://hackaday.com/?p=17517#comment-104399</guid>
		<description><![CDATA[It seems to me there are two possible approaches to this using something people already carry.
A cell phone.

Option 1: Mobile Phone Synchronized Encryption App
An App could be written for various phones (iPhone, Pre, Android,
etc. ... ) that work on the same concept of an encryption key. The user
could generate his own custom key, and enter it into his phone via SD
card, SMS, or EMail. This key would be unique to his account allowing
only him to log in. The code would change every few minutes and use
the cell network clock as the source. This would work just like the RSA Key Fob.

Option 2: Randomly Generated Code sent via SMS
A new code could be randomly generated and
sent to the user&#039;s phone via SMS. The code would include upper and
lower case letters, numbers, and special characters, just like any
good password should. Each code would only be valid for a few minutes
and logging on before the server had received the request for
the code would be prohibited.

Of course it could be hacked,
Just like any other security method.
But it does stack the odds to be more in your favor.]]></description>
		<content:encoded><![CDATA[<p>It seems to me there are two possible approaches to this using something people already carry.<br />
A cell phone.</p>
<p>Option 1: Mobile Phone Synchronized Encryption App<br />
An App could be written for various phones (iPhone, Pre, Android,<br />
etc. &#8230; ) that work on the same concept of an encryption key. The user<br />
could generate his own custom key, and enter it into his phone via SD<br />
card, SMS, or EMail. This key would be unique to his account allowing<br />
only him to log in. The code would change every few minutes and use<br />
the cell network clock as the source. This would work just like the RSA Key Fob.</p>
<p>Option 2: Randomly Generated Code sent via SMS<br />
A new code could be randomly generated and<br />
sent to the user&#8217;s phone via SMS. The code would include upper and<br />
lower case letters, numbers, and special characters, just like any<br />
good password should. Each code would only be valid for a few minutes<br />
and logging on before the server had received the request for<br />
the code would be prohibited.</p>
<p>Of course it could be hacked,<br />
Just like any other security method.<br />
But it does stack the odds to be more in your favor.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: kohr</title>
		<link>http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/comment-page-1/#comment-103648</link>
		<dc:creator><![CDATA[kohr]]></dc:creator>
		<pubDate>Fri, 23 Oct 2009 23:44:20 +0000</pubDate>
		<guid isPermaLink="false">http://hackaday.com/?p=17517#comment-103648</guid>
		<description><![CDATA[This is news? lol.

These things like a few of you had said have been around for so many years. AOL Oppsec employees used to have them to log into their internal accounts. 

When you&#039;d log into one of the employees&#039; internal accounts you couldn&#039;t sign on without the current key. The way around that was to use a very out of date AOL version, hehe.]]></description>
		<content:encoded><![CDATA[<p>This is news? lol.</p>
<p>These things like a few of you had said have been around for so many years. AOL Oppsec employees used to have them to log into their internal accounts. </p>
<p>When you&#8217;d log into one of the employees&#8217; internal accounts you couldn&#8217;t sign on without the current key. The way around that was to use a very out of date AOL version, hehe.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: kevino</title>
		<link>http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/comment-page-1/#comment-103319</link>
		<dc:creator><![CDATA[kevino]]></dc:creator>
		<pubDate>Thu, 22 Oct 2009 20:49:17 +0000</pubDate>
		<guid isPermaLink="false">http://hackaday.com/?p=17517#comment-103319</guid>
		<description><![CDATA[You kids...

I used to administer a SecurID server; I believe I bought it in 1995. Ran on a Solaris SPARC 10.

I was running version 3.52 of the code, not exactly new.

They allow all sorts of devices, software and operating systems to authenticate using RADIUS or TACACS to a centralized server; the user has a 4-8 digit PIN and enters a username and the PIN + the code on the fob.

The server keeps track of the fob, and knows what the code on it should be at any particular time. Each successful login resets the clock sync, if you don&#039;t login for a while (or the server has a lot of clock drift) you need to get in touch with the admin to sync the pin manually. If you are a doofus and reset the system clock to 1985 to try to avoid Y2K bugs then all 5000 people on the server have to call in and resync, as my replacement discovered. 


A successful login makes the user unavailable until the code changes. A code entered twice puts the token into next token mode, which can be annoying. I think you can enter your PIN in reverse to get an under-duress login, if someone has a gun to your head trying to get into your bank account, or sensitive system. The admin gets an email and is supposed to call the cops.

I did this twice, it always involved alcohol.

You would need to do a man-in-the-middle attack to hijack the SSL or IPsec connection, and then enter the code into the remote system before the user and send the user a bad result somehow. This is all encrypted, so good luck, super cracker.]]></description>
		<content:encoded><![CDATA[<p>You kids&#8230;</p>
<p>I used to administer a SecurID server; I believe I bought it in 1995. Ran on a Solaris SPARC 10.</p>
<p>I was running version 3.52 of the code, not exactly new.</p>
<p>They allow all sorts of devices, software and operating systems to authenticate using RADIUS or TACACS to a centralized server; the user has a 4-8 digit PIN and enters a username and the PIN + the code on the fob.</p>
<p>The server keeps track of the fob, and knows what the code on it should be at any particular time. Each successful login resets the clock sync, if you don&#8217;t login for a while (or the server has a lot of clock drift) you need to get in touch with the admin to sync the pin manually. If you are a doofus and reset the system clock to 1985 to try to avoid Y2K bugs then all 5000 people on the server have to call in and resync, as my replacement discovered. </p>
<p>A successful login makes the user unavailable until the code changes. A code entered twice puts the token into next token mode, which can be annoying. I think you can enter your PIN in reverse to get an under-duress login, if someone has a gun to your head trying to get into your bank account, or sensitive system. The admin gets an email and is supposed to call the cops.</p>
<p>I did this twice, it always involved alcohol.</p>
<p>You would need to do a man-in-the-middle attack to hijack the SSL or IPsec connection, and then enter the code into the remote system before the user and send the user a bad result somehow. This is all encrypted, so good luck, super cracker.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Dr.Danger</title>
		<link>http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/comment-page-1/#comment-103312</link>
		<dc:creator><![CDATA[Dr.Danger]]></dc:creator>
		<pubDate>Thu, 22 Oct 2009 20:34:49 +0000</pubDate>
		<guid isPermaLink="false">http://hackaday.com/?p=17517#comment-103312</guid>
		<description><![CDATA[RSA has already released a software app for the iPhone/Blackberry. We use the soft and hard versions at my job for VPN and OWA. You still have to use a PIN to get a correct code, which is an 8-digit code instead of the keyfob&#039;s 6-digit code. The software always gives you a code, it just gives you a bad code if you use the wrong PIN, so you can&#039;t tell until you try to use the code. If the server is on a 4-try lockout, it is pretty secure. Your ID is set through an encrypted user token that is imported into the software. The only way to hack this is if you know the PIN and acquire the token; then you can get in.]]></description>
		<content:encoded><![CDATA[<p>RSA has already released a software app for the iPhone/Blackberry. We use the soft and hard versions at my job for VPN and OWA. You still have to use a PIN to get a correct code, which is an 8-digit code instead of the keyfob&#8217;s 6-digit code. The software always gives you a code, it just gives you a bad code if you use the wrong PIN, so you can&#8217;t tell until you try to use the code. If the server is on a 4-try lockout, it is pretty secure. Your ID is set through an encrypted user token that is imported into the software. The only way to hack this is if you know the PIN and acquire the token; then you can get in.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: itwork4me</title>
		<link>http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/comment-page-1/#comment-103058</link>
		<dc:creator><![CDATA[itwork4me]]></dc:creator>
		<pubDate>Wed, 21 Oct 2009 21:29:11 +0000</pubDate>
		<guid isPermaLink="false">http://hackaday.com/?p=17517#comment-103058</guid>
		<description><![CDATA[I really appreciate aXon&#039;s link...I have one of these.  I actually have a really nice small version -for the hip Sys Admins.  Just this morning I was trying to think of a way to pass the credentials from my nt terminal server session to the server session(0) where the authentication window opens.  I figured I would use a javascript to authenticate the token and get the next numbers in queue on my webserver and then run the code I receive as a send key (using the next code supplied) to my server.  Why?  Why not figure it would be cool to add to my current virtual pc in a Win2kAS terminal services session.]]></description>
		<content:encoded><![CDATA[<p>I really appreciate aXon&#8217;s link&#8230;I have one of these.  I actually have a really nice small version -for the hip Sys Admins.  Just this morning I was trying to think of a way to pass the credentials from my nt terminal server session to the server session(0) where the authentication window opens.  I figured I would use a javascript to authenticate the token and get the next numbers in queue on my webserver and then run the code I receive as a send key (using the next code supplied) to my server.  Why?  Why not figure it would be cool to add to my current virtual pc in a Win2kAS terminal services session.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: lee</title>
		<link>http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/comment-page-1/#comment-103043</link>
		<dc:creator><![CDATA[lee]]></dc:creator>
		<pubDate>Wed, 21 Oct 2009 20:31:20 +0000</pubDate>
		<guid isPermaLink="false">http://hackaday.com/?p=17517#comment-103043</guid>
		<description><![CDATA[you can actually use the paypal key with your openid account which is gaining some acceptance among various online account providers like aol, verisign, google, yahoo, facebook and more.
http://berbs.us/2007/08/how-to-use-your-paypal-security-key-with-openid/]]></description>
		<content:encoded><![CDATA[<p>you can actually use the paypal key with your openid account which is gaining some acceptance among various online account providers like aol, verisign, google, yahoo, facebook and more.<br />
<a href="http://berbs.us/2007/08/how-to-use-your-paypal-security-key-with-openid/" rel="nofollow">http://berbs.us/2007/08/how-to-use-your-paypal-security-key-with-openid/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: mr_daemon</title>
		<link>http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/comment-page-1/#comment-102941</link>
		<dc:creator><![CDATA[mr_daemon]]></dc:creator>
		<pubDate>Wed, 21 Oct 2009 14:13:39 +0000</pubDate>
		<guid isPermaLink="false">http://hackaday.com/?p=17517#comment-102941</guid>
		<description><![CDATA[@SecurID: I highly doubt that&#039;s how it works. The ones I have used void that generated number the moment it is used to successfully login and won&#039;t accept it again, thus someone would have to enter your SecurID number and login with it /before/ you get to do so yourself, which is probably possible but improbable.

Those have been around forever, even world of warcraft offers this.

That made me think of a similar authentication factor for ssh, called skey. It&#039;s basically a one time password authentication scheme. When you login, instead of a password, the system offers you a challenge, which you enter in an OTP generator along with your passphrase, which in turn generates a one time password that looks a bit like this:

BEER MOAT FUEL WHALE JOHN FIVE APPLE

Once you authenticate with that password it&#039;s null and void. And since the OTP algorithm is pretty simple (it uses SHA1 in the latest revisions) you can easily get an OTP generator for your phone (j2me, iphone, etc). This way you never enter anything sensitive into the computer you are logging into, which thwarts keyloggers. Perfect for internet cafés and untrustworthy places.]]></description>
		<content:encoded><![CDATA[<p>@SecurID: I highly doubt that&#8217;s how it works. The ones I have used void that generated number the moment it is used to successfully login and won&#8217;t accept it again, thus someone would have to enter your SecurID number and login with it /before/ you get to do so yourself, which is probably possible but improbable.</p>
<p>Those have been around forever, even world of warcraft offers this.</p>
<p>That made me think of a similar authentication factor for ssh, called skey. It&#8217;s basically a one time password authentication scheme. When you login, instead of a password, the system offers you a challenge, which you enter in an OTP generator along with your passphrase, which in turn generates a one time password that looks a bit like this:</p>
<p>BEER MOAT FUEL WHALE JOHN FIVE APPLE</p>
<p>Once you authenticate with that password it&#8217;s null and void. And since the OTP algorithm is pretty simple (it uses SHA1 in the latest revisions) you can easily get an OTP generator for your phone (j2me, iphone, etc). This way you never enter anything sensitive into the computer you are logging into, which thwarts keyloggers. Perfect for internet cafés and untrustworthy places.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: ax0n</title>
		<link>http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/comment-page-1/#comment-102940</link>
		<dc:creator><![CDATA[ax0n]]></dc:creator>
		<pubDate>Wed, 21 Oct 2009 14:04:38 +0000</pubDate>
		<guid isPermaLink="false">http://hackaday.com/?p=17517#comment-102940</guid>
		<description><![CDATA[Wrong. You can&#039;t use the same number twice in a row.  

Case in point: I have to log in to a VPN, then I have to RDP to a server.  The VPN connection requires a one-time pass from my SecurID fob, and maybe 10 seconds later I can get the RDP prompt, which also asks for my OTP from SecurID.  I always have to wait for the number to change before it will let me in. The central authentication server won&#039;t let you use the same number twice between changes.]]></description>
		<content:encoded><![CDATA[<p>Wrong. You can&#8217;t use the same number twice in a row.  </p>
<p>Case in point: I have to log in to a VPN, then I have to RDP to a server.  The VPN connection requires a one-time pass from my SecurID fob, and maybe 10 seconds later I can get the RDP prompt, which also asks for my OTP from SecurID.  I always have to wait for the number to change before it will let me in. The central authentication server won&#8217;t let you use the same number twice between changes.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: SecurID</title>
		<link>http://hackaday.com/2009/10/20/two-factor-authentication-using-a-hardware-token/comment-page-1/#comment-102938</link>
		<dc:creator><![CDATA[SecurID]]></dc:creator>
		<pubDate>Wed, 21 Oct 2009 13:53:42 +0000</pubDate>
		<guid isPermaLink="false">http://hackaday.com/?p=17517#comment-102938</guid>
		<description><![CDATA[Don&#039;t forget - a year or two ago it was going around in the Geek News that there are sniffers sitting in the StarBucks of the world who can see the PIN and SecurID generated number that you typed, and if they can then also enter the same PIN and Token Number before the SecurID Token Number changes - they are In!!
Just don&#039;t hit Enter/Send until the number is just about ready to expire! (Try getting 1000+ people in your Company to do that!! ;-)]]></description>
		<content:encoded><![CDATA[<p>Don&#8217;t forget &#8211; a year or two ago it was going around in the Geek News that there are sniffers sitting in the StarBucks of the world who can see the PIN and SecurID generated number that you typed, and if they can then also enter the same PIN and Token Number before the SecurID Token Number changes &#8211; they are In!!<br />
Just don&#8217;t hit Enter/Send until the number is just about ready to expire! (Try getting 1000+ people in your Company to do that!! ;-)</p>
]]></content:encoded>
	</item>
</channel>
</rss>