On 1/11/2013 8:41 AM, Bryan Ramirez wrote:
> At work we're having a discussion about 2 factor authentication. We're
> comparing the traditional RSA token with Symantec's VIP Access solution.

[snip]

> My hesitation with the Symantec solution is that it's most convenient to
> download the client onto the computer you'll be using to access your
> environment. How much of a risk is this? Is this really two factor
> authentication at this point, realistically speaking... or is the risk of
> someone screengrabbing your password too far out there?

It violates the first constraint of two factor authentication, which is "a thing you have, and a thing you know", since it can easily be discovered by keystroke loggers and similar issues. Please note that I have not evaluated the Symantec product, and that my statement is merely in reaction to the idea that an application running on a PC (even though apparently meant to run on a phone or other external device) would somehow provide you with that "thing you have".

Good security shouldn't have shortcuts.

--
Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it.
  Brian W. Kernighan
_______________________________________________
Discuss mailing list
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
