I'd at least want to see what Symantec has to say about the security of their solution -- putting the 2nd auth piece on the PC that you want to auth into seems questionable at best... But maybe they disallow that, or have some other feature that allows it but protects it??
We use RSA tokens here; not too many problems with management, but the tokens are about $50 each (but their lifetime is in years.) The management UI looks to be from the '90s however... But it works.

- Will

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Shrdlu
Sent: Friday, January 11, 2013 12:01 PM
To: [email protected]
Subject: Re: [lopsa-discuss] 2 factor authentication

On 1/11/2013 8:41 AM, Bryan Ramirez wrote:
> at work we're having a discussion about 2 factor authentication. We're
> comparing the traditional RSA token with Symantec's VIP Access solution.

[snip]

> My hesitation with the Symantec solution is that it's most convenient
> to download the client onto the computer you'll be using to access
> your environment. How much of a risk is this? Is this really two
> factor authentication at this point, realistically speaking.. or is
> the risk of someone screengrabbing your password too far out there?

It violates the first constraint of two factor authentication, which is "a thing you have, and a thing you know" since it can easily be discovered by keystroke loggers and similar issues.

Please note that I have not evaluated the Symantec product, and that my statement is merely in reaction to the idea that an application running on a PC (even though apparently meant to run on a phone or other external device) would somehow provide you with that "thing you have".

Good security shouldn't have short cuts.

--
Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it. Brian W. Kernighan

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
