On Jan 11, 2013, at 2:02 PM, Tom Limoncelli <[email protected]> wrote:
> I haven't used those two specific products but I'm in favor of
> whatever system requires people to NOT carry yet another device. That
> is, the VIP solution with the phone app.

I work with Bryan (hello!) and can add a bit of detail.

We have some services that use RSA tokens, but other parts of the company are moving to the soft tokens. The RSA infra (run by another department, thankfully) will be around for a few more years, but is definitely going to be retired. We are planning some work around the RSA protected services, so while the hood is open, dropping the soft tokens in will be relatively easy. Our users are anxious to ditch the RSA tokens, obviously, but we want to make sure we do the right thing at the right time.

Users can have multiple soft tokens (phone, laptop, etc.), but to create one, you need to have one. (You get a one-time code for creating your first token.)

A key logger/screen grabber attack may look like this:

* Bad Guy installs agent on your laptop through malicious link to coupon for cheese
* BG gets your password when you log into your laptop
* BG watches your screen for your soft token to show up on screen (or launches the soft token app for you).
* BG uses your token to either Be Evil now, or registers a new token so they can Be Evil later.

Not too far-fetched, aside from timing the whole thing. Is it too large of a risk? Not so sure.

I'm not in favor of us running yet another 2F service just for us, and I don't suspect management would be, either. One more thing to manage that is out of scope of our core function, and it would complicate interactions with other divisions that occasionally access our services.

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
