John Stoffel <[email protected]> writes:
>>>>>> "Tracy" == Tracy Reed <[email protected]> writes:
>
>Tracy> On Fri, Jan 11, 2013 at 08:41:35AM PST, Bryan Ramirez spake thusly:
>>> at work we're having a discussion about 2 factor authentication. We're
>>> comparing the traditional RSA token with Symantec's VIP Access solution.
>
>Tracy> Be sure to consider Google Authenticator. It is free, a well-studied open
>Tracy> standard (always a good thing in crypto) and hasn't been hacked in the past
>Tracy> (unlike certain other solutions).
>
>We use both the traditional RSA tokens, plus some of us have their
>soft-tokens on our BlackBerry phones, which is convenient. And I
>*still* need to enter a pin into the device to get back a number to
>punch in to access my VPN. So it's still two factor.

Some of us got rid of most of the RSA hard tokens after the RSA hack; we considered those seeds compromised. Not the same case with the BlackBerry RSA app. Further, since it's on a phone, the phone has a screen timeout, and it can be remote wiped and RSA credentials revoked when the phone is lost/stolen.

One measure you should take *regardless* of implementation: Send an email to the user upon every successful remote login telling them a remote login just occurred with their credentials. That's a fast/cheap/easy way to get notified if someone's credentials are being used by an unauthorized party.

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
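
The login-notification measure suggested in the message above, sketched as an added example that is not part of the original thread. It assumes the login source is OpenSSH's syslog format; the `MAILBOXES` directory, the sender address and the sample log lines are constructed for illustration.

```python
import re
from email.message import EmailMessage

# OpenSSH logs a successful login as:
#   "Accepted <method> for <user> from <ip> port <n> ..."
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Hypothetical user -> mailbox map; in practice this comes from LDAP or similar.
MAILBOXES = {"alice": "alice@example.org", "bob": "bob@example.org"}

def successful_logins(lines):
    """Yield one dict per successful remote login; failures and noise are skipped."""
    for line in lines:
        m = ACCEPTED.match(line)
        if m:
            yield m.groupdict()

def build_notice(login, sender="security@example.org"):
    """Return an EmailMessage for the account owner, or None if no mailbox is known."""
    rcpt = MAILBOXES.get(login["user"])
    if rcpt is None:
        return None  # e.g. a service account; route these to an admin queue instead
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = f"Remote login to {login['host']} as {login['user']}"
    msg.set_content(
        "A remote login with your credentials succeeded.\n"
        f"Time: {login['ts']}\nSource address: {login['ip']}\n"
        f"Method: {login['method']}\n"
        "If this was not you, contact the security team immediately.\n"
    )
    return msg

def notices_for(lines):
    """Build the notification messages for a batch of log lines."""
    msgs = (build_notice(login) for login in successful_logins(lines))
    return [m for m in msgs if m is not None]

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    "Jan 11 09:02:17 vpn1 sshd[4121]: Failed password for alice from 203.0.113.9 port 50211 ssh2",
    "Jan 11 09:02:25 vpn1 sshd[4121]: Accepted password for alice from 203.0.113.9 port 50211 ssh2",
    "Jan 11 09:10:03 vpn1 sshd[4190]: Accepted publickey for svc_backup from 198.51.100.7 port 40022 ssh2",
]

if __name__ == "__main__":
    for m in notices_for(SAMPLE_LOG):
        print(m)  # in a deployment, pass each message to smtplib.SMTP.send_message()
```

The notice should go to a mailbox that is not protected solely by the same credentials, otherwise whoever is using them can delete it.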
