On 01/11/13 14:44, David Lang wrote:
One problem I have with every commercial soft token that I have ever seen is that an attacker that gets their hands on the system running the soft token can brute force the PIN.
RSA soft token generates the code using the serial number/PIN/time as input. Always gives you a code.
You have to actually attempt to login to whatever service, to see if it is correct.
Symantec VIP does not have any PIN. It is just a time based rotating code. (serial number/time as input, 30 second rotation) The "something you know" part is handled by the service that the user is logging into, as a separate step.
-- 
Mr. Flibble
King of the Potato People
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
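A model of the two designs described in the message above, as an added example that is not part of the original post and is not RSA's or Symantec's actual algorithm. It uses the public HOTP/TOTP construction (RFC 4226/6238); the PIN-mixing step, the `Service` class, the lockout threshold and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the rotation interval given in the message


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def code_without_pin(seed: bytes, now: int) -> str:
    """Seed + time only; the password is checked by the service separately."""
    return hotp(seed, now // STEP)


def code_with_pin(seed: bytes, pin: str, now: int) -> str:
    """Assumed PIN mixing: any PIN, right or wrong, still yields a code."""
    key = hmac.new(seed, pin.encode(), hashlib.sha256).digest()
    return hotp(key, now // STEP)


class Service:
    """Hypothetical verifier: the only place a code is confirmed or rejected."""

    def __init__(self, seed: bytes, pin: str, max_failures: int = 3):
        self.seed, self.pin = seed, pin
        self.max_failures, self.failures = max_failures, 0

    def login(self, code: str, now: int) -> str:
        if self.failures >= self.max_failures:
            return "locked"  # online guessing is bounded by the lockout
        expected = code_with_pin(self.seed, self.pin, now)
        if hmac.compare_digest(code, expected):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "denied"


if __name__ == "__main__":
    seed, now = b"constructed-demo-seed", 1_700_000_000  # constructed values
    svc = Service(seed, "4821")
    for pin in ("0000", "1234", "4821"):
        code = code_with_pin(seed, pin, now)
        print(pin, code, svc.login(code, now))
```

Every PIN produces a well-formed six-digit code, so the token output alone does not tell a correct PIN from a wrong one; in this model the verdict comes only from the service, which is where failure counting and lockout have to live.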
