> * Bad Guy installs agent on your laptop through malicious link to coupon for cheese
> * BG gets your password when you log into your laptop
> * BG watches your screen for your soft token to show up on screen (or launches the soft token app for you).
> * BG uses your token to either Be Evil now, or registers a new token so they can Be Evil later.

Let's all back down a minute from the technical discussion ... How likely is the threat you are trying to mitigate?

2-factor authentication is great, but it has limitations, and budget constraints. Have you factored[sic] in the cost of user training, service desk visits, and possibilities of DoS against your auth infrastructure?

Back to the technical side of things; if you have data that's important enough for 2-factor auth, I bet you have ID cards for physical entry into your premises. Have you considered smart cards? They are both a login token, and a physical security authentication mechanism.

On Sat, Jan 12, 2013 at 6:27 PM, Edward Ned Harvey (lopser) <[email protected]> wrote:

> > From: [email protected] [mailto:discuss-
> > [email protected]] On Behalf Of Bryan Ramirez
> >
> > The symantec VIP solution allows you to download a client for your phone,
> > mac, or PC that displays the one-time portion of your password.
> > My hesitation with the Symantec solution is that it's most convenient to
> > download the client onto the computer you'll be using to access your
> > environment.
>
> How is it possible to run software on a system you haven't logged into yet?
> Isn't that a catch-22? But I see most of this thread has been discussing
> ssh. Are you trying to authenticate ssh? Or the actual laptop login?
>
> On my gmail account, I enabled 2-factor auth, which sends a one-use PIN
> via SMS on every login attempt. I like this. So I encourage using a
> smartphone based solution.
>
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
>

--
Joseph A Kern
[email protected]
