Ken / Roger, 

I know it's OT, but I have a quick question for you two.

We don't have a VPN option here, but we have ~50 users using the tokens for
dial-in.  Occasionally, their tokens will get out of sync and of course,
lock them out after three successive tries.  As Ken indicated, if the user
is two codes ahead or behind, it will put your token in "Next-Token" mode
and is supposed to prompt you onscreen.  However, our users never see the
Next-Token notification on their end.

Why?  Is it because they are using Win9x/ME on their end or is it because of
something on the server end?

Server is NT 4 SP6a in an NT4 domain.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 19, 2003 11:54 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security


It really is a cool system.

We're currently using it for VPN access and front ending OWA, and we're
playing with it and some Cisco Aironet wireless devices - requiring SecurID
authentication before you get onto the wireless network.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Ken Cornetet [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2003 2:21 PM
> To: Exchange Discussions
> Subject: RE: OWA front end server - licensing and security
> 
> 
> I've not examined the system for several years (I'm just a happy user 
> now, not an admin), but at least at one time SecurID would accept the 
> current code (of course), one code behind or one ahead for a total 
> window of 3 minutes as Roger notes.
> 
> If the gadget's clock had drifted to more than one minute off, and you 
> were TWO codes ahead or behind, the system would additionally prompt 
> for the NEXT code displayed to make sure you were you, and it would 
> update the stored time offset for your gadget. Pretty slick system.
> 
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2003 10:01 AM
> To: Exchange Discussions
> Subject: RE: OWA front end server - licensing and security
> 
> 
> Actually, you've got the system down correctly.
> 
> However, the slack time is +/- 1 minute, so you really get 3 minutes 
> per code.
> 
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -----Original Message-----
> > From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
> > Sent: Friday, September 19, 2003 10:29 AM
> > To: Exchange Discussions
> > Subject: RE: OWA front end server - licensing and security
> > 
> > 
> > Forgive me for arguing, but I believe the time allotted for guessing 
> > that third factor is even less than indicated below.  Of course, by 
> > token, I am referring to what RSA calls a "keyfob."  Is that what you 
> > are referring to as well?
> > 
> > Here is what I understand to be the process, from reading the manuals 
> > we have:
> > 1.  Upon issuance to the user, you synch the token/keyfob with the RSA 
> > server DB.
> > 2.  A 6-digit code displays for 1 minute on the token.
> > 3.  If used for authentication within that 1 minute period, it is 
> > "time-stamped" as to when you entered the Passcode (PIN + code) and has 
> > an additional 1 minute latency period.  Meaning that if you dial-up and 
> > enter your passcode 30 seconds into the code, you have 1:30 to connect 
> > to the dial-up server and be authenticated.
> > 4.  If you enter the same code after the display has rolled over, 
> > however, that code is no longer valid, as the timestamp when you 
> > entered it will no longer match with the timestamp on the server for 
> > when that code was valid.
> > 
> > So the short version is that if you enter the code while it's 
> > displaying on the token, it's good for 1 minute with a 1 minute 
> > latency period.  If you don't enter the number while it's viewable, 
> > then you've missed your window of opportunity, because it was only 
> > good for one minute.  Oh, and BTW... if you are trying to guess the 
> > code and miss it three times, regardless of length of time between 
> > guesses, it will lock your token until an admin can reset it.
> > 
> > That's how I understand the process.
> > 
> > -----Original Message-----
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Friday, September 19, 2003 5:44 AM
> > To: Exchange Discussions
> > Subject: RE: OWA front end server - licensing and security
> > 
> > 
> > It doesn't stop key logging per se, but it renders it ineffective.
> > 
> > The SecurID tokens use a three factor[1] authentication system, in 
> > which the third piece is a 6 digit, one time use code. That code is 
> > good for exactly 3 minutes, and once used cannot be used again.
> > 
> > Therefore, logging the authentication process is useless, as you'll 
> > only get 2 of the 3 factors, and for the third factor, you have a 1 
> > in 1,000,000 chance, reset every three minutes, to guess that last part.
> > 
> > Roger
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> > 
> > [1] They call it 2 factor, but you need a username, a PIN, and the 
> > SecurID token number to log in - that's either 3 or 11, depending on 
> > how much of a geek you are.
> > 
> > :::: snip ::::
> > 
> > _________________________________________________________________
> > List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> > Web Interface:          http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> > To unsubscribe:         mailto:[EMAIL PROTECTED]
> > Exchange List admin:    [EMAIL PROTECTED]
> 


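Added example, not code from the list or from RSA: a toy Python model of the server-side behaviour the thread describes in words (Ken's and Roger's posts on the +/-1 window and the next-token prompt at two codes off, Jim's note that three misses lock the token regardless of spacing, Roger's point that a used code is never accepted again). The HMAC-based `code_at` generator is a constructed stand-in rather than the SecurID algorithm, the `TokenRecord` fields, the `verify`, `token_display` and `demo` names and the rule that a success clears the failure counter are all assumptions made for the illustration, and it says nothing about why the Next-Token prompt does not reach the dial-in clients, which the thread leaves open.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60           # one code per minute, as the thread describes
ACCEPT_WINDOW = (0, -1, 1)  # current code, one behind, one ahead: 3 minutes total
RESYNC_WINDOW = (-2, 2)     # two steps off: accepted only if the NEXT code follows
MAX_FAILURES = 3            # third consecutive miss locks the token


def code_at(secret: bytes, step: int) -> str:
    """6-digit code for one time step: a constructed HMAC-SHA256 stand-in so the
    model runs offline, not RSA's SecurID code generator."""
    mac = hmac.new(secret, struct.pack(">q", step), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class TokenRecord:
    """Server-side state for one token (assumed fields, not RSA's schema)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.offset = 0          # stored clock drift of the token, in steps
        self.failures = 0        # consecutive bad codes
        self.locked = False
        self.used_steps = set()  # one-time use: a step's code never works twice
        self.pending = None      # (step expected next, new offset) in next-token mode


def verify(rec: TokenRecord, code: str, now: int) -> str:
    """Check one submitted code; returns accept, next-token, reject or locked."""
    if rec.locked:
        return "locked"
    server_step = now // STEP_SECONDS + rec.offset

    def matches(step: int) -> bool:
        return step not in rec.used_steps and hmac.compare_digest(code, code_at(rec.secret, step))

    def fail() -> str:
        rec.pending = None
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:
            rec.locked = True
            return "locked"
        return "reject"

    if rec.pending is not None:
        # Next-token mode: only the code following the one just seen is valid.
        expected_step, new_offset = rec.pending
        if not matches(expected_step):
            return fail()
        rec.offset = new_offset  # drift confirmed; remember it for later logins
        rec.used_steps.add(expected_step)
        rec.pending, rec.failures = None, 0
        return "accept"

    for delta in ACCEPT_WINDOW:
        if matches(server_step + delta):
            rec.used_steps.add(server_step + delta)
            rec.failures = 0  # assumption: a success clears the failure count
            return "accept"

    for delta in RESYNC_WINDOW:
        if matches(server_step + delta):
            rec.used_steps.add(server_step + delta)
            rec.pending = (server_step + delta + 1, rec.offset + delta)
            return "next-token"

    return fail()


def token_display(secret: bytes, now: int, drift_seconds: int) -> str:
    # Code shown by a token whose clock is drift_seconds off at server time now.
    return code_at(secret, (now + drift_seconds) // STEP_SECONDS)


def demo() -> dict:
    """Walk through the three situations the thread describes."""
    secret = b"constructed-demo-seed"  # constructed, not a real token seed
    t0 = 1_063_980_000                 # arbitrary server time on a minute boundary
    out = {}

    # In-window token: accepted, refused on replay, one minute slow still fine.
    rec = TokenRecord(secret)
    out["in_window"] = [verify(rec, token_display(secret, t0, 0), t0),
                        verify(rec, token_display(secret, t0, 0), t0),
                        verify(rec, token_display(secret, t0, -60), t0)]

    # Token two minutes fast: next-token prompt, then accept and store the drift.
    rec = TokenRecord(secret)
    out["two_steps_ahead"] = [verify(rec, token_display(secret, t0, 120), t0),
                              verify(rec, token_display(secret, t0 + 60, 120), t0 + 60),
                              verify(rec, token_display(secret, t0 + 120, 120), t0 + 120)]
    out["stored_offset"] = rec.offset

    # Three misses lock the token regardless of the time between guesses.
    rec = TokenRecord(secret)
    out["lockout"] = [verify(rec, "not-a-code", t0),
                      verify(rec, "not-a-code", t0 + 3600),
                      verify(rec, "not-a-code", t0 + 86400),
                      verify(rec, token_display(secret, t0 + 86400, 0), t0 + 86400)]
    return out
```

Calling `demo()` shows the three behaviours side by side: a replayed code is refused even though it is still inside the window, a token two minutes fast costs the user one extra prompt rather than a failure and leaves the corrected offset stored on the server, and after the third miss even a correct code returns "locked" until an administrator resets the record.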
