Conrad Constantine <[email protected]> writes:

>> Not saying the app is as secure as the hardware token just a different
>> way to implement it.
>
> yeah, but security is all about the implementation, and a hardware
> implementation has a completely different attack surface from a purely
> software one. (look at the attack against RSA Soft-Tokens earlier this
> year, or the smartcard-hijack trojan that Alienvault Labs (plug plug!)
> dissected back in January...)
>
> For instance, the RSA hard tokens have a bunch of anti-tamper
> mechanisms in them that aren't possible with a soft token. (Travis
> Goodspeed's awesome work in bypassing that aside for the moment)

But it's all somewhat moot, really, because, soft or hard token, the
token code is going into a web form field somewhere, where on a
compromised host it's vulnerable to intercept.  This isn't news to
anyone I imagine, but it's worth keeping in mind that this is the most
likely attack path against token- or software-based 2FA.

One of my clients uses a mix of hard and soft tokens.  The soft tokens
didn't have to be replaced (at great administrative overhead and pain)
when RSA had their... incident... last year.  The hard tokens did.
Could that time/effort have been better used securing other aspects of
the enterprise?  Surely.  For that year at least, the security ROI
surely landed in favor of soft tokens for RSA customers.

Assuming something like that doesn't happen again, yes, dedicated
hardware makes it harder to compromise the token code, but that's
rarely the lowest-hanging fruit in the process.  Software, hardware,
they're both significantly better than passwords.  Hardware does make
your token code harder to get at and predict, but it comes at an
administrative cost to physically get them into people's hands, get
people to remember them, get them not to whine about having to carry
them, and then not to lose them, etc.

Best Regards, 
--
Todd Haverkos
Chicago, IL 
http://haverkos.com/
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com