Thomas Kern <[EMAIL PROTECTED]> writes:
> Management is looking at having ALL system administrators use 2 part
> authentication. One product that is prominent in their discussions
> is RSA's SecurID. Their website lists components for Windows,
> Solaris, AIX and Intel-based Linux. My boss is going to ask them if
> they support systems on IBM zSeries platforms.
two-factor authentication is from the 3-factor authentication model
http://www.garlic.com/~lynn/subpubkey.html#3factor

* something you have
* something you know
* something you are

where a hardware token is "something you have" authentication. typically in electronic authentication, a token will generate and transmit some value that is considered as only having originated from that specific token (the receiver or relying party can infer as having originated from a unique token).

"something you know" authentication can be done as either a traditional shared-secret aka pin or password
http://www.garlic.com/~lynn/subpubkey.html#secret

in such a situation, the shared-secret is transmitted along with the token's information. it is also possible to have a secret-based "something you know" (as opposed to shared-secret) where the hardware token is certified as requiring the correct pin/password for correct operation. the receiver (or relying party) receives the hardware token validation and, based on having certified the token as requiring the correct pin/password (for correct operation), can infer two-factor authentication (as opposed to actually having two independent, separate factors).

in a hardware token scenario, the use of two factors is typically using the "something you know" authentication as a countermeasure to a lost/stolen token threat/vulnerability.

similarly you can have "something you are" authentication involving some biometric value (frequently in lieu of "something you know" authentication). similarly to pin/passwords, biometrics can be implemented as either "shared-secret" (aka the biometric is stored at some central repository and matched) or as "secret" (the biometric matching is part of the certified hardware token operation). again, when biometrics is used in conjunction with a hardware token for two-factor authentication, the biometric is a countermeasure for the lost/stolen token threat/vulnerability.

one of the issues with biometric shared-secret implementations (as opposed to a biometric secret implementation) is security breaches associated with the repository. in the case of pin/password shared-secret repository compromise, it is possible to replace the compromised pin/passwords; the issue with compromise of biometric shared-secrets is being able to issue replacements.

disclosure .... we have a bunch of patents (granted and pending) on various aspects of authentication operations (and there is a product that incorporates some of the features):
http://www.garlic.com/~lynn/index.html#aads

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
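As an added example (not part of the original post, and not the SecurID product's own proprietary algorithm), the following Python simulation shows the two ways of pairing a hardware token with a pin that the post above describes: the "shared-secret" model, where the pin is transmitted alongside the token's value and checked against a copy held by the relying party, and the "secret" model, where the pin is folded into the token's working key inside the token, so a wrong pin simply produces a wrong code and the relying party never sees the pin at all. The per-press code is a generic HMAC-based counter OTP (the RFC 4226 HOTP construction, used here as a stand-in for whatever a real token computes). It also shows the lost/stolen-token case (valid token, wrong pin) and replay of an already-accepted code. Seeds, pins and token identifiers are constructed for the example.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time code, RFC 4226 construction (HMAC-SHA1, dynamic truncation)."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def derive_token_key(seed: bytes, pin: str) -> bytes:
    """'Secret' model: the pin is mixed into the token's working key. Only the
    correct pin reproduces the key the relying party enrolled, so the token
    cannot emit a valid code without it and the pin never leaves the token.
    (Constructed derivation for the example, not any vendor's scheme.)"""
    return hashlib.sha256(seed + pin.encode()).digest()


class Token:
    """Simulated hardware token with a monotonically increasing press counter."""

    def __init__(self, seed: bytes, pin_inside: bool):
        self.seed = seed
        self.pin_inside = pin_inside  # True: secret model; False: shared-secret model
        self.counter = 0

    def press(self, pin=None) -> str:
        self.counter += 1
        key = derive_token_key(self.seed, pin) if self.pin_inside else self.seed
        return hotp(key, self.counter)


class RelyingParty:
    """Server side. Remembers the last accepted counter per token (replay
    defence) and looks ahead a small window to tolerate skipped presses."""

    def __init__(self, window: int = 5):
        self.window = window
        self.tokens = {}  # token_id -> {"key": bytes, "pin": str|None, "counter": int}

    def enroll_shared_secret(self, token_id: str, seed: bytes, pin: str) -> None:
        # shared-secret model: the server holds a copy of the pin and matches it
        self.tokens[token_id] = {"key": seed, "pin": pin, "counter": 0}

    def enroll_certified_token(self, token_id: str, seed: bytes, pin: str) -> None:
        # secret model: done once at issuance; only the derived working key is kept
        self.tokens[token_id] = {"key": derive_token_key(seed, pin), "pin": None, "counter": 0}

    def verify(self, token_id: str, code: str, pin=None) -> bool:
        rec = self.tokens.get(token_id)
        if rec is None:
            return False
        if rec["pin"] is not None and not hmac.compare_digest(rec["pin"], pin or ""):
            return False  # shared-secret pin check (separate factor on the wire)
        for c in range(rec["counter"] + 1, rec["counter"] + 1 + self.window):
            if hmac.compare_digest(hotp(rec["key"], c), code):
                rec["counter"] = c  # consume the counter so the code cannot be replayed
                return True
        return False


def demo() -> dict:
    """Run both models through the normal, stolen-token and replay cases."""
    rp = RelyingParty()
    results = {}

    # shared-secret model: pin travels with the code and is matched by the server
    seed_a = bytes(range(20))  # constructed seed; real tokens are issued a random one
    tok_a = Token(seed_a, pin_inside=False)
    rp.enroll_shared_secret("tok-A", seed_a, "4711")
    first = tok_a.press()
    results["shared_ok"] = rp.verify("tok-A", first, pin="4711")
    results["shared_stolen_wrong_pin"] = rp.verify("tok-A", tok_a.press(), pin="0000")
    results["shared_replay"] = rp.verify("tok-A", first, pin="4711")

    # secret model: pin only influences what the token computes; server never sees it
    seed_b = bytes(range(20, 40))
    tok_b = Token(seed_b, pin_inside=True)
    rp.enroll_certified_token("tok-B", seed_b, "4711")
    results["secret_ok"] = rp.verify("tok-B", tok_b.press("4711"))
    results["secret_stolen_wrong_pin"] = rp.verify("tok-B", tok_b.press("0000"))
    results["secret_resync_after_bad_press"] = rp.verify("tok-B", tok_b.press("4711"))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point the post makes is visible in `RelyingParty.verify`: in the shared-secret branch the server has two independent things to check (pin, then code), while in the certified-token branch it checks only the code and infers the second factor from how the token was built, which is why a compromised server database in that model yields working keys but no pins.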
