Good summary by Lynn Wheeler about the "something you have" and "something you know".
The SecurID cards I was exposed to presented a six-digit number that changed every minute or so (30 seconds?). The changing nature of this number validated that it was "something you have" and not merely something static that you copied from the legit guy. When connecting to the network, you entered this number along with username and password. The cards must be VERY TIGHTLY synchronized with the clock(s) of the secured system(s).

I don't trust biometrics: they're static, but can change as you age (or even with surgery), and can be faked or [grimace] stolen.

My recollection of using SecurID was that I hated it. On the one hand, I was always worried about keying in a number that had just changed or was about to change, not to mention the possibility of the card clock having drifted. But more, the act of reading yet-another-thing and keying it in was flat out annoying.

BUT ... this is not to say that it was/is a bad product. I think it's obvious that security is stronger with something like this, and maybe your security guys believe you need it.

In any case ... TRAINING! Don't forfeit the training. If you get SecurID, get thorough training. If you get something else, make sure everyone gets training. If you roll some home-grown scheme, be sure all users have proper training. Probably the single worst weakness in any security system is the PEOPLE involved, the very ones whom the system is supposed to serve.

-- R;
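The post's two worries, a code that has just rolled over and a card clock that has drifted, are exactly what the verifier's acceptance window is for. The following is an added example in the style of a time-based one-time code (RFC 6238 truncation over HMAC-SHA1), not RSA's SecurID algorithm and not code from the original post; the shared secret, the 60-second step and the one-step drift window are assumptions chosen for illustration.

```python
import hmac
import hashlib
import struct

# Constructed demo secret (assumption); a real token holds a per-card secret.
SECRET = b"example-shared-secret-12345"
STEP_SECONDS = 60   # the post describes a code that changes about once a minute
DIGITS = 6


def code_at(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Six-digit code for one time step: HMAC-SHA1 over the 64-bit counter,
    dynamically truncated (RFC 4226 style) and reduced mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def token_display(secret: bytes, card_now: int) -> str:
    """What the card shows at Unix time card_now (its own, possibly drifted, clock)."""
    return code_at(secret, card_now // STEP_SECONDS)


class Verifier:
    """Server side: accept the code for the current step or within +/- drift_steps,
    and never accept the same step twice (so a code seen once cannot be replayed)."""

    def __init__(self, secret: bytes, drift_steps: int = 1) -> None:
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted = -1   # highest counter already used for a login

    def verify(self, submitted: str, server_now: int) -> bool:
        current = server_now // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = current + delta
            if counter <= self.last_accepted:
                continue   # replay of an already-consumed step
            # constant-time comparison so timing does not leak which digits matched
            if hmac.compare_digest(code_at(self.secret, counter), submitted):
                self.last_accepted = counter
                return True
        return False
```

With drift_steps=0 the "just changed" case from the post fails; with the one-step window it succeeds, and the replay guard rejects a second use of the same code.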
