[4628] in WWW Security List Archive


Re: SecureID alternatives?

daemon@ATHENA.MIT.EDU (Adam Shostack)
Sun Mar 2 23:48:33 1997

From: Adam Shostack <adam@homeport.org>
In-Reply-To: <331853C6.516F@vasco.com> from "Haggard, John C." at "Mar 1, 97 10:05:26 am"
To: jch@vasco.com (Haggard, John C.)
Date: Sun, 2 Mar 1997 21:42:28 -0500 (EST)
Cc: aisecur!KClancy@bpd.treas.gov, www-security@ns2.rutgers.edu,
        tel1dvw@is.ups.com
Errors-To: owner-www-security@ns2.rutgers.edu

Haggard, John C. wrote:

| >      Callback is not considered anywhere as secure as a secure card.  When
| >      call forwarding became available, it kinda defeated the security of a
| >      callback modem.

| Callback is definitely an outdated security measure, however in addition
| to one time passwords such as SecurID or the AccessKey II from VASCO
| (http://www.vasco.com) I might recommend you look at caller id as an
| alternative to call back.

	Using caller-id for access control means that you are trusting
the telco to provide part of your security policy.  Is your telco
contracted to do this?  What remedies do you have when they fail due
to a compromised switch?

	I'll add that the Cryptocard and the AssureNet (formerly
Digital Pathways) hand held tokens are well thought of.  If you have
remote users with laptops, SSH (www.ssh.fi) is a nice solution.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume


