Velocity Reviews > Newsgroups > Computing > Computer Security > REVIEW: "Biometrics for Network Security", Paul Reid

REVIEW: "Biometrics for Network Security", Paul Reid

Bernd Felsche
 
      10-07-2004
(Vin McLellan) writes:

>Bruce Barnett <spamhater103+> wrote:


>>>>This also requires the reader to be connected to the server in
>>>>order to be authenticated. If the network is down, or disconnected,
>>>>the person cannot be authenticated. So that's two potential
>>>>problems.


>Richard S. Westmoreland <> replied:


>>>Server or desktop/laptop - can be connected to either. If I have
>>>an RSA SecureID, and the server is down, I'm not getting on then
>>>either. I thought the point was authentication to the *network*?
>>>No network, then I sit and wait until it's fixed.


>Actually, at least so far as RSA's SecurID, this is no longer true.


>Working with Microsoft, RSA developed a new SecurID for Windows
>(SID4Win) infrastructure that not only simplifies the user experience


%@#$!! "simplifies the user experience"?

Sounds like it's more concerned with marketing drivel than security.

Please try not to spam newsgroups with press releases.

[snip]
--
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ / ASCII ribbon campaign | I'm a .signature virus!
X against HTML mail | Copy me into your ~/.signature
/ \ and postings | to help me spread!
 
 
Vin McLellan
 
      10-07-2004
In a thoughtful discussion of multi-factor authentication options,
Bruce Barnett <spamhater103+> wrote:

..> This also requires the reader to be connected to the server
..> in order to be authenticated. If the network is down, or
..> disconnected, the person cannot be authenticated.

Rick Westmoreland <>, worried about the lack
of strong authentication on the desktop or mobile laptop, and the
traditional dependence of any strong authentication mechanism on
a network connection, replied:

/> Server or desktop/laptop - can be connected to either. If I
/> have an RSA SecureID, and the server is down, I'm not getting
/> on then either. I thought the point was authentication to the
/> *network*? No network, then I sit and wait until it's fixed.

Vin McLellan (me) interjected:

>> Actually, at least so far as RSA's SecurID, this is no longer
>> true.


>> Working with Microsoft, RSA developed a new SecurID for Windows
>> (SID4Win) infrastructure that not only simplifies the user
>> experience by replacing the traditional Windows logon password
>> with a SecurID, it requires (and keeps an audit record of)
>> two-factor authentication not only at the network perimeter, as
>> is traditional, but also wherever corporate data is stored.

<snip>

Bernd Felsche <> jumped in like a
self-righteous moderator:

> %@#$!! "simplifies the user experience"?
>
> Sounds like it's more concerned with marketing drivel than
> security.


I apologize if what I wrote was not clear enough to let you
recognize that the simplification in the user experience I
describe is concrete, a matter of time and process, quantity as
well as quality. I trust that others more familiar with
multi-factor authentication on Windows, one-time password (OTP)
technologies, or the Windows security architecture understood me
better.

Typically, today, strong OTP authentication options like RSA's
two-factor SecurID are added to the Windows logon as a secondary
layer of authentication. That is, the user is first challenged for
his username and Windows password. Then, after that password is
validated by the OS, the user is challenged again for his username,
his memorized PIN, and the 60-second token-code that is displayed
on his SecurID token.

Microsoft and RSA have changed this. RSA's SecurID -- like
smartcards -- is now a native authentication option for Windows.
The user will only be challenged once, for his username and SecurID
passcode.

In the eyes of millions of current SecurID users, this will indeed
offer a welcome simplification in their logon experience.

I went on to describe RSA's new SID4Win architecture because it
directly informed the discussion Bruce and Rick were having
about strong multi-factor authentication. Their comments about the
potential of OTPs and, specifically, about RSA's SecurID -- a
widely-used commercial product they mentioned by name -- were dated
and now inaccurate.

Given the tenor of their discussion, I was certain they would
appreciate new factual information.

I offered them a quick summary of the latest enhancements
available for OTPs on Windows, since I recognized that the new
AAA options available with RSA's SID4Win were precisely on-topic
and could usefully inform this discussion.

This is new technology. Only someone recently released from
an NDA by RSA is likely to be able to offer the newsgroup
accurate information about this technology and the context in
which it was developed. (And there aren't many people with those
qualifications who post to the newsgroups.)

So I offered relevant OT information:

1. The baseline for strong multi-factor authentication on Windows
has changed. Windows now has a native OTP option for logon.

2. Audited OTP access controls on the Windows domain controller
are now available.

3. Local OTP authentication mechanisms to restrict access to
corporate XP desktops, and/or mobile corporate laptops, are now
commercially available.

4. Strong multi-factor OTP authentication on PCs is no longer
constrained by the need for an omnipresent network connection.

This is not PR wind. These are, I believe, useful facts which
contribute meaningfully to this thread.

I do apologize for the truncated second post (I cancelled it). I
also apologize for not mentioning that I have been a consultant to
RSA for most of the past 15 years. My newsreader was going a little
crazy and trying to fire off incomplete messages on its own. Like
most old-timers on the Net, I am habitually religious about
mentioning my affiliations when I discuss any vendor's technology.
Mea culpa.

Suerte,
_Vin


Vin McLellan ** The Privacy Guild ** Chelsea, MA USA
 
 
Bruce Barnett
 
      10-08-2004
(Vin McLellan) writes:

> Microsoft and RSA have changed this. RSA's SecurID -- like
> smartcards -- is now a native authentication option for Windows.
> The user will only be challenged once, for his username and SecurID
> passcode.


I was playing with musclecard and PAM today, and by changing one line
you can select one of the following combinations:

Password + PIN are both required
If token and reader available, use PIN, else use password
Use password only
Use Token/PIN only

Another line will allow/deny root's ability to log in without a token.

> In the eyes of millions of current SecurID users, this will indeed
> offer a welcome simplification in their logon experience.


Yup. Sounds good.

--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.
 
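As an added example (not RSA's, Microsoft's or Bruce's code), here is a local passcode check of the kind Vin's point 4 and Bruce's PAM modes describe: a PIN plus 60-second token code verified against a seed cached on the host with no network round-trip, with a second knob selecting which factors a policy requires and whether root may log in without a token. SecurID's token algorithm is proprietary, so RFC 6238 TOTP stands in for it; the seed, PIN and policy names are constructed.

```python
import hashlib
import hmac
import struct

STEP = 60   # token code rolls over every 60 seconds, as described in the thread
DRIFT = 1   # accept one step either side to tolerate token/host clock drift

def token_code(seed: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP stand-in for the token display (SecurID's own algorithm is proprietary)."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

class LocalVerifier:
    """Checks a 'PIN + tokencode' passcode against a host-cached seed: no network needed."""
    def __init__(self, seed: bytes, pin: str):
        self.seed, self.pin, self.last_step = seed, pin, -1

    def verify(self, passcode: str, now: int) -> bool:
        if len(passcode) <= len(self.pin):
            return False
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):  # constant-time compare
            return False
        for k in range(-DRIFT, DRIFT + 1):
            step = now // STEP + k
            expected = token_code(self.seed, step * STEP)
            if step > self.last_step and hmac.compare_digest(code.encode(), expected.encode()):
                self.last_step = step   # this step and all earlier ones are now burnt: no replay
                return True
        return False

# Hypothetical policy names standing in for the PAM modes Bruce lists: each maps
# "is a token reader present?" to the set of factors that must succeed.
POLICIES = {
    "both": lambda reader: {"password", "token"},
    "token_else_password": lambda reader: {"token"} if reader else {"password"},
    "password_only": lambda reader: {"password"},
    "token_only": lambda reader: {"token"},
}

def required_factors(policy, reader_present, user="alice", allow_root_without_token=False):
    """Second knob from the thread: root is denied a token-less logon unless allowed."""
    required = set(POLICIES[policy](reader_present))
    if user == "root" and not allow_root_without_token:
        required.add("token")
    return required
```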