two factor authentication

Jefferson Ogata Jefferson.Ogata at noaa.gov
Sun Jul 23 18:41:49 EST 2006


On 2006-07-23 07:45, Frank Cusack wrote:
> On July 23, 2006 6:50:35 AM +0000 Jefferson Ogata <Jefferson.Ogata at noaa.gov> wrote:
>> Actually, if you use smartcards, you have an unknown level of security,
>> since you're at the mercy of the smartcard vendor. I have nothing
>> against smartcards, but they're not free, and they don't necessarily
>> provide the security they claim to. For all I know, any given smartcard
>> has an RFID backdoor.
> 
> Well geez, in that case you can never be secure, ever.  Your Lenovo
> laptop could have a backdoor.

Indeed it could. But there are many CPUs I might plug my smartcard into,
but only one smartcard with my private key. What's more reliable:
attacking the CPU or attacking the smartcard?

No piece of hardware magically instills perfect security in everything
it touches. The only security we can know about with any degree of
confidence is that which comes from analyzing algorithms. Placing blind
faith in smartcards as the be-all, end-all of authentication strategies
is unwise, especially if you've convinced yourself that you don't need
any other authentication factor except those nifty smartcards you just
bought 10,000 of from a single vendor.

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service



More information about the openssh-unix-dev mailing list