In message <9303021726 .
Leland K. Neely <lkn @
` Huh? This makes sense-----
` BUT I am confused. When Caymon showed the secure id stuff to me, they did
` enter a username or password, ONLY a secure id. (Hence my concern)
` I can take 2 of my three requirements, but not one of 3.
BUT, the SecureID thing that the person entered was the random number
generated by the SecureID card (the physical requirement of having the
card) AND the PIN number of the PERSON owning the card (this validates
that the user currently holding the card is the person that is supposed
to hold the card. This is better than just login/password because with
that there is no physical requirement.
The problem with the SecureID card is that the last four digits of the
"password" that you enter IS your PIN number! As this is in
plain-text, this is not the best solution. SecureID has fixed this
with a more expensive card (surprise, grr) which has a keypad on it.
You enter your PIN number into the card, it cons's up a totally new
number based on an internal algorithm including your PIN number and
then you enter that number to your system. This protects against a
"snoop" attack -- they can see the number that you enter but it does
NOT contain your PIN in the clear so the number is useless to them.
Does this help?
Gordon C. Galligher gorpong @
com gorpong @
"You can have war between races, war between cultures, war between planets;
but once you have war between the sexes, you eventually run out of people."
-- Kerr Avon.