>> Whilst one-time keycards are nice, ones such as S/Key are also "dangerous".
>
>> If you're attending a conference (and have a name tag), or travelling,
>> you're going to take your s/key list or other with you...whilst the
>> security seems well and good, it does, however, reduce the skill required
>> to get `in' to somene who is good at picking pockets...and what do you do
>> if you `lose' your `card' ? Can you call back to work, 24 hours a day and
>> report it missing ?
>
>you could keep your s/key list encrypted on a laptop.
>
>josh
>
Isn't the design intention of S/key that one generates one-time
passwords (using memorized secret key) on-the-fly? I thought
that carrying around lists of pre-generated passwords was a compromise
for when one didn't have a local key generation system (though I know
there are considerations running the key software on X networks, where
one may accidentally run the key generator on a remote host, thus
passing the secret password in clear text via telnet). But if you've
got a laptop, why pre-generate keys, and then encrypt them? Just
generate them as needed. S/key is available for DOS and Macs.
Mark
Follow-Ups:
|
|
