> The only thing that authentication-only solutions buy you is that you
> have (more or less) authenticated the user on the Internet for the brief
> instants when the connection is being set up. Any decent hacker will
> monitor the traffic going to the firewall, watch the user authenticate
> himself to the firewall and then log onto their system. After the user
> has logged in and is happily typing away, the hacker will hijack the user's
> session - leaving the hacker logged in to the system, uploading system
> cracking software, trojan horses, worms, etc. - while the bewildered
> (and soon-to-be irate) user is trying to figure out why the network
> connection just went down.
However, this is assuming that the 'hacker' is sitting somewhere on the path
of data flow, with a system with a hacked IP stack to allow hijacking. In
practice the chances of this are actually fairly small. A simple data
encryption scheme would make it almost nil.
A combination of session encryption (expensive, from a CPU standpoint) and
one-time password would be an ideal, strong access system; but until some
encryption standards come about and are in general use, the one-time password
is about as good as you can reasonably do for now.
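To make the trade-off above concrete, here is an added example (not code from either poster) of the kind of one-time-password scheme being discussed: a Lamport-style hash chain, the construction used by S/KEY. The seed value, chain length and SHA-256 as the hash are my own choices. It shows what the scheme does buy (a password captured on the wire cannot be replayed, and chain values cannot be used out of order) and, by having no state beyond the login check, also shows what it does not buy: nothing ties the traffic after login to the authenticated user, which is exactly the hijacking gap that session encryption would close.

```python
import hashlib


def _h(data: bytes) -> bytes:
    """One step of the hash chain (SHA-256 chosen for this example)."""
    return hashlib.sha256(data).digest()


def client_otp(seed: bytes, n: int, k: int) -> bytes:
    """Password for the k-th login (k = 0 is the registration value).

    The client computes H^(n-k)(seed); each login walks one step back
    along the chain, so every password is presented exactly once.
    """
    value = seed
    for _ in range(n - k):
        value = _h(value)
    return value


class HashChainVerifier:
    """Server side: stores only the last accepted chain value.

    Knowing H^(n-k)(seed) gives an eavesdropper no way to compute the
    next password H^(n-k-1)(seed), so a captured password is useless.
    """

    def __init__(self, anchor: bytes):
        self.anchor = anchor  # initially H^n(seed), supplied at registration

    def verify(self, presented: bytes) -> bool:
        # Accept only the immediate predecessor on the chain.
        if _h(presented) != self.anchor:
            return False
        self.anchor = presented  # advance; the same value can never pass again
        return True


def register(seed: bytes, n: int) -> HashChainVerifier:
    """Registration: the server receives H^n(seed) and nothing else."""
    return HashChainVerifier(client_otp(seed, n, 0))


if __name__ == "__main__":
    seed, n = b"constructed-example-seed", 100  # constructed sample values
    server = register(seed, n)
    first = client_otp(seed, n, 1)
    print("login 1:", server.verify(first))        # True
    print("replay :", server.verify(first))        # False: captured password is dead
    print("login 2:", server.verify(client_otp(seed, n, 2)))  # True
```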