Two-factor Authentication Options?

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Thu Jul 15 14:45:15 EDT 2004


Henry,

The CyberSafe TrustBroker products currently support RSA SecurID, VASCO
Digipass and SecureComputing SafeWord tokens. They also support smart
cards via PKINIT.

Thanks, Tim.

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Henry B. Hotz
Sent: 15 July 2004 19:10
To: kerberos at mit.edu
Subject: Two-factor Authentication Options?

In the long run the Kerberos password is a problem because the human  
brain does not obey Moore's law.  As I see it the solution is to use  
some form of two-factor authentication for the initial ticket exchange.

So what options are there in that space?

AFAIK none --- with the standard open source servers.  There are  
patches available for MIT to support CRYPTOcard and SecureID.  There  
are patches available for Heimdal to support X509 certificates  
(PKINIT).

Anything else out there?

While I'm on the subject, let me throw out an idea:  smart card  
authentication that requires an existing tgt to authenticate.  The user

first gets an ordinary tgt for smith at REALM.  Then (s)he uses that tgt  
in conjunction with with the smart card (IF details unspecificed) to  
acquire a tgt for either smith/secure at REALM, or smith at SECURE.REALM.   
This isn't the forum to discuss a new proposal, but maybe someone knows

of something?
------------------------------------------------------------------------

----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos





More information about the Kerberos mailing list