Strong Authentication

Sam Hartman hartmans at MIT.EDU
Thu May 13 16:57:24 EDT 2004


>>>>> "benoit" == benoit  <bgrange at vasco.com> writes:

    benoit> Hi, My name is Benoit Grange and I’m working for
    benoit> VASCO Data Security as Director for product integration.
    benoit> VASCO is a company focused on strong Authentication. We
    benoit> produce hardware devices for strong two-factor
    benoit> authentication (http://www.vasco.com/). I’ve installed
    benoit> the MIT KDC and I’m very impressed. I would like to
    benoit> discuss with you a possible integration of our strong
    benoit> two-factor authentication mechanism in your MIT KDC. The
    benoit> strong authentication would come in replacement to the
    benoit> static password.  Is that something that could generate an
    benoit> interest for you?

In principle we're not opposed to two-factor authentication
integration.  Someone approached us about this recently and we seem to
have failed to have time to actually review their design or work with
them on the integration work.  So I cannot promise any great success.
I wish we had more resources available.

In general the Kerberos community has been fairly unimpressed with
two-factor authentication based on biometrics.  In order to be useful
you need to have trusted hardware, which significantly differs from
the design assumptions of Kerberos.  If you're willing to key each of
your biometric readers, you can do something reasonable with Kerberos,
at least until one of your readers is compromised.  But the compromise
of one reader tends to compromise the entire system.

With two-factor tokens, you tend to get better security, so the
Kerberos community has put much more work into solutions like the
single-use authentication mechanism draft and pkinit.

--Sam



More information about the krbdev mailing list