Strong Authentication
Sam Hartman
hartmans at MIT.EDU
Thu May 13 16:57:24 EDT 2004
>>>>> "benoit" == benoit <bgrange at vasco.com> writes:
benoit> Hi, My name is Benoit Grange and I'm working for
benoit> VASCO Data Security as Director for product integration.
benoit> VASCO is a company focused on strong Authentication. We
benoit> produce hardware devices for strong two-factor
benoit> authentication (http://www.vasco.com/). I've installed
benoit> the MIT KDC and I'm very impressed. I would like to
benoit> discuss with you a possible integration of our strong
benoit> two-factor authentication mechanism in your MIT KDC. The
benoit> strong authentication would come in replacement to the
benoit> static password. Is that something that could generate an
benoit> interest for you?
In principle we're not opposed to two-factor authentication
integration. Someone approached us about this recently and we seem to
have failed to have time to actually review their design or work with
them on the integration work. So I cannot promise any great success.
I wish we had more resources available.
In general the Kerberos community has been fairly unimpressed with
two-factor authentication based on biometrics. In order to be useful
you need to have trusted hardware, which significantly differs from
the design assumptions of Kerberos. If you're willing to key each of
your biometric readers, you can do something reasonable with Kerberos,
at least until one of your readers is compromised. But the compromise
of one reader tends to compromise the entire system.
With two-factor tokens, you tend to get better security, so the
Kerberos community has put much more work into solutions like the
single-use authentication mechanism draft and pkinit.
--Sam