OTP, deployability.

Nico Williams nico at cryptonector.com
Thu Jun 16 15:45:04 EDT 2011


Right, we need OTP tokens to be key-generating for this.  But we want
that anyways, so we can use the OTPs as keys or as part of key
derivation.

PA-ENC-TIMESTAMP with password + OTP (and PIN, but since the PIN
becomes, effectively, a part of the password, it may not add very
much) would be hard to crack with an offline dictionary attack.  The
password would contribute, say, some 32 bits of entropy to the
keyspace search, while the OTP would contribute some, say, 20 bits.
52 + a high enough PBKDF2 iteration count + frequent password changes
(every 90 days will probably do) would be plenty good enough for now.

Plus PA-ENC-TIMESTAMP could be used this way inside a FAST tunnel, in
which case the main value of doing this password + OTP thing is that
it is less disruptive than a new pre-auth type would be.

Nico
--

More information about the krbdev mailing list
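The message above argues that folding an OTP into the PA-ENC-TIMESTAMP key alongside the password adds the two factors' entropy in the exponent of an offline search, while the PBKDF2 iteration count multiplies the per-guess cost. The following is an added illustration of that reasoning, not code from the message, from MIT Kerberos or from any krb5 implementation: it derives a key from password + OTP with PBKDF2-HMAC-SHA256 and puts numbers on the attacker's work using the 32-bit / 20-bit split and a hypothetical iteration count and guess rate. The concatenation of password and OTP, the salt and the rates are assumptions chosen for the example; a real pre-auth mechanism would fix its own string-to-key construction.

```python
"""Added example: password + OTP string-to-key with PBKDF2 and an offline
search cost estimate. Not from the krbdev message or from MIT Kerberos; the
concatenation scheme, salt and rates below are assumptions for illustration."""
import hashlib

# Constructed sample inputs (not real credentials).
SAMPLE_SALT = b"EXAMPLE.ORGalice"          # Kerberos-style salt: realm + principal
SAMPLE_ITERATIONS = 4096                    # hypothetical PBKDF2 iteration count


def derive_key(password: str, otp: str, salt: bytes,
               iterations: int = SAMPLE_ITERATIONS, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password concatenated with the OTP.

    Assumption: the OTP digits are appended to the password before PBKDF2,
    so every OTP value yields a different key and a dictionary attack on the
    resulting PA-ENC-TIMESTAMP must guess the OTP together with the password.
    """
    secret = (password + otp).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen)


def offline_guess_budget(password_bits: int, otp_bits: int,
                         iterations: int, hmac_per_second: float) -> dict:
    """Expected work to exhaust the combined (password, OTP) keyspace.

    Entropy of the two factors adds in the exponent; each candidate pair costs
    `iterations` HMAC evaluations, so the iteration count scales the total work
    linearly. `hmac_per_second` is the assumed aggregate guessing rate.
    """
    total_bits = password_bits + otp_bits
    candidates = 2 ** total_bits
    hmac_ops = candidates * iterations
    seconds = hmac_ops / hmac_per_second
    return {
        "total_bits": total_bits,
        "candidates": candidates,
        "hmac_operations": hmac_ops,
        "seconds": seconds,
        "years": seconds / (365.25 * 24 * 3600),
    }


def otp_changes_key(password: str, otp_a: str, otp_b: str) -> bool:
    """True when two different OTPs for the same password give different keys."""
    key_a = derive_key(password, otp_a, SAMPLE_SALT)
    key_b = derive_key(password, otp_b, SAMPLE_SALT)
    return key_a != key_b


if __name__ == "__main__":
    # Figures from the message: ~32 bits password, ~20 bits OTP, 52 in total;
    # the iteration count and 1e10 HMAC/s guess rate are assumptions.
    budget = offline_guess_budget(32, 20, SAMPLE_ITERATIONS, 1e10)
    print(f"combined keyspace: 2^{budget['total_bits']} candidates")
    print(f"HMAC operations to exhaust: {budget['hmac_operations']:.3e}")
    print(f"at 1e10 HMAC/s: {budget['years']:.1f} years")
    print("OTP changes key:", otp_changes_key("correct horse", "123456", "654321"))
```

Raising the iteration count shifts the `hmac_operations` figure by the same factor for both the attacker and the legitimate KDC, which is why the message pairs it with frequent password changes rather than relying on iterations alone.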