not in ohio
|reply to antdude |
Re: Google Declares War on the Password
Does no-one in the security forum except me actually use a hardware logon token for anything? There seems to be a lot of resistance to having any physical thing that helps logon security.
For the record, the problems with the current hardware logon-token approaches are:
1. As far as I know, it's site-specific [my RSA token has to be known to the web site in question], so isn't going to scale
2. I have to copy the digits from the token to the password-entry form: but this is fixable by having a token with a USB interface
3. It doesn't eliminate passwords, and nor should it (for the same reasons that having an ATM card doesn't eliminate PINs). But it does reduce required password complexity.
I don't see that the Wired article is suggesting much more than using the same sort of approach but making it more ubiquitous. And smaller.
Since it's actual money involved with the web site in question, I'm glad of the incremental protection of the token on top of the password.
For the record, I've never lost it, forgotten it, or suffered more inconvenience than having left the token in my coat downstairs when I'm upstairs.
The technology question we perhaps ought to consider here is: how secure is it to rely on a single authentication service?