On Thursday, Oct 17, 2002, at 19:39 Europe/London, Rich Salz wrote:
Marc Branchaud wrote:
Any thoughts on this device? At first glance, it doesn't seem particularly impressive... http://www.quizid.com/
Looks like hardware S/Key, doesn't it?
If I could fool the user into entering a quizcode, then it seems like I could get the device and the admin database out of sync and lock the user out of the system.
[Note: I have an interest, since QuizID use nCipher hardware] Their device has a neat way of synchronizing the sequence number to the server which both avoids the clock drift problems that trouble RSA SecurID and mean that you'd have to get the user to pass you a large number of codes before you got them out of sync with the server. It also helps them avoid some of RSA's later patents which deal with their troublesome clock sync problems. Nicko