Any thoughts on this device? At first glance, it doesn't seem particularly impressive...

http://www.quizid.com/

Lovely idea of two-factor authentication:

    The user then enters their user name (something they know) and the 8-digit Quizid passcode (something they have) into the login screen of their application.

BBC NEWS | Technology | Handy future for online security
http://news.bbc.co.uk/1/hi/technology/2334491.stm

Excerpt from the BBC article:

    Users are issued with a card and a personal code, based on a set of colour keys on the card. Each time they wish to conduct a secure transaction, they punch in the colour code and a random number is generated.

M.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
Marc Branchaud wrote:
Any thoughts on this device? At first glance, it doesn't seem particularly impressive...
Looks like hardware S/Key, doesn't it?

If I could fool the user into entering a quizcode, then it seems like I could get the device and the admin database out of sync and lock the user out of the system.

/r$
On Thu, Oct 17, 2002 at 02:39:55PM -0400, Rich Salz wrote:
| Marc Branchaud wrote:
| >Any thoughts on this device? At first glance, it doesn't seem
| >particularly impressive...
| >
| >http://www.quizid.com/
|
| Looks like hardware S/Key, doesn't it?
|
| If I could fool the user into entering a quizcode, then it seems like I
| could get the device and the admin database out of sync and lock the
| user out of the system.

Aww, Rich, that trick never works!

More seriously, most of the vendors will search forwards and back through the expected codes to make the attack less likely to work. (If authentication is centralized, searching backwards may not be a security risk.)

I think the most interesting part of this is the unit looks cool, and it's spun slightly differently than other tokens have been.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume
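The desync attack Rich raises and the look-ahead search Adam describes as the usual mitigation, worked through as an added example. This is not code from the thread and not Quizid's actual algorithm, which the thread does not describe: the token is modelled as an HMAC-SHA1 counter-based passcode truncated to 8 digits (HOTP-style, an assumption chosen because the device "looks like hardware S/Key" and shows an 8-digit code), the server look-ahead window of 5 is an assumed size, and the shared secret is a constructed demo value. The point is the resync behaviour: one or a few phished codes that never reach the server do not lock the user out, but burning more codes than the window covers does.

```python
"""Counter-based one-time passcodes with a server-side look-ahead window.

Added illustration, not any vendor's real scheme. Token and server share a
secret and each keep a counter; the server accepts the first match within
WINDOW counters ahead of the last one it saw, then moves past it.
"""
import hmac
import hashlib
import struct

DIGITS = 8   # the thread mentions an 8-digit passcode
WINDOW = 5   # assumed size of the server's forward search window


def passcode(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Derive the passcode for one counter value (HMAC-SHA1, HOTP-style
    dynamic truncation to `digits` decimal digits)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """The user's device: shared secret plus its own monotonic counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        """Every button press consumes one counter value, whether or not the
        code is ever shown to the real server; that is what the attacker
        exploits by tricking the user into generating codes."""
        code = passcode(self.secret, self.counter)
        self.counter += 1
        return code


class Server:
    """The admin database: per-user secret and next expected counter."""

    def __init__(self):
        self.users = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = {"secret": secret, "counter": 0}

    def verify(self, user: str, code: str) -> bool:
        rec = self.users[user]
        # Search forward from the expected counter through the window. This
        # example deliberately does not search backwards: a counter below the
        # stored one has already been accepted or skipped, and taking it again
        # would let a captured code be replayed.
        for c in range(rec["counter"], rec["counter"] + WINDOW):
            if hmac.compare_digest(passcode(rec["secret"], c), code):
                rec["counter"] = c + 1            # resynchronise past the match
                return True
        return False


def simulate(codes_burned: int) -> bool:
    """Return whether the user can still log in after an attacker has fooled
    them into revealing `codes_burned` passcodes the server never saw."""
    secret = b"constructed-demo-secret-not-real"  # constructed test key
    token, server = Token(secret), Server()
    server.enroll("marc", secret)
    assert server.verify("marc", token.press())   # a normal first login
    for _ in range(codes_burned):
        token.press()                             # phished; never reaches server
    return server.verify("marc", token.press())   # does the next real login work?


if __name__ == "__main__":
    print("1 code burned, login ok:", simulate(1))
    print(f"{WINDOW} codes burned, login ok:", simulate(WINDOW))
```

Running it shows `simulate(1)` succeeding and `simulate(WINDOW)` failing: the window turns Rich's one-code trick into a requirement to burn more codes than the window covers, which is the "large number of codes" point made later in the thread. The replay protection comes from advancing the stored counter past the accepted value, so a code the attacker did capture is useless once the user has logged in with a later one.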
On Thursday, Oct 17, 2002, at 19:39 Europe/London, Rich Salz wrote:
Marc Branchaud wrote:
Any thoughts on this device? At first glance, it doesn't seem particularly impressive... http://www.quizid.com/
Looks like hardware S/Key, doesn't it?
If I could fool the user into entering a quizcode, then it seems like I could get the device and the admin database out of sync and lock the user out of the system.
[Note: I have an interest, since QuizID use nCipher hardware]

Their device has a neat way of synchronizing the sequence number to the server which both avoids the clock drift problems that trouble RSA SecurID and means that you'd have to get the user to pass you a large number of codes before you got them out of sync with the server. It also helps them avoid some of RSA's later patents which deal with their troublesome clock sync problems.

Nicko
participants (4): Adam Shostack, Marc Branchaud, Nicko van Someren, Rich Salz