Slashdot Mirror
What Kind Of Remote Authentication Do You Use?
Iphtashu Fitz asks: "I have worked for a number of companies that implement different types of security policies for remote access. This has ranged from simply setting up a PPTP server with static passwords to bastion hosts using authentication tokens like RSA Security's SecurID and CRYPTOCard's product by the same name. Most people agree that static passwords on a PPTP server aren't all that secure, and anyway it's not all that easy to integrate with Linux servers. SecurID and CRYPTOCard are much more secure because they use one-time passwords generated by hardware tokens. However, when I used SecurID it seemed that their tokens would regularly lose synchronization with the server (not to mention they would expire every two years or so and were expensive to replace). The CRYPTOCard keychain token doesn't have the synchronization problem that RSA's does but it's also a pain to use because of the way you enter a PIN into it. What kind of authentication system(s) do you use where you work? What do you like and hate about it? How would you make it better if you could?"
What's this error that I see?
I do not like this 503.
How can this have come to be,
Using software that is free.
The US Army uses SecureID and Kerbose. They also use a short timeout on the tickets. I have been using it for some time now and as an end user I like it.
The system works on everything from linux, Unicos (Cray), AIX (IBM), Solaris (Sun), and every ones favorite Windows!
why I just use 'enter' it's easy to type and even easier to remember!
I write code.
One neat aspect of SecurID is they have it on lots of gadgets - aside from the tokens, you can run it on Palm, PocketPC, and Blackberry pagers. I just wish it ran on my phone. Then I wouldn't have to carry a keyfob token.
Here.
I looked at this awhile back. It was cheaper and seemed more robust than the SecureID stuff. Plus, it's event based, not time based. You don't have to wait a minute before logging into another device, you just hit the button and take the next code. If it gets out of sync, just enter the next 5 codes in, and it syncs back up, no calling the IT dept or messing around with timing.
Need Free Juniper/NetScreen Support? JuniperForum
Kerberos is generally the standard among Higher Education. PKI Certificate authentication is also explored quite a bit, but it suffers from being an architecture written almost entirely in Powerpoint.
We also use RSA Secure ID tokens, but only as a second form of auth and only required for highly sensitive operations.
We are also rolling out a web single sign on system which build off of Kerberos called Cosign.
Some of the more clueless departments (or those who simply do not know how to run anything else) are clamoring for a Windows Active Directory Domain, which we are going to provide, only it is going to be an authentication slave to our MIT Kerberos realm (There is no way in hell our access id and passwords will live on MS software)
Finkployd
bam- vpn.. Yes, she has three open ports on her wifi adapter, (ok, I'm out, but I'll put in an uplink or buy a new 8port)
why can't someone make a cheap (*behind the router*) box that lets me VPN over the internet safely, at a reasonable pricepoint? no config required other than a 256 character matching password and the IP of the other machine? they talk to each other from behind the router, and act as if they were local computers for the lan?
every day http://en.wikipedia.org/wiki/Special:Random
Keyfobs with customized VPN software on them. Downside is you need Linux or Windows to use it. What I'd LIKE to see- is customized VPN software that runs on a variety of machines, with both USB and SD interfaces (for handhelds and phones and such) combined with a thumbprint or retina scanner- biometrics baby, it's the only way to be sure the guy logging on is who he says he is.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
that the voice on the other tin can isn't faking their voice.
I use ActivCard. Basically the same as SecurID, but the credit card-based smartcard can be read in a USB card reader w/ appropriate software or a standalone card reader. No need to change cards after 2 years. You can also store your own digital certicates on the card.
However, when I used SecurID it seemed that their tokens would regularly lose synchronization with the server (not to mention they would expire every two years or so and were expensive to replace).
Yes, I had that problem repeatedly when a large client first went to this system. But it quit doing that at least a year ago.
There are also any number of cert. based authentication like Permeo.com and Aventail.com. Cheers, -Pk
SecurID tokens last 5 years and the software version lasts 10 years.
We used RSA SecurID for ourselves and customers, but they're very expensive and the fobs either died or lost sync well before their end of life (50% failure rate!)
We've moved onto Vasco Go-3 keyfobs - cheaper, smaller, lighter, 5 year battery life and, so far, more reliable hardware and no sync problems.
They have challenge-response and transaction signing cards too.
C
We use the Cryptocard card token. It is more convenient than the keychain token because you have a calculator-style keypad to enter your PIN.
That said, it is still remarkably difficult to purchase and use any of these tokens in a small shop (or home environment). Cryptocard is more small-business friendly than SecurID, but both are mainly targeted at the large enterprise.
I tried that, but it doesn't seem to recognize the zero option. No wonder your comment failed to be insightful.