Floating in the Two-Factor Authenticator Tsunami?

gmerideth asks: "Working as a security consultant, I have access to a multitude of clients' networks through physical and VPN connections. Recently, due to the on-going issues of data theft, our clients have started implementing two-factor authentication using different providers. The result is a keychain that I carry around with our company key, clients keys, and a key for online access to my local area bank. I am slowly drowning in a sea of two-factor authenticators with sticky tape on the back of them, so that I can remember which key belongs to whom. What alternatives are there? Are there open projects or private products that provide a remote, secure, trusted authentication service that can provide for network/VPN authentication for Windows and Linux, using a single key among separate, private networks? If not, will step up to the plate and make it, or at least point me to a site that sells big keychains?"

Re:VeriSign's Unified Authentication

[Peterl]

Of course this leaves us stuck with Verisign being the single vendor and the single point of failure. No doubt they're going to price themselves accordingly once they get a commanding share of the token market. And, of course, they're sure to protect our records and not resell that data. Um, yeah.

Ideally, you could use any token that met the standard. Buy your own, or the company you need to use it will will sell you one (perhaps subsidized or free depending on their business model). It could easily be rolled in to the setup fee on your checking account, for example.

Smartcards aren't particularily expensive these days.

Re:VeriSign's Unified Authentication

[BeBoxer]

You enter this pin into your token, and get a result back that is actually something like: Sign(time+pin+random, your_key)

I don't think this actually works in practice. Who wants to type a digital signature into a web form? No, really. It would be such a collosal pain in the ass nobody would do it. Think about it. You could go with a 512 bit RSA key (quite weak by todays standards.) With RSA, the signatures are the same size as the key. So to type the signature into a web form you need to enter 512 bits of information. If you could actually enter all 255 ASCII codes in directly, it would be 64 key presses. A more realistic example would be entering a 1024 bit signature in hex. That's 256 characters to enter!

Even standard tokens, which use symmetric ciphers, don't have the users enter the entire output of the encryption. Just enough to make guessing unlikely (7 or 8 digits usually.) This works because both sides know the correct "answer" and can calculate the subset which is actually being transferred. But with a public key signature, only one side can calculate the answer. The other side can only verify it. And to verify it, they have to know the entire result. You can't take half of an RSA signature and verify it.

Which isn't to say your idea is totally off base. It would work great IF your token connected to the computer via USB or something. But doing that requires software on the PC, and some sort of more sophisticated web authentication. Entering something into a field in a form won't work. It's a great idea, but has much higher hurdles to adoption.